Factors influencing protection motivation and IS security policy compliance

The key threat to IS security is constituted by careless employees who do not comply with IS security policies. To ensure that employees comply with organizations’ IS security procedures, a number of IS security policy compliance means have been proposed in the past. Prior research has criticized these means as lacking theoretically and empirically grounded principles to ensure that employees comply with IS security policies. This paper advances a new model that explains employees’ IS security compliance. In this model, we extend protection motivation theory (PMT) by introducing preceding factors (e.g., visibility and normative beliefs) of the protection motivation process. To test this model, we collected data (N=919) from five companies. The results suggest that the preceding factors have a significant effect on threat appraisal, self-efficacy and response efficacy. Threat appraisal has a significant effect on intention to comply with IS security policies. Intention to comply has a significant effect on actual compliance with IS security policies.