The Influence of Institutional Forces on Employee Compliance with Information Security Policies

Ye Hou, Ping Gao, Richard Heeks


Information security is an issue of growing concern to organisations, typically addressed through the development of information security policies. However, policies are only effective if organisational employees comply with them. This paper reviews the literature on employees’ security behaviour and information security policy compliance, and presents the research gaps that this review reveals concerning influences on employees’ compliance behaviour with information security policy. Here, we analyse the institutional factors that shape employee behaviour towards information security policy compliance. Applying institutional theory, we posit that an employee’s compliance behaviour with information security policy is positively influenced by regulative, normative and culture-cognitive forces in organisations.



Paper Citation

in Harvard Style

Hou Y., Gao P. and Heeks R. (2011). The Influence of Institutional Forces on Employee Compliance with Information Security Policies. In Proceedings of the 8th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2011), ISBN 978-989-8425-61-4, pages 132-141. DOI: 10.5220/0003587901320141
