Abstract
The behaviour of employees influences information security in virtually all organisations. To tell employees what constitutes desirable behaviour, an organisation can formulate and communicate an information security policy. However, not all employees comply with the information security policy. This paper reviews and synthesises 16 studies that apply the theory of planned behaviour to this problem. The objective is to investigate 1) to what extent the theory explains information security policy compliance and violation and 2) whether reasonable explanations can be found when the results of the studies diverge. It can be concluded that the theory explains information security policy compliance and violation approximately as well as it explains other behaviours. Some potential explanations can be found for why the results of the identified studies diverge; however, many of the differences in results remain unexplained.
© 2013 IFIP International Federation for Information Processing
Cite this paper
Sommestad, T., Hallberg, J. (2013). A Review of the Theory of Planned Behaviour in the Context of Information Security Policy Compliance. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds) Security and Privacy Protection in Information Processing Systems. SEC 2013. IFIP Advances in Information and Communication Technology, vol 405. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39218-4_20
DOI: https://doi.org/10.1007/978-3-642-39218-4_20
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39217-7
Online ISBN: 978-3-642-39218-4