Academic journal article Journal of the Association for Information Systems

Don't Even Think about It! The Effects of Antineutralization, Informational, and Normative Communication on Information Security Compliance

Article excerpt

1 Introduction

As knowledge sharing and online transactions among individuals and organizations increase, information security increasingly becomes a strategic issue. Although organizations must protect against vulnerabilities from outside attacks (Ransbotham & Mitra, 2009) and comply with external security and privacy rules (Wall, Lowry, & Barlow, 2016), many security vulnerabilities arise from the actions of employees. Through the use of organizational sanctions and security education, training, and awareness (SETA) programs, security professionals actively battle security incidents (Jenkins & Durcikova, 2013) by encouraging employees to perform security-related behaviors, such as updating software, avoiding questionable emails, and using strong passwords (Anderson & Agarwal, 2010; Bulgurcu, Cavusoglu, & Benbasat, 2010; Johnston & Warkentin, 2010; Johnston, Warkentin, & Siponen, 2015; Karjalainen & Siponen, 2009; Liang & Xue, 2009; Liang & Xue, 2010).

Modern organizations develop or purchase SETA programs designed to reinforce acceptable use guidelines and emphasize the potential consequences of information security policy violations (D'Arcy, Hovav, & Galletta, 2009). However, traditional SETA approaches are often ineffective in preventing violations (Siponen & Vance, 2010), so it is imperative that we explore other approaches to designing SETA programs and the way they communicate policies to better persuade employees to comply (Johnston, Warkentin, McBride, & Carter, 2016; Johnston et al., 2015). Many researchers conclude that managers should effectively communicate security-related concepts to their employees (Boss, Galletta, Lowry, Moody, & Polak, 2015; Siponen & Vance, 2010; Willison, Warkentin, & Johnston, 2018), yet little research empirically examines how such communication can affect later security behavior. Moreover, despite the extensive body of research on SETA, little research has examined the use of periodic short communication from management about the importance of complying with information security policies and actually applying what is taught in the formal SETA process.

Much like the successes from using so-called "nudges" by behavioral economists such as Tversky and Kahneman (1981) and Thaler and Sunstein (2008) for promoting tax compliance and healthy lifestyle decisions, such short periodic communications may serve as reminders of expected behaviors and may be critical to ensuring greater security policy compliance. Therefore, in this paper, we focus on short SETA communications designed to augment SETA education and training programs. We do not address the content or effectiveness of these detailed programs. For an overview of SETA education and training approaches, see Puhakainen and Siponen (2010). Because the effectiveness of annual SETA training decays over time, some employers and software vendors have begun to implement short real-world communications. Providence Health and Services, a hospital chain on the U.S. west coast, has replaced office notes with ones that say "protect confidential information" and other reminders. The SANS Institute distributes post-it notes that include the reminder "do not write your password here." Commercial web browsers now display security warnings to users who may surf to the wrong site (Anderson, Vance, Kirwan, Eargle, & Jenkins, 2016; Vance, Anderson, Kirwan, & Eargle, 2014). Many sites now provide instant feedback on the strength of newly created passwords, which has been shown to have a positive impact on user security behavioral outcomes (Ciampa, 2013; Ur et al., 2012). Finally, studies have shown the value of general security pop-ups and warnings when users perform various actions (Akhawe & Felt, 2013).

Despite the widespread use of SETA programs that are designed to increase awareness of security policies and often emphasize the sanctions for violations, employees are often noncompliant (EY, 2017). …
