CONCLUSION
Information security is a high priority for organizations; however, individuals asked to implement newly mandated changes in security tend to procrastinate, resist, fail to perform, or circumvent the behavior required of the new policy. To better understand what leads individuals to be early conformers, this study uniquely measures actual early conformance to a security change in the context of an implementation of new password policies. Using data collected from 535 respondents, some of whom had enacted the change and others who had not, we are able to explain significant variances in users’ attitudes toward the security policy change and actual early conformance behaviors. Importantly, intention to conform early is a predictor of actual early conformance behavior.
The research provides numerous contributions to both research and practice. In terms of research, this study contributes by focusing on and measuring both intention and actual change behavior rather than stopping at user intention. Further, by exploring an actual security change behavior, this study is one of the first to test the links between attitude, intention, and behavior, avoiding conclusions drawn on untested influences between intentions and behaviors. By focusing on a nonvolitional setting, the research provides a better understanding of attitudes surrounding technology-enforced security policies and the potential consequences of these attitudes. It also highlights the importance of awareness in influencing change behavior. Finally, the study contributes to research by measuring which triggers lead to awareness of the newly proposed security policy change. Most studies that measure awareness have not empirically identified how awareness can be increased. We encourage future researchers to consider such measures in their research.
