0000000000591025
AUTHOR
Seppo Pahnila
Toward a Unified Model of Information Security Policy Compliance
Information systems security (ISS) behavioral research has produced different models to explain security policy compliance. This paper (1) reviews 11 theories that have served the majority of previous information security behavior models, (2) empirically compares these theories (Study 1), (3) proposes a unified model, called the unified model of information security policy compliance (UMISPC), which integrates elements across these extant theories, and (4) empirically tests the UMISPC in a new study (Study 2), which provided preliminary empirical support for the model. The 11 theories reviewed are (1) the theory of reasoned action, (2) neutralization techniques, (3) the health belief model,…
To Calculate or To Follow Others : How Do Information Security Managers Make Investment Decisions?
Economic models of information security investment suggest estimating cost and benefit to make an information security investment decision. However, the intangible nature of information security investment prevents managers from applying costbenefit analysis in practice. Instead, information security managers may follow experts’ recommendations or the practices of other organizations. The present paper examines factors that influence information security managers’ investment decisions from the reputational herding perspective. The study was conducted using survey questionnaire data collected from 106 organizations in Finland. The findings of the study reveal that the ability and reputation …
Employees’ adherence to information security policies: An exploratory field study
The key threat to information security comes from employees who do not comply with information security policies. We developed a new multi-theory based model that explained employees' adherence to security policies. The paradigm combines elements from the Protection Motivation Theory, the Theory of Reasoned Action, and the Cognitive Evaluation Theory. We validated the model by using a sample of 669 responses from four corporations in Finland. The SEM-based results showed that perceived severity of potential information security threats, employees' belief as to whether they can apply and adhere to information security policies, perceived vulnerability to potential security threats, employees…