User Acceptance of Information Security Policies

According to established standards, the information security management of organizations should be based on the assessed information security risks faced by the organization. In practice, the information security level will also depend on the employees’ comprehension and assessment of the information security risks. Therefore, many organizations introduce information security policies to enforce behaviour resulting in adequate levels of information security. Occasionally, the information security goals and the business goals are in conflict. The way these conflicts are handled is decisive for the information security as well as the efficiency of the organizations.

The general aim of the project User acceptance of information security policies is to support the comprehension and knowledge of behaviour affecting the information security and, thereby, making decisions related to information security more informed. The project is based on the research questions:

  • What factors affect the users’ intention to comply with information security policies?
  • How are trade-offs between business and information security goals made in organizations?
  • How are information security risks assessed?

In order to answer these questions, hypotheses have been formulated and thereafter tested with statistical methods. To be able to base the performed studies on extensive data sets, meta analyses of extant research studies have been used and complemented with additional surveys performed by the project.

The results show that the factors best explaining the user’s intention to comply with information security policies are attitude, perceived norms, perceived behavioural control, anticipated regret, and habit. Another conclusion is that conflicts between business and information security goals result in employees being forced to make trade-offs and improvise.
Commonly, information security risks are assessed as the combination of the probability and consequence of a threat being realized. However, the results show that directly prioritizing risks results in the consequence having a much larger influence than the probability. Moreover, the consensus among the raters of information security risks is low, resulting in the assessments not being suitable as bases for decisions.

Additional studies are needed to increase the knowledge on human behaviour and information security. This includes experiments studying the actual behaviour rather than the intentions coupled to information security policy compliance. Considering the assessment of information security risks, studies are needed to support the development of the assessment methods and tools increasing the consensus of the raters and, thus, making the assessment results suitable as the bases for decisions related to information security.

Sommestad, Teodor. Hallberg, Jonas. Lundholm, Kristoffer. Bengtsson, Johan. Variables influencing information security policy compliance: a systematic review of quantitative studies. Information management & computer security, Vol. 22, Issue 1, pp. 42-75. 2013.

Sommestad, T. and Hallberg, J. A review of the theory of planned behaviour in the context of information security policy compliance.” Proc. of the 28th IFIP TC-11 SEC. Auckland, New Zealand, 2013.

Hallberg et al. User Acceptance of Information Security Policies, poster and abstract at the National Symposium on Technology and Methodology for Security and Crisis Management (TAMSEC). 2013

Sommestad, T., Karlzén, H., and Hallberg, J. The sufficiency of the theory of planned behavior for explaining information security policy compliance. Information & Computer Security, Vol. 23, Issue 2, pp. 200–217. 2015.

Sommestad, T., Karlzén, H., and Hallberg, J. A Meta-Analysis of Studies on PMT and Information Security Behavior. The Dewald Roode Information Security Workshop. 2014.

Sommestad, T. Social groupings and information security obedience subcultures within organizations. The 30th International Information Security and Privacy Conference, Hamburg, 26-28 May 2015.

Sommestad, T., Karlzén, H., Nilsson, P., and Hallberg, J. Perceived information security risk as a function of probability and severity. International Symposium on Human Aspects of Information Security & Assurance (HAISA). 2015.

Sommestad, T., Karlzén, H., Nilsson, P., and Hallberg, J. An empirical test of the perceived relationship between risk and the constituents severity and probability, in special issue of Information and Computer Security, Vol. 24 Iss: 2. 2015.

Sommestad, T., Karlzén, H., and Hallberg, J. A Meta-Analysis of Studies on Protection Motivation Theory and Information Security Behaviour. International Journal of Information Security and Privacy 9 (1): 26–46. 2015.

Woltjer, R. Workarounds and Trade-offs in Information Security – an Exploratory Study. Information and Computer Security. 2017.