Employees' adherence to information security policies: An exploratory field study

The key threat to information security comes from employees who do not comply with information security policies. We developed a new multi-theory based model that explained employees' adherence to security policies. The paradigm combines elements from the Protection Motivation Theory, the Theory of Reasoned Action, and the Cognitive Evaluation Theory. We validated the model by using a sample of 669 responses from four corporations in Finland. The SEM-based results showed that perceived severity of potential information security threats, employees' belief as to whether they can apply and adhere to information security policies, perceived vulnerability to potential security threats, employees' attitude toward complying with information security policies, and social norms toward complying with these policies had a significant and positive effect on the employees' intention to comply with information security policies. Intention to comply with information security policies also had a significant impact on actual compliance with these policies. High level managers must warn employees of the importance of information security and why it is necessary to carry out these policies. In addition, employees should be provided with security education and hands on training.