Abstract:
Information security is a crucial concern for organisations in today’s technological world. This study evaluates employees’ and organisations’ information security compliance behaviour by investigating compliance with information handling policies and procedures. Previous theories have assumed that intention always leads to behaviour. This study investigated whether this is actually the case. A revised model of Ajzen’s theory of planned behaviour (TPB) was proposed to better explain the factors that influence intention. Using data from a quantitative survey of 120 employees from various organisations, this model was tested to determine the relationships between awareness, attitude towards compliance, subjective norms, perceived behavioural control and behavioural intention, as well as to see whether intention indeed led to behaviour. Findings showed that subjective norms have the strongest influence on intention and actual behaviour, whereas attitude towards compliance has the weakest influence on employees’ intention to comply with information security policies and procedures. Findings also showed that intention does not always lead to behaviour; other external factors can influence behaviour. This highlights that previous research using the original TPB, which implied that intention leads to behaviour, should be re-evaluated and that more research needs to be done. This study provides insights for the corporate world by showing the most effective and least effective methods of training employees and what factors are most likely to influence employees’ compliance behaviour. Providing regular reminders about compliant behaviour, having sensory triggers for employees about compliant behaviour, and offering continuous training for employees are the best methods to keep employees aware of common security risks and threats.