The sufficiency of the theory of planned behavior for explaining information security policy compliance
Abstract
Purpose
This paper aims to challenge the assumption that the theory of planned behaviour (TPB) includes all constructs that explain information security policy compliance and investigates if anticipated regret or constructs from the protection motivation theory add explanatory power. The TPB is an established theory that has been found to predict compliance with information security policies well.
Design/methodology/approach
Responses from 306 respondents at a research organization were collected using a questionnaire-based survey. Extensions in terms of anticipated regret and constructs drawn from the protection motivation theory are tested using hierarchical regression analysis.
Findings
Adding anticipated regret and the threat appraisal process results in improvements of the predictions of intentions. The improvements are of sufficient magnitude to warrant adjustments of the model of the TPB when it is used in the area of information security policy compliance.
Originality/value
This study is the first test of anticipated regret as a predictor of information security policy compliance and the first to assess its influence in relation to the TPB and the protection motivation theory.
Keywords
Acknowledgements
This research is sponsored by the Swedish Civil Contingencies Agency (MSB).
Citation
Sommestad, T., Karlzén, H. and Hallberg, J. (2015), "The sufficiency of the theory of planned behavior for explaining information security policy compliance", Information and Computer Security, Vol. 23 No. 2, pp. 200-217. https://doi.org/10.1108/ICS-04-2014-0025
Publisher
:Emerald Group Publishing Limited
Copyright © 2015, Emerald Group Publishing Limited