THE IMPACT OF TRAINING AND SOCIAL NORMS ON INFORMATION SECURITY COMPLIANCE: A PILOT STUDY

Transcription

1 THE IMPACT OF TRAINING AND SOCIAL NORMS ON INFORMATION SECURITY COMPLIANCE: A PILOT STUDY Research-in-Progress Mohammad I. Merhi Department of Computer Information Systems & Quantitative Methods College of Business Administration University of Texas Pan American 1201 W. University Drive Edinburg, TX mmerhi@utpa.edu Vishal Midha Department of Computer Information Systems & Quantitative Methods College of Business Administration University of Texas Pan American 1201 W. University Drive Edinburg, TX vmidha@utpa.edu Abstract Security training has been shown to be an important factor that impacts employees intentions to comply with organization s security policies. In this study, we define and then study the impact of two sub-constructs of security training, threat appraisal and policy awareness, on intentions to comply with organizational security policies. Injunctive and descriptive norms, which are standards of behavior that recommends and forbids behavior in specific circumstances, have been hypothesized as mediators between training constructs and behavioral intention to comply. We pilot-tested our proposed set of hypotheses with survey data collected from 69 employees in a higher education institute. Results supported our proposed model. Based on the findings, implications for theory and practices are discussed. Keywords: security compliance, injunctive norms, subjective, security training, policy awareness training, SETA.

2 IS Security and Privacy Introduction Employees violation and non-compliance with security policies have been frequently identified as the greatest single source of threat to organizational information systems security (Warkentin et al. 2011a). Scholars have agreed that the end users (insiders) in the organizations are the weakest link in ensuring information security and thus considered as one of the main reasons why information security incidents are present (Baskerville and Siponen 2002; Bulgurcu et al. 2010; D Arcy et al. 2009; Straub and Welke 1998; Warkentin et al a, b). Within an organizational setting, each employee represents a source of threat to the organization s security and privacy regulation compliance especially if the employee does not apply these regulations and thus behave differently (Warkentin and Willison 2009). Recently, studies have emerged to indicate the factors that may have an effect on the employees behaviors and especially their compliance with information security policies (Furnell 2008; Straub and Welke 1998; Whitman 2004). In terms of influencing individual employee behavior, it is believed that user training and awareness of the risks to information security is an essential prerequisite factor that leads employees to comply with information security policy. Warkentin et al. (2011a) state that training is usually utilized as a primary mean to influence employees behavior in the workplace. Consequently, security training was and continues to be one of the most important fundamentals to information security practices (Puhakainen and Siponen 2010). Though research on information security policy compliance has expanded in the last decade, Warkentin et al. (2011a) indicate that there are still gaps in the literature. Many researcher, such as Bulgurcu et al. (2010) and Puhakainen and Siponen (2010), mention that only few security compliance studies empirically explore the role of training and compliance, and have suggested the need for additional empirical research on information security awareness education and training (Ifinedo 2012). Similarly, Karjalainen and Siponen (2011) believe that the existing literature does not offer the characteristics of information security training that show how this type of training differs from other forms of training. Our study addresses to such call for papers and contributes to the literature of security trainings. In this paper, based on literature review, we first propose that the construct of security training should be studied as a composite of two related, yet different, sub-constructs threat appraisal and policy awareness. We, then propose four hypotheses on how two different social norms descriptive and injunctive influence the security training sub-constructs, which in turn influence employees intentions to comply with security policies. These hypotheses are then pilot tested using a survey data set collected from 68 employees in a large higher education institute. Finally, conclusions, implications, and future work avenues are presented. Security Training and Awareness Having designed an information security policy for an organization does not mean that this particular organization is safe. The reason is that employees may not comply with this policy. To achieve success in implementing information security policy, Warkentin et al. (2011b) argue that along with the policy many organizations implement formal Security Education, Training, and Awareness (SETA) programs, and seek to establish an environment that is conducive to employee motivation and intentions to comply with the information privacy policies. That is because the best way to ensure the feasibility of a security policy is to make sure employees understand it and accept necessary precautions (Whitman et al. 2001). Goodhue and Straub (1991 p. 13) suggested that since protective measures often require significant managerial vigilance, an appropriate level of awareness and concern may be a prerequisite for adequate security protection. SETA was and continues to be one of the most important fundamentals to information security practices (Puhakainen and Siponen 2010). They have been identified as a crucial and a primary mean to influence employees behavior to comply with the information security policies (Dhillon 1999; Warkentin et al. 2011a; Whitman 2004). According to Siponen (2000), the most commonly used approaches aimed at minimizing human-related faults are SETA. These approaches aim at increasing employees intentions to comply with organizations information security policy and the use of security solutions (Siponen 2000). That is because these programs have a similar deterrent effect, achieved through ongoing organizational 2 Thirty Third International Conference on Information Systems, Orlando 2012

3 Merhi & Midha / The Impact of Training and Social Norms on Information Security efforts that reinforce acceptable usage guidelines and emphasize the potential threats for misuse (D Arcy et al. 2009). In literature, SETA has been defined and measured as a single construct (e.g. Aytes and Connolly 2004; Furnell et al. 2002; Whitman and Mattord, 2004). However, thorough and careful analysis of literature reveals that security training construct consists of two interrelated constructs. For instance, Aytes and Connolly (2004) argue that information security awareness training usually aims at gaining knowledge or awareness of existing security threats and developing skills to apply proper countermeasures, whereas Bishop (2003) mentions that training programs emphasize what is and what is not allowed. Another example where training is used as regular awareness training is found in Furnell et al. (2002) who argue that training programs can be included within general organizational training strategies that promote awareness of day-to-day physical security issues within the organization. Based on these and many such similar definitions and usages for security training construct, we propose that threat appraisal and policy awareness are two different constructs. Threat appraisal construct can be defined as the portion of security training that makes employees understand and enables them to assess security threats, whereas policy awareness is the portion that educates employees on the dos and don ts of organizational IT use. These two types of training are different; threat appraisal provides the employee the power to decide on the severity of the threat, whereas policy awareness training explains what they should be done. Social Norms Social norms are standards of behavior that recommend and forbid behavior in specific circumstances. They are based on widely shared beliefs that describe how individual group members ought to behave and perform in a given situation (Ajzen and Fishbein 1980; Voss 2001). When considering normative influence on behavior, Cialdini et al. (1990; 1991) advised that it is critical to differentiate between two categories of normative beliefs: descriptive and injunctive. Descriptive norms refer to beliefs about what is actually done by most others in one s social group. Injunctive norms, on the other hand, refer to people s beliefs about what ought to be done (Cialdini et al. 1990). Each of these categories refers to a separate source of human motivation (Deutsch and Gerard 1955). The primary difference between the two is that descriptive norms typically do not involve social sanctions for noncompliance with the norm (Lapinski and Rimal 2005). Both types of normative information have been considered to be at least partly responsible for regulating individuals behavior. Researchers in different fields attempted to test and demonstrate the power of social norms in variety of different beliefs and behaviors such as recycling (Schultz 1999), littering (Cialdini et al. 1990; 1991; Kallgren et al. 2000), energy conservation (Goldstein et al., 2008; Nolan et al. 2008; Schultz et al., 2007), alcohol use (Rimal and Real 2005), tax evasion (Wenzel 2004), and student gambling (Larimer and Neighbors 2003). In the IS domain, such influences have been represented by the construct subjective norms, which is equivalent to injunctive norms (Boer and Westhoff 2006; Lapinski and Rimal 2005). However, most of the IS domain literature has ignored the differentiation between injunctive and descriptive norms. Despite support for the TRA (Fishbein and Ajzen 1975) and TPB (Ajzen 1985), research shows that subjective norms often exert only limited influence on people s intentions. In fact, researchers demonstrated that both descriptive and injunctive norms have an independent influence on intentions over and above the influence of other TPB variables (Beck and Ajzen 1991; Conner and McMillan 1999; Parker et al. 1995). In a meta-analysis study, Rivis and Sheeran s (2003) found that descriptive norms accounted for an additional five percent of the variance in intentions. In the same vein, Fishbein (2000) and Fishbein and Yzer (2003) argued that both descriptive and injunctive norms are significant sources of normative influence in attitude behavior relations and should be modeled together. In this study, we include and study the impact of both types of social norms on employees intentions towards security compliance. Information Security Compliance Model and Hypotheses Though research on information security policy compliance has expanded in the last decade, gaps in the literature still exist and there is still a room for new studies that help both practitioners and researchers to understand the factors leading to information security compliance (Warkentin et al. 2011a). Specifically, Thirty Third International Conference on Information Systems, Orlando

4 IS Security and Privacy Bulgurcu et al. (2010) and Puhakainen and Siponen (2010) highlighted the need for additional empirical research on information security awareness education and training. This study aims to contribute filling this gap. Figure 1 illustrates the proposed information security compliance model. It asserts that intention to comply with information security policies is affected directly by descriptive norm and injunctive norm. At the same time, threat appraisal training and policy awareness training affect intention to information security compliance indirectly through descriptive and injunctive norms. Below is a brief description of each of these factors along with the hypotheses. Threat appraisal training H2 Descriptive norm H1 Policy awareness training H4 Injunctive norm H3 Intention to information security compliance Figure 1: Proposed Model Descriptive Norm The descriptive norm describes what most people do, or refers to what an individual thinks others do in a particular situation. This type of norm usually motivates individuals by providing evidence as to what will likely be effective and adaptive action. In other words, descriptive norms send the message if a lot of people are doing this, it s probably a wise thing to do (Cialdini 2007). Such an assumption, in a given situation, offers individuals an information-processing advantage and a decisional shortcut when they are about to take a decision (Cialdini, 1988). In other words, individuals make their decisions on their perceptions of what most others do in similar situations (Venkatesan 1966). This type of norm focuses on the tendency that an individual may have to replicate the believed behavior of others (Sheeran and Orbell 1999). Individuals often perform (or believe in) certain actions or nonactions because many other people do (or believe) the same (Herath and Rao 2009b). Behavioral literature has recognized the significance of descriptive norms, meaning that individuals create their behavior based on others behaviors. The reason is, imitating others offers individuals an informationprocessing advantage and helps them to take the best decision when they are about to take a decision. In other words, employees in organizations change their behavior if they perceive that most of their peers are behaving in certain way. In the context of security policy compliance, we can expect that if employees perceive their peers to routinely follow the information security policies as directed by the organization they are more likely to have positive intentions to follow them as well and carry out similar behaviors. Thus, we can expect that: H.1: Descriptive norm will be positively associated with intention to comply with organizational information security policies. Threat Appraisal Training (TAT) The main goal of threat appraisal training is to empower employees to be able to assess threats, understand threats severity as well as the likelihood of its occurring. With this training, employees should get to know about the threats related to security that they may encounter and the consequences that will occur for the organization as well as for themselves in case of failing to apply the organizations security policies. After understanding the consequences of security breaches, employees fear of committing an error raises. This high level of fear leads them to search for ways that help them avoid security threats and their consequences. In the context of this study, we expect that when employees feel the threat and its consequences, they will try to search and find out a way that helps them to avoid these issues. The easiest way is to check what others are doing especially those who have not been caught committing any security problem before or those who have not been penalized because of an information security issue. As individuals, when we are fearful and unsure about how to behave in a particular situation, we tend to look 4 Thirty Third International Conference on Information Systems, Orlando 2012

5 Merhi & Midha / The Impact of Training and Social Norms on Information Security at others behaviors (Rimal and Real 2005). The reason is when others engage in a behavior, they give us social cues on how to behave in similar situations (Cialdini 2001). From these arguments, the following hypothesis is offered: H.2: Threat appraisal training will be positively associated with descriptive norm. Injunctive Norm Injunctive norms refer to rules or beliefs that describe what an individual thinks others approve or disapprove. In other words, it is not to one s own view of what constitutes appropriate behavior but to one s perception of what others believe to be appropriate behavior. This category of norms specifies what should be done. An instance of an injunctive norm is the belief that one should comply with the security policy of an organization in order to prevent data loss. Previous studies indicated that such moral evaluation strongly influences compliance decisions (Larimer and Neighbors 2003). The reason for this is explained in the behavioral literature, which suggests that individuals create their behavior based on the views of those individuals who are important to them. In other words, employees in organizations change their behavior if they perceive that important referents, such as peers and supervisors, would like them to behave in a certain way. In considering injunctive norms in organizational setting, Venkatesh et al. (2003) examined employees perceptions of the expectations of superiors, managers, and peers in relevant information systems departments. They found that if an employee believes that his/her peers, managers, or superiors expect a specific behavior from him/her, he/she will more likely do it. In the context of this study, we assume that the expectations of managers, supervisors, information security officers, IT staff, and peers will have a persuasive effect on employees intention to comply with information security policies. If those individuals, who are usually important to the employees, advise them to comply with information security policies or if the employees believe that these individuals expect them to comply, they will more likely have positive intentions to follow their peers by undertaking the appropriate security actions and thus comply with the organizational information security policies. Hence, we propose: H.3: Injunctive norm will be positively associated with intention to comply with organizational information security policies. Policy Awareness Training In literature, it has been argued that in order to ensure the feasibility of a security policy, organizations have to make sure that their employees understand it and accept necessary precautions (Whitman et al. 2001). In policy awareness training, the information security policy should be set as the foundation and thus the primary training tool (Peltier 2005). This type of security training can be included within general organizational training strategies that promote awareness of day-to-day physical security issues within the organization (Furnell et al. 2002). Good policy awareness training should focus on providing employees with general knowledge of the information security environment, along with the awareness of required security procedures (Lee and Lee 2002; Whitman et al. 2001). During training, employees are educated about the rules that clearly define what should and should not be done. The knowledge of such rules implicitly indicates and raises the shared beliefs among the employees because all employees have to agree and apply the information security policy. When employees know about the rules, they recognize that they are obliged to apply these rules because their peers know that they were trained to do so. In other words, these employees believe that their peers are expecting them to behave in the same way they were trained because otherwise they will be questioned and may be punished for not applying what they learned during training. For this reason, we expect that policy awareness training affects employees injunctive norms. From these arguments, the following hypotheses are offered: H.4: Policy awareness training will be positively associated with injunctive norm. It is worth noting that the proposed model is intentionally simplified to be parsimonious. While there might be other relationships between and among the variables included in the model, those possible relationships are not examined in this study because the focus in this current model is to investigate the proposed hypotheses. Future research might explore other relationships and extend the current model. Thirty Third International Conference on Information Systems, Orlando

6 IS Security and Privacy Pilot Study Methodology Research Method and Data Collection In order to assess the proposed model, survey methodology was utilized. The population for this pilot study included faculty and staff at a large public university in the Southern part of the United States. Using random sampling, a total of 85 individuals were invited to complete the survey instrument. Of the 85 surveys, a total of 69 usable surveys were collected and used for data analysis. Thus, the effective response rate for this pilot was about 81 percent. Measures The measures used in this study were based on previously validated measures where possible. Scale items for three constructs, intention, descriptive norm, and injunctive norm, were adopted from previous literature but adapted to our study s context. The behavioral construct intention to comply was adopted from Siponen et al. (2010) with some modifications and additions of new items. Items in this construct include I am likely to follow organizational security policies. Similarly, the social norms constructs were acquired from previous studies with some modifications and additions of new items. Descriptive norm items were adapted from Herath and Rao (2009a), and injunctive norm items were modified from Siponen et al. (2010). For instance, one of the items that were used to measure descriptive norm is I believe other employees comply with the organization IS security compliance policies. As for injunctive norm My colleagues think that I should follow organizational IS security compliance policies was one of the items that was used to assess this construct. Regarding threat appraisal training and policy awareness training, items for these two constructs were constructed in this study in order to capture and assess these two concepts. Examples of scale items that were used to assess these two constructs include My organization s security training educates how information security breaches are becoming more and more serious for threat appraisal training and My organization s security training outlines appropriate use of information technology resources (e.g. ) policies for policy awareness compliance. In this study, a total of five constructs, and a total of 25 multiple items with five Likert scale ranging from Strongly disagree to Strongly agree were employed. Data Analysis and Results Before applying statistical procedures, data abnormalities such as missing data and outliers were investigated. Violations of statistical assumptions were also checked. Missing data were checked and incomplete instruments were not included in the study. Outliers tests revealed that there was no need for a corrective treatment. Data were also checked for violations of assumptions such as normality and linearity and results indicated that these assumptions were met in the data collected. Partial least squares (PLS) was used to assess both the research models and the psychometric properties of the scales. Measurement Model Assessment In this study, PLS was used to assess the convergent validity, discriminant validity and the internal consistency (reliability) of the constructs forming the research model. Chin (1998) sets criteria for acceptable psychometric properties. These criteria require that (1) internal consistencies exceed 0.70; (2) loadings in a confirmatory factor analysis (CFA) exceed 0.70; (3) loadings are greater than cross-loadings; and (4) the square root of the average variance extracted (AVE) exceeds the inter-construct correlations (Chin 1998). To check if these criteria are met in our model, we first tested whether the items load highly (greater than 0.70) in only one construct and if these loadings are greater than cross-loadings. Two items, one from the threat appraisal training construct and one from the policy awareness training construct, were dropped and eliminated from the analysis because they violated these guidelines. After checking the loadings of the items, internal consistency was checked with composite reliabilities. All the constructs demonstrated acceptable values: the reliability coefficients of all the constructs ranged from 0.84 to 0.93 and are above This indicates that the items used are reliable measures for their perspective constructs. 6 Thirty Third International Conference on Information Systems, Orlando 2012

7 Merhi & Midha / The Impact of Training and Social Norms on Information Security Next, we checked for convergent and discriminant validity. Results demonstrated convergent validity as the AVE values of all constructs are equal or higher than the threshold of 0.5. Comparing the square root of the AVE to the correlations among the constructs, each construct was more closely related to its own construct than to the others which simply means that discriminant validity is demonstrated in this study. Thus, results suggest that the scales demonstrate adequate psychometric properties. Structural Model Assessment and Hypotheses Testing We also used PLS (SmartPLS 2.0) to assess the model and the proposed hypotheses among the five latent constructs. PLS is better suited for theory development than for theory testing and is especially useful for prediction (Urbach and Ahlemann 2010). The analysis results are graphically presented in Figure 2. Figure 2 shows the path coefficients and the significance levels for each hypothesis as well as the variances for the three dependent constructs: descriptive norm, injunctive norm, and behavioral intention to comply with information security policies. The significance of the paths was determined using the T- statistic calculated with the bootstrapping technique. All constructs were modeled as reflective. Threat appraisal training explains 43 % of the variance in descriptive norm. Policy awareness training explains 58 % of the variance in injunctive norm. Descriptive norm and injunctive norm together explain 65 % of the variance of intention to comply. Threat appraisal training 0.66*** Descriptive norm 0.35*** R 2 =.65 R 2 =.43 R 2 = *** Intention to information security compliance Policy awareness training 0.76*** Injunctive norm Note ***: Significant at level. All four hypotheses are supported. Consistent with Hypothesis 1, descriptive norm has a significant effect (at level) on intention to comply with information security policies. Also, threat appraisal training has a significant effect (at level) on descriptive norm, supporting Hypothesis 2. Consistent with the prediction, injunctive norm has a significant effect (at the level) on intention to comply with information security policies, supporting Hypothesis 3. Also, consistent with Hypothesis 4, policy awareness training has a significant effect (at level) on injunctive norm. Discussion and Implications Figure 2: Model Results This research has several key findings and offers theoretical as well as practical implications. In information security literature, SETA has been given high importance but we noticed that two different concepts are used to define and measure this construct. To our best knowledge, this study is the first to suggest this matter. In addition, this study does not only study the impact of two crucial factors - descriptive and injunctive norm, but also suggests that these two types of norm can be affected by other factors. These factors are the two types of training identified in this research. The proposed model was supported by the empirical data. All four hypotheses were supported. These two contributions add to the body of knowledge and enhance our understanding about the factors that affect employees behavior. As for practitioners, our research offers implications to them that help them to develop strategies to decrease the security breach. The results of this study show that intention to comply with information security policies is influenced by injunctive and descriptive norm (R2= 65%). The coefficients in Figure 2 show that injunctive norm has a big influence (β= 0.53; Sig. at 0.001) on intention to comply with information security policies. This result Thirty Third International Conference on Information Systems, Orlando

8 IS Security and Privacy comes in line with previous information systems studies especially those who use the TRA and TPB as their core model. In the context of information security, this result confirms previous findings (Herath and Rao, 2009a) and indicates that in organizations referents expectations do affect the employees behaviors. This finding suggest that the more employees believe that important people around them expect from them to comply with information security, the more likely they will comply. Based on this, managers and supervisors in organizations can enhance security compliance by first explaining to their employees what they expect from them regarding security compliance and then emphasizing it. The relationship between descriptive norm and intention to comply with information security policies was also found highly significant (β= 0. 35; Sig. at 0.001), supporting hypothesis 1. Descriptive norm was found to be a crucial factor that affects behavioral intention to comply. This finding speaks to practitioners and especially to those organizations that are trying to influence their employees behavior to apply the organizational information security policies. In order to increase security compliance in their organization, information security officers and IT supervisors can enhance the security climate in the organizations by offering session where employees can freely share their ideas/experiences about security related issues and the usage of the organization s security policy as a foundation to solve these problems. From this discussion, it is expected that employees will get the knowledge on how to deal with a similar cases in the future believing that this is the normal thing to do since other people are doing it. Furthermore, results indicate that the two concepts of training that we presented are valid and each one of them is a construct by itself. It is found that threat appraisal training positively affects descriptive norm (β= 0.66; Sig. at 0.001), supporting hypothesis 3. This finding suggest that in order to enhance security compliance, managers who are responsible for the security in the organizations should empower employees to be able to assess threats, understand threats severity as well as the likelihood of its occurring. During their training, employees should know about the threats related to security that they may encounter and the consequences that will occur for the organization as well as for themselves in case of failing to apply the organizations security policies. Showing case examples of employees who have not been caught committing any security problem before or those who have not been penalized because of an information security issue, will also help other employees to make these cases behaviors as a model that should follow. Venkatesan (1966) found that imitating what most others are doing influences individuals to behave similarly. Moreover, support for hypothesis 4 was found: That is, policy awareness training positively (β= 0.76; Sig. at 0.001) affects injunctive norm. This result comes to assure the importance of policy training in information security and suggests that employees in organizations should be exposed to rules that clearly define what should and should not be done. In order to enhance security compliance, organizations should promote awareness of day-to-day physical security issues within the organization. Future Research and Conclusions After we tested the model in this pilot study, we plan to take few issues into consideration. First, the sample was collected from one university located in the Southern part of the United States. In order to generalize the findings to other age groups and/or other countries/cultures, we plan to test the model proposed in this study in different areas and probably countries if possible. Re-testing this model in other countries and taking the culture into consideration and introducing moderator effects such as gender, age, etc. will definitely enrich the body of knowledge and enhance our understanding of the factors affecting the intention to comply with information security. Second, the relationships tested among the constructs in this model were simple in order to keep it parsimonious. As mentioned previously, there might be other relationships among these constructs that need to be investigated in future studies. In literature, employees non-compliance with their organization s information security policies has been identified as the greatest single source of threat to organizational information systems security. This research-in-progress is an effort to identify how different types of training affect different types of norms leading to information security compliance. For information security researchers, this study makes an important contribution in conceptualizing and measuring two concepts that have been used as one construct. Also, to our best knowledge, this study for the first time assesses social norms as dependent variables. Social norms were used in previous studies as independent variables; whereas, in this study we demonstrated that social norms can be affected by other factors. Thus, from the standpoint of information 8 Thirty Third International Conference on Information Systems, Orlando 2012

9 Merhi & Midha / The Impact of Training and Social Norms on Information Security security, this study is a crucial contribution to theory and practice. References Ajzen, I From Intentions to Actions: A Theory of Planned Behavior, in Action-Control: From Cognitions to Behavior, J. Kuhl and J. Beckman (eds.), Heidelberg, Germany: Springer, pp Ajzen, I. and Fishbein, M Understanding Attitudes and Predicting Social Behavior, Englewood Cliffs, NJ: Prentice-Hall. Aytes, K., and Connolly, T Computer Security and Risky Computing Practices: A Rational Choice Perspective, Journal of Organizational and End User Computing (16:3), pp Baskerville, R., and Siponen, M An Information Security Meta-Policy for Emergent Organizations, Logistics Information Management (15:5/6), pp Beck, L., and Ajzen, I Predicting Dishonest Actions Using the Theory of Planned Behavior, Journal of Research in Personality (25:3), pp Bishop, M., What is Computer Security? IEEE Security and Privacy (1:1), pp Boer, H., and Westhoff, Y The Role of Positive and Negative Signaling Communication by Strong and Weak Ties in the Shaping of Safe Sex Subjective Norms of Adolescents in South Africa, Communication Theory (16:1), pp Bulgurcu, B., Cavusoglu, H., and Benbasat, I Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness, MIS Quarterly (34:3), pp Chin, W Issues and Opinion on Structural Equation Modeling, MIS Quarterly (22:1), pp. vii-xvi. Cialdini, R. B Influence: Science and practice (2nd ed.), Glenview, IL: Scott, Foresman. Cialdini, R. B Descriptive Social Norms as Underappreciated Sources of Social Control, Psychometrika (72:2), pp Cialdini, R. B., Kallgren, C. A., and Reno, R. R A Focus Theory of Normative Conduct: A Theoretical Refinement and Re-evaluation, Advances in Experimental Social Psychology (24), pp Cialdini, R. B., Reno, R. R., and Kallgren, C. A A Focus Theory of Normative Conduct: Recycling the Concept of Norms to Reduce Littering in Public Places, Journal of Personality and Social Psychology (58:6), pp Conner, M., and McMillan, B Interaction Effects in the Theory of Planned Behavior: Studying Cannabis Use, British Journal of Social Psychology (38:2), pp D Arcy, J., Hovav, A., and Galletta, D User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach, Information Systems Research (20:1), pp Deutsch, M., and Gerard, H. B A Study of Normative and Informational Social Influence upon Individual Judgment, Journal of Abnormal and Social Psychology (51:3), pp Dhillon, G Managing and Controlling Computer Misuse, Information Management Computer Security (7:4), pp Fishbein, M The Role of Theory in HIV Prevention, AIDS Care (12:3), pp Fishbein, M., and Ajzen, I Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research, Reading, MA: Addison-Wesley. Fishbein, M., and Yzer, M. C Using Theory to Design Effective Health Behavior Interventions, Communication Theory (13:2), pp Furnell, S End-User Security Culture: A Lesson That Will Never Be Learnt? Computer Fraud & Security (4), pp Furnell, S., Gennatou, M. and Dowland, P A Prototype Tool for Information Security Awareness and Training, Logistics Information Management (15:5/6), pp Goldstein, N. J., Cialdini, R. B., and Griskevicius, V A Room With a Viewpoint: Using Social Norms to Motivate Environmental Conservation in Hotels, Journal of Consumer Research (35:3), pp Goodhue, D. L., and Straub, D. W Security Concerns of System Users: A Study of Perceptions of the Adequacy of Security, Information & Management (20:1), pp Herath, T., and Rao, H. R. 2009a. Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organizations, European Journal of Information Systems (18:2), pp Thirty Third International Conference on Information Systems, Orlando

10 IS Security and Privacy Herath, T., and Rao, H. R. 2009b. Encouraging Information Security Behaviors: Role of Penalties, Pressures and Perceived Effectiveness, Decision Support Systems (47:2), pp Ifinedo, P Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory, Computers & Security (31:1), pp Kallgren, C. A., Reno, R. R., and Cialdini, R. B A Focus Theory of Normative Conduct: When Norms Do and Do Not Affect Behavior, Personality and Social Psychology Bulletin (26:8), pp Karjalainen, M., and Siponen, M. T Toward a New Meta-Theory for Designing Information Systems (IS) Security Training Approaches, Journal of the Association for Information Systems (12:8), pp Lapinski, M. K., and Rimal, R. N An Explication of Social Norms, Communication Theory (15:2), pp Larimer, M. E., and Neighbors, C Normative Misperception and the Impact of Descriptive and Injunctive Norms on Student Gambling, Psychology of Addictive Behaviors (17:3), pp Lee, J., Lee. Y A Holistic Model of Computer Abuse within Organizations, Information Management Computer Security (10:2), pp Nolan, J. M., Schultz, P. W., Cialdini, R. B., Griskevicius, V., and Goldstein, N. J Normative Social Influence is Underdetected, Personality and Social Psychology Bulletin (34:7), pp Parker, D., Manstead, A. S. R., and Stradling, S. G Extending the Theory of Planned Behaviour: The Role of Personal Norm, British Journal of Social Psychology (34:2), pp Peltier, T. R Implementing an Information Security Awareness Program, Information Systems Security (14: 2), pp Puhakainen, P., and Siponen, M. T Improving Employees Compliance through Information Systems Security Training: An Action Research Study, MIS Quarterly (34:4), pp Rimal, R. N., and Real, K How Behaviors are Influenced by Perceived Norms: A Test of the Theory of Normative Social Behavior, Communication Research (32:3), pp Rivis, A., and Sheeran, P Descriptive Norms as an Additional Predictor in the Theory of Planned Behaviour: A Meta-Analysis, Current Psychology: Developmental, Learning, Personality, Social (22:3), pp Schultz, P. W Changing Behavior with Normative Feedback Interventions: A Field Experiment on Curbside Recycling, Basic and Applied Social Psychology (21:1), pp Schultz, P. W., Nolan, J. M., Cialdini, R. B., Goldstein, N. J., and Griskevicius, V The Constructive, Destructive, and Reconstructive Power of Social Norms, Psychological Science (18:5), pp Sheeran, P. and Orbell S Augmenting the Theory of Planned Behavior: Roles for Anticipated Regret and Descriptive Norms, Journal of Applied Social Psychology, (29:10), pp Siponen, M. T Critical Analysis of Different Approaches to Minimizing User-Related Faults in Information Systems Security: Implications for Research and Practice, Information Management & Computer Security (8:5), pp Siponen, M. T., Pahnila, S., and Mahmood, M. A Compliance with Information Security Policies: An Empirical Investigation, IEEE Computer (43: 2), pp Straub, D. W., and Welke, R Coping with Systems Risk: Security Planning Models for Management Decision Making, MIS Quarterly (22:4), pp Urbach, N., and Ahlemann, F Structural Equation Modeling in Information Systems Research Using Partial Least Squares, Journal of Information Technology Theory and Application (11:2), pp Venkatesan, M Experimental Study of Consumer Behavior, Conformity, and Independence, Journal of Marketing Research (3:4), pp Venkatesh, V., Morris, M. G., Davis, G. B. and Davis, F. D User Acceptance of Information Technology: Toward a Unified View, MIS Quarterly (27:3), pp Voss, T Game Theoretical Perspectives on the Emergence of Social Norms, in Social Norms, M. Hechter and K. D. Opp, (eds.), Russell Sage Foundation, pp Warkentin, M., Carter, L., and McBride, M. E. 2011a. Exploring the Role of Individual Employee Characteristics and Personality on Employee Compliance with Cybersecurity Policies, The 2011 Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG Available online at: 10 Thirty Third International Conference on Information Systems, Orlando 2012

11 Merhi & Midha / The Impact of Training and Social Norms on Information Security Warkentin, M., Johnston, A. C., and Shropshire, J. 2011b. The Influence of the Informal Social Learning Environment on Information Privacy Policy Compliance Efficacy and Intention, European Journal of Information Systems (20:3), pp Warkentin, M., and Willison, R Behavioral and Policy Issues in Information Systems Security: The Insider Threat, European Journal of Information Systems (18:2), pp Wenzel, M The Social Side of Sanctions: Personal and Social Norms as Moderators of Deterrence, Law and Human Behavior (28:5), pp Whitman, M. E In Defense of the Realm: Understanding the Threats to Information Security, International Journal of Information Management (24:1), pp Whitman, M. E., and Mattord, H. J Making Users Mindful of IT Security; Awareness Training is Vital to Keeping the Idea of IT Security Uppermost in Employees Minds, Security Management (48:11), pp Whitman, M. E., Townsend, A. M., and Alberts, R. J Information Systems Security and the Need for Policy, in Information Security Management: Global Challenges in the New Millennium, M. Khosrowpour, (ed.), Idea Group Publishing, Hershey, PA, pp Wybo, M. D., Straub. D. W Protecting Organizational Information Resources, Information Resources Management Journal (2:4), pp Thirty Third International Conference on Information Systems, Orlando