Employees' Behavior towards IS Security Policy Compliance

The literature agrees that the major threat to IS security is constituted by careless employees who do not comply with organizations' IS security policies and procedures. To address this concern, different approaches for ensuring employees' IS security policy compliance have been proposed. Prior research on IS security compliance has criticized these extant IS security awareness approaches as lacking theoretically and empirically grounded principles to ensure that employees comply with IS security policies. To fill this gap, this study proposes a theoretical model that contains the factors that explain employees' IS security policy compliance. Data (N=245) from a Finnish company provides empirical support for the model. The results suggest that information quality has a significant effect on actual IS security policy compliance. Employees' attitude, normative beliefs and habits have significant effect on intention to comply with IS security policy. Threat appraisal and facilitating conditions have significant impact on attitude towards complying, while coping appraisal does not have a significant effect on employees' attitude towards complying. Sanctions have insignificant effect on intention to comply with IS security policy and awards do not have a significant effect on actual compliance with IS security policy