To read this content please select one of the options below:

The sufficiency of the theory of planned behavior for explaining information security policy compliance

Teodor Sommestad (Information Security and IT Architecture; Swedish Defence Research Agency (FOI); Linköping; Sweden)
Henrik Karlzén (Information Security and IT Architecture; Swedish Defence Research Agency (FOI); Linköping; Sweden)
Jonas Hallberg (Information Security and IT Architecture; Swedish Defence Research Agency (FOI); Linköping; Sweden)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 8 June 2015

2797

Abstract

Purpose

This paper aims to challenge the assumption that the theory of planned behaviour (TPB) includes all constructs that explain information security policy compliance and investigates if anticipated regret or constructs from the protection motivation theory add explanatory power. The TPB is an established theory that has been found to predict compliance with information security policies well.

Design/methodology/approach

Responses from 306 respondents at a research organization were collected using a questionnaire-based survey. Extensions in terms of anticipated regret and constructs drawn from the protection motivation theory are tested using hierarchical regression analysis.

Findings

Adding anticipated regret and the threat appraisal process results in improvements of the predictions of intentions. The improvements are of sufficient magnitude to warrant adjustments of the model of the TPB when it is used in the area of information security policy compliance.

Originality/value

This study is the first test of anticipated regret as a predictor of information security policy compliance and the first to assess its influence in relation to the TPB and the protection motivation theory.

Keywords

Acknowledgements

This research is sponsored by the Swedish Civil Contingencies Agency (MSB).

Citation

Sommestad, T., Karlzén, H. and Hallberg, J. (2015), "The sufficiency of the theory of planned behavior for explaining information security policy compliance", Information and Computer Security, Vol. 23 No. 2, pp. 200-217. https://doi.org/10.1108/ICS-04-2014-0025

Publisher

:

Emerald Group Publishing Limited

Copyright © 2015, Emerald Group Publishing Limited

Related articles