What do we really know about why employees comply with security policy?

Add to my custom PDF

Seeing the Forest and the Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance

Information security policies are formalized employee guidelines for the use of IT. Organizations rely on these policies as employees account for a large percentage of security incidents. Current literature lacks consensus regarding key drivers of policy compliance and is uncertain as to how they perform under different conditions. This study aims to holistically investigate the findings of prior research in order to clarify what is important for security policy compliance.

Cram et al. conducted an analysis of 95 research papers, classifying them into 17 distinct categories. They then determined which of the categories were most strongly predictive of security policy compliance. Conference papers, dissertations and unpublished papers were all included in the studies collection. Four factors explaining inconsistencies within the literature were identified:

1) studies measuring compliance vs others measuring policy violation, which are not necessarily opposites

2) studies measuring actual compliance vs others measuring intended compliance

3) studies concerned with general security policies vs others concerned with specific policies (e.g. antivirus software and data backups)

4) the location and national culture of the participants

Three of the top five strongest categories in explaining policy compliance are all oriented around employee values: attitude, personal norms and ethics, normative beliefs. In comparison, the categories that are generally seen as being more easily manipulated by management, such as punishment and rewards, are among the weakest in predicting security policy compliance. Activities related to perceptions of security policy usefulness and training present a mid-range importance in predicting policy compliance. The analysis of factors of inconsistency in current literature revealed that:

  • Policy compliance and violation should not be considered opposite views of the same construct.
  • Past work suggesting the use of intended compliance as a proxy for actual compliance is not uniformly reliable.
  • Employees interpret the narrow scope of specific policies to correspond to diminished sanctions, in comparison to more severe punishments for general policies.
  • Cultural factors can influence compliance. There are significant differences between the Asia- Pacific, Europe and North America regions.

This study presents practical insights for the management of security policy. For instance, managers may benefit in hiring employees with attitudes and beliefs consistent with organizational objectives, rather than focusing on punishment and rewards. Convincing employees of the value of policies is especially important, for example by sharing anecdotal evidence of how they have mitigated security incidents in the past. Managers can also assign a security champion to each project team to provide accessible training and increase team security effectiveness.

Security policy compliance is motivated more by employee values than punishement and rewards.