Advisor

Warkentin, Merrill

Committee Member

Shim, P.J.

Committee Member

Carter, Lemuria

Committee Member

Ponder, Nicole

Committee Member

Taylor, Stephen

Date of Degree

1-1-2008

Document Type

Dissertation - Open Access

Degree Name

Doctor of Philosophy

College

College of Business

Department

Department of Management and Information Systems

Abstract

Why do some employees go out of their way to follow prescribed information security protocols, while others all but ignore organizational information security measures? A body of research known as organizational citizenship behavior provides insight into this issue. Theories of organizational citizenship behavior draw mainly from the psychological and sociological disciplines. They are used to explain the behaviors of employees who act in the best interest of the company, even when they don’t have to. Examples of citizenship behaviors include information sharing, voluntary reduction of compensation, and relinquishment of power for the benefit of the organization (Nathanson & Becker, 1973). Although organizational citizenship behavior has seen little exposure in the area of organizational information security compliance, it stands to provide exceptional explanatory power in this area. Information security practices, such as creating difficult passwords or conducting virus scans, are generally seen as additional tasks which require extra effort while offering no gains in personal productivity (Shropshire et al., 2006; Warkentin et al., 2004; Warkentin et al., 2006). These activities could be construed as out-of-role behaviors because employee compliance may not be mandatory. Furthermore, it is difficult to enforce information security standards (Whitman, 2003). Thus, it would appear that those who follow information security protocols are motivated by something other than financial compensation. To date, there has been little work toward integrating endpoint security with theories of organizational citizenship behavior. This may be due to two reasons: first, although it embodies a relatively mature stream of research, organizational citizenship behavior has seen little exposure within the information systems context; second, the behavioral aspects of endpoint security remain a critical but overlooked aspect of organizational information security.
Therefore, the purpose of this research is to develop a theoretical model for predicting individual compliance with organizational information security practices. The results could be used by managers to more accurately predict adherence to information security practices and to better manage and motivate employees. Such a model might also be of utility in the area of employee selection and screening; recent political and economic events have caused an increase in demand for employees who can be trusted to safeguard sensitive information. This study provides a substantial contribution to knowledge by empirically testing a predictive model for information security compliance among employees. The findings associated with this research are offered in the form of recommendations for future theoretical and empirical research. Practical implications for entrepreneurs and policymakers are also discussed.

URI

https://hdl.handle.net/11668/15624

Comments

Protocol Compliance; End User Behavior; Endpoint Security; Organizational Citizenship Behavior
