Predicting Compliance of Security Policies: Norms and Sanctions

Abstract

ABSTRACT This paper is motivated by the need to find reasons for the divergent findings reported in many studies that assessed the effects of social norms on IS security policy compliance, and answers multiple calls for additional research on this subject. In doing so, this paper contributes to the existing information security literature by presenting an integrated model that draws from the General Deterrence Theory, the Social Norms, and the Normality perspective. Specifically, this study investigates the effect of formal sanctions on information security policies compliance mediated by subjective, descriptive, and moral norms. The data were collected from the employees of five organizations in the Southern United States using the survey method. Quantitative analysis of the sampled data was conducted by using PLS to assess the various hypotheses. This study shows that descriptive and moral norms mediate the relationships between formal sanctions and information security compliance. The paper highlights the influence of moral norms on how IT users respond to IS security policies.