Predicting information security policy compliance intentions and behavior for six employee-based risks

ABSTRACTEmployees’ non-compliance with organizational information security policies poses a significant threat to organizations. Enhancing our understanding of compliance behavior is crucial for improving security. Although research has identified numerous psychological factors that affect intentions to comply with security policies, how such intentions map onto actual compliance behavior is not well understood. Building on a well-supported model of security policy compliance intentions, we evaluate compliance with each of six types of information security policies using decision vignettes, and compare parameters across models. The study contributes to information security compliance research by examining each risk separately and exploring heterogeneity across risk types.