This paper addresses the primary threat to information security, which is non-compliance with security policies by employees. A new model was developed, integrating elements from the Protection Motivation Theory, the Theory of Reasoned Action, and the Cognitive Evaluation Theory, to explain employees’ adherence to security policies. The model was validated using a sample of 669 responses from employees in four Finnish corporations. The results, based on Structural Equation Modeling (SEM), revealed that factors such as perceived severity of potential security threats, belief in the ability to adhere to security policies, perceived vulnerability to threats, attitude towards compliance, and social norms significantly influenced the intention to comply with security policies. This intention, in turn, had a significant impact on actual compliance. The study suggests that high-level managers should emphasize the importance of information security and the necessity of policy compliance, and that employees should receive security education and hands-on training.
Critical success factors for security education, training and awareness (SETA) programme effectiveness: an empirical comparison of practitioner perspectives
Cyber security has never been more important than it is today in an ever more connected and pervasive digital world....