- مبلغ: ۸۶,۰۰۰ تومان
- مبلغ: ۹۱,۰۰۰ تومان
Individuals often fail to perform the security behaviors their organizations request to protect informational assets. However, forcing individuals into the compliance can trigger undesired behaviors. We propose a model grounded in Theory of Planned Behavior and information security literature to study determinants of early conformance toward technologyenforced security policies. The model was tested with 535 respondents from a university that implemented new password policies. The results show support for all the proposed relationships, except that subjective norm does not affect intentions. This important finding is explained by the leading role of early conformers, which highlights the importance of context-specific theorizing by researchers.
Information security is a high priority for organizations; however, individuals asked to implement newly mandated changes in security tend to procrastinate, resist, fail to perform, or circumvent the behavior required of the new policy. To better understand what leads individuals to be early conformers, this study uniquely measures actual early conformance to a security change in the context of an implementation of new password policies. Using data collected from 535 respondents, some of whom had enacted the change and others who had not, we are able to explain significant variances in users’ attitudes toward the security policy change and actual early conformance behaviors. Importantly, intention to conform early is a predictor of actual early conformance behavior.
The research provides numerous contributions to both research and practice. In terms of research, this study contributes by focusing on and measuring both intention and actual change behavior rather than stopping at user intention. Further, by exploring an actual security change behavior, this study is one of the first to test the links between attitude, intention, and behavior, avoiding conclusions drawn on untested influences between intentions and behaviors. By focusing on a nonvolitional setting, the research provides a better understanding of attitudes surrounding technology-enforced security policies and the potential consequences of these attitudes. It also highlights the importance of awareness in influencing change behavior. Finally, the study contributes to research by measuring which triggers lead to awareness of the newly proposed security policy change. Most studies that measure awareness have not empirically identified how awareness can be increased. We encourage future researchers to consider such measures in their research.