Information security policy non-compliance: Can capitulation theory explain user behaviors?

Abstract

Informational security policies depend on user compliance to protect computing resources. When users are lax with security measures and fail to follow security related directives, data breaches are more likely to occur. We hypothesize that users are giving up on security compliance because they believe breaches are inevitable. We test the explanatory theory of security capitulation based on technology threat avoidance, protection motivation theory, and technology acceptance theory. Capitulation theory examines distrust of security, theft of privacy, vulnerability, security threats and security self-efficacy as predictors of capitulation, which influences motivation to protect computing assets. Results indicate that distrust of security, loss of privacy, vulnerability, threats, and self-efficacy are significantly related to capitulation. This research provides insight into emerging explanations of continuing organizational security failures.