Information security is a critical factor in the ongoing digital transformation of organisations. It is connected to the implementation of emerging technologies that facilitate interoperability between organisations and citizens, changes that come with risks that must be managed. To minimise these risks, organisations implement information security policies (ISPs), and employee compliance is essential. One of the theories used to explain ISP compliance behaviours is the theory of planned behaviour. This paper aims to determine the influence of the theory’s constructs on behavioural intention to comply with ISP. A survey of 108 information security managers in the public and private sectors reveals that attitude and subjective norms influence employees’ behavioural intention to comply with ISPs. However, perceived behavioural control does not affect actual use behaviour. These findings suggest that organisations must design information security strategies that, in addition to technical aspects, consider psychological and social factors that affect employee behaviour to promote positive attitudes towards safety through awareness strategies.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

The Theory of Planned Behaviour and Information Security

  • Sussy Bayona-Oré

摘要

Information security is a critical factor in the ongoing digital transformation of organisations. It is connected to the implementation of emerging technologies that facilitate interoperability between organisations and citizens, changes that come with risks that must be managed. To minimise these risks, organisations implement information security policies (ISPs), and employee compliance is essential. One of the theories used to explain ISP compliance behaviours is the theory of planned behaviour. This paper aims to determine the influence of the theory’s constructs on behavioural intention to comply with ISP. A survey of 108 information security managers in the public and private sectors reveals that attitude and subjective norms influence employees’ behavioural intention to comply with ISPs. However, perceived behavioural control does not affect actual use behaviour. These findings suggest that organisations must design information security strategies that, in addition to technical aspects, consider psychological and social factors that affect employee behaviour to promote positive attitudes towards safety through awareness strategies.