Abstract
1- Introduction
2- Literature review
3- Theoretical background and research hypotheses
4- Methodology
5- Data analysis and results
6- Discussion
7- Implications
8- Limitations and future research
9- Conclusion
References
Abstract
Numerous studies have found that employees are the principal source of adverse Information Systems Security (ISS) incidents in organizational settings. Consequently, ISS research focuses on examining factors that affect employees' behaviour towards complying with ISS policy. Most of this research, based on the theory of reasoned action, considers that employees' intention to comply with ISS policies is a good predictor of their behaviour. This paper argues that employees' compliance with ISS policies within organizations is usually enforced, and that non-compliance is mainly due to resistance towards these policies. This research examines the role of organizational punishment and organizational norms in impacting employees' resistance towards the ISS policies. The data were collected from 133 employees of 10 organizations spanning four industries and the hypotheses were tested and validated using PLS-SEM analytical procedures. The results show that moral and descriptive norms are useful in reducing the resistance.
Introduction
Several studies report that the increasing violations of Information Systems Security (ISS) policies result in a wide range of negative consequences for organizations, such as data loss or theft, computer intrusions, and privacy breaches (Ernst & Young, 2011; Ponemon Institute, 2016; Ponemon, 2017). A recent study by the Ponemon Institute found that nearly 90 percent of healthcare organizations represented in their study had experienced at least one data breach in the two-year period (Ponemon Institute, 2016). Researchers have agreed that, very often, the end users are the weakest link in ensuring ISS in organizations (Kolkowska et al., 2017; Merhi & Ahluwalia, 2014; Moody et al., 2018; Safa & Von Solms, 2016). Numerous studies also show that employees’ behaviour remains a major challenge for successfully implementing strict ISS policies in organizations. In a survey of IT security practitioners, nearly 56% of the participants identified employees’ resistance to complying with ISS policies as the biggest barrier to implementing effective security strategies in their organizations (Ponemon Institute, 2016). Likewise, in the “Global State of IS Survey 2018,” PWC found that employees’ actions remain the foremost cause of ISS incidents in organizations (PWC, 2017). Accordingly, ISS research has focused on studying employee behaviour in the context of compliance with ISS policies (Bulgurcu et al., 2010; Hwang & Cha, 2018; Merhi & Ahluwalia, 2013; Merhi & Midha, 2012).