User Acceptance of Information Security Policies
According to established standards, the information security management of organizations should be based on the assessed information security risks faced by the organization. In practice, the information security level will also depend on the employees’ comprehension and assessment of the information security risks. Therefore, many organizations introduce information security policies to enforce behaviour resulting in adequate levels of information security. Occasionally, the information security goals and the business goals are in conflict. The way these conflicts are handled is decisive for the information security as well as the efficiency of the organizations.
The general aim of the project "User acceptance of information security policies" is to support the comprehension and knowledge of behaviour affecting information security and thereby make decisions related to information security more informed. The project is based on the following research questions:
- What factors affect the users’ intention to comply with information security policies?
- How are trade-offs between business and information security goals made in organizations?
- How are information security risks assessed?
In order to answer these questions, hypotheses have been formulated and then tested with statistical methods. To base the studies on extensive data sets, meta-analyses of existing research studies have been used and complemented with additional surveys performed by the project.
The results show that the factors best explaining the user’s intention to comply with information security policies are attitude, perceived norms, perceived behavioural control, anticipated regret, and habit. Another conclusion is that conflicts between business and information security goals result in employees being forced to make trade-offs and improvise.
Commonly, information security risks are assessed as the combination of the probability and consequence of a threat being realized. However, the results show that directly prioritizing risks results in the consequence having a much larger influence than the probability. Moreover, the consensus among the raters of information security risks is low, resulting in the assessments not being suitable as bases for decisions.
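The two measurements described above, the conventional probability times consequence score and the degree of consensus among raters, can be made concrete. The following is an added example written for this summary; it is not code or data from the project. The ratings are constructed, the scale (1 to 5 for probability, consequence and a directly assigned priority) is an assumption, and the consensus statistic used, Kendall's coefficient of concordance W, is one common choice that the report does not name.

```python
"""Added example (constructed data): score risks as probability x consequence,
compare with directly assigned priorities, and measure rater consensus."""
from math import sqrt

# Constructed ratings, not from the report. Per rater and risk:
# (probability 1-5, consequence 1-5, directly assigned priority 1-5).
RATINGS = {
    "rater_a": {"phishing": (5, 2, 3), "lost laptop": (3, 3, 3),
                "ransomware": (2, 5, 5), "insider leak": (1, 5, 4)},
    "rater_b": {"phishing": (4, 2, 2), "lost laptop": (4, 2, 3),
                "ransomware": (1, 5, 5), "insider leak": (2, 4, 4)},
    "rater_c": {"phishing": (5, 3, 4), "lost laptop": (2, 3, 2),
                "ransomware": (2, 4, 3), "insider leak": (3, 5, 5)},
}


def combined_score(probability, consequence):
    """Conventional risk score: probability x consequence."""
    return probability * consequence


def average_ranks(values):
    """Rank items by value with the highest value at rank 1.
    Tied items share the average of the ranks they occupy."""
    ordered = sorted(values, key=lambda k: values[k], reverse=True)
    ranks = {}
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and values[ordered[j + 1]] == values[ordered[i]]:
            j += 1
        shared = (i + 1 + j + 1) / 2  # average of positions i+1 .. j+1
        for k in ordered[i:j + 1]:
            ranks[k] = shared
        i = j + 1
    return ranks


def combined_ranking(rater):
    """Ranking of risks by probability x consequence for one rater."""
    return average_ranks({r: combined_score(p, c)
                          for r, (p, c, _) in RATINGS[rater].items()})


def direct_ranking(rater):
    """Ranking of risks by the rater's directly assigned priority."""
    return average_ranks({r: d for r, (_, _, d) in RATINGS[rater].items()})


def kendall_w(rankings):
    """Kendall's coefficient of concordance W across several rankings
    (0 = no agreement, 1 = complete agreement), with the usual tie correction."""
    m = len(rankings)
    items = list(rankings[0])
    n = len(items)
    rank_sums = [sum(r[item] for r in rankings) for item in items]
    mean = sum(rank_sums) / n
    s = sum((rs - mean) ** 2 for rs in rank_sums)
    tie_term = 0.0
    for r in rankings:
        counts = {}
        for v in r.values():
            counts[v] = counts.get(v, 0) + 1
        tie_term += sum(t ** 3 - t for t in counts.values())
    return 12 * s / (m * m * (n ** 3 - n) - m * tie_term)


def pearson(xs, ys):
    """Pearson correlation of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy)


def influence_on_direct_priority():
    """Pooled correlation of the directly assigned priority with the
    probability and with the consequence ratings across all raters."""
    ps, cs, ds = [], [], []
    for per_rater in RATINGS.values():
        for p, c, d in per_rater.values():
            ps.append(p)
            cs.append(c)
            ds.append(d)
    return {"probability": pearson(ps, ds), "consequence": pearson(cs, ds)}


if __name__ == "__main__":
    for rater in RATINGS:
        print(rater, "P*C:", combined_ranking(rater), "direct:", direct_ranking(rater))
    print("consensus W on direct priorities:",
          round(kendall_w([direct_ranking(r) for r in RATINGS]), 3))
    print("influence on direct priority:", influence_on_direct_priority())
```

A low W on the direct priorities is the concrete form of the report's observation that rater consensus is low; comparing the two correlations shows which of the two inputs the direct priority actually tracks. With the constructed data above, the direct priorities follow consequence much more closely than probability, which is the pattern the report describes.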
Additional studies are needed to increase knowledge of human behaviour and information security. This includes experiments that study actual behaviour rather than the intentions associated with information security policy compliance. Regarding the assessment of information security risks, studies are needed to support the development of assessment methods and tools that increase consensus among raters and thus make the assessment results suitable as bases for decisions related to information security.