Employees’ adherence to information security policies: An exploratory field study

This paper addresses the primary threat to information security, which is non-compliance with security policies by employees. A new model was developed, integrating elements from the Protection Motivation Theory, the Theory of Reasoned Action, and the Cognitive Evaluation Theory, to explain employees’ adherence to security policies. The model was validated using a sample of 669 responses from employees in four Finnish corporations. The results, based on Structural Equation Modeling (SEM), revealed that factors such as perceived severity of potential security threats, belief in the ability to adhere to security policies, perceived vulnerability to threats, attitude towards compliance, and social norms significantly influenced the intention to comply with security policies. This intention, in turn, had a significant impact on actual compliance. The study suggests that high-level managers should emphasize the importance of information security and the necessity of policy compliance, and that employees should receive security education and hands-on training.