Top Management Can Lower Resistance toward Information Security Compliance

Size: px

Start display at page:

Download "Top Management Can Lower Resistance toward Information Security Compliance"

Horatio Goodman
5 years ago
Views:

1 Top Management Can Lower Resistance toward Information Security Compliance Research-in-Progress Mohammad I. Merhi Judd Leighton School of Business & Economics Indiana University South Bend 1700 Mishawaka Avenue, South Bend, IN Punit Ahluwalia College of Business and Entrepreneurship University of Texas Rio Grande Valley 1201 West University Drive, Edinburg, TX Abstract Recent reports indicate that IS users resistance to use information systems security policies is the biggest barrier to an effective security strategy. Studies that examine IS users resistance to information systems security policies are scarce in the current literature. In this paper, we examine the process of how top management support influences IS users resistance to security policies. Specifically, we examine the influence of the top management support on organizational norms and behavioral control. We also confirm that the norms and behavioral control affect resistance to IS policy. We pilot-tested our proposed set of hypotheses with survey data collected from 133 IS users working in four industries. Results supported our proposed model. Based on the findings, implications for theory and practices are discussed. Keywords: resistance, systems security policies, injunctive norms, descriptive norms, multidimensional top management support. Introduction The existing research in Information Systems Security (ISS) affirms that IS users in the organizations are among the main reasons why ISS incidents occur (Bulgurcu et al. 2010; D Arcy et al. 2009; Warkentin et al. 2011). Implementation of ISS policies require changes in the way IS users interact with IT systems thus generating resistance (Kolkowska and Dhillon 2013; Tipton 2014). A recent survey of 618 IT security practitioners reported that 56% of participants affirmed that employees resistance is the biggest barrier to the implementation of an effective security strategy (Ponemon Institute 2014). Therefore, a theoretically grounded understanding of factors that influence IS users resistance to ISS policies is necessary. Studies that look into IS users resistance to ISS policies are scarce in the current literature. In this paper, we develop a model to examine the antecedents of IS users resistance and analyze the proposed hypotheses using PLS analytic method. By doing this, we bridge a significant gap in the literature. Most studies in ISS research consider users intention to adopt or use ISS policies as the dependent variable thereby assuming a volitional environment where users are free to use the technology. This assumption does not truly reflect the actual situations in the real world where compliance of ISS policies is mandatory, either enforced by technology or by threats of punishment. Therefore, we argue that resistance to IS policy is a very pertinent factor in understanding users compliance behavior because of mandatory enforcement of the ISS policies in most organizations. Thirty Sixth International Conference on Information Systems, Fort Worth

2 Several studies have confirmed that top management s support is essential for success of organizational projects (Ifinedo 2008; Liang et al. 2007; Sharma and Yetton 2003), but there is no universally accepted definition of top management support. Boonstra (2013) argues that top management support is a multidimensional construct however most studies use a unitary and a homogeneous construct to represent top management support (Hu et al. 2012; Kankanhalli et al. 2003). Hu et al. (2012) examined the influence of top management support on IS users cognitive beliefs namely attitude, perceived behavioral control, and subjective norms using top management participation as a proxy. Kim and Kankanhalli (2009) reported that organizational support for change lowered user resistance. This paper extends the existing ISS literature by studying the impact of top management support on IS users resistance to ISS policies. We look into the process by which top management support affect IS users resistance to ISS policies. We argue that top management support to ISS policies affects normative factors within organizations namely injunctive norms, descriptive norms, and perceived behavioral control, which in turn influence users resistance towards these policies. The injunctive norms capture individuals beliefs about what others expect from them (Cialdini et al. 1991). The descriptive norms are the beliefs formed by individuals determined by what others around them do (Cialdini et al. 1991). The perceived behavioral control is individuals beliefs in their abilities, and the control they exercise in order to take an action (Ajzen 1975; 1991). We argue that the top management support can influence the descriptive and injunctive norms, and perceived behavioral control therefore indirectly affecting IS users resistance. The remainder of this paper is organized as follows. We first provide a brief literature review on the factors included in the study, followed by the theoretical framework and a set of research hypotheses. We then pilot test the hypotheses using a survey dataset collected from 133 IS users from four industries. We finally present conclusions, implications, and future work avenues. Literature Review Resistance Resistance has been defined as opposition, challenge or disruption to process or initiatives (Ferneley and Sobreperez 2006; Jermier et al. 1994). Employees resistance to change has been found to be a major factor for many projects failures. New processes and methods often accompany the implementation of a new technology causing changes in social and technical environments. These changes generate resistance because of preference for status-quo. Managing resistance is important as organizations need to focus on employees beliefs and attitudes when implementing ISS policies (Thomson et al. 2006). In this paper, we examine the indirect (process) relationship between top management support and the resistance to comply with ISS policies. Belanger et al. (2011) is perhaps the only article that takes into account the non-volitional characteristic of ISS compliance and posit user resistance as the dependent variable. They argue that when the compliance is enforced, a spectrum of reactions may occur ranging from compliance to resistance. Even though a firm may succeed in successful implementation of ISS policies by mandating them, the resulting resistance may cause collateral harm (Lapointe and Rivard 2005). In a mandatory setting, resistance to change may include voicing opposition, formally protesting, complaining, and demanding the withdrawal of the change (Lapointe and Rivard 2005). Opposition to the ISS change may manifest by incorporating only the minimum requirements and/or waiting until the last minute to comply with the required changes. We extend the important contributions of Belanger et al. (2011) by examining the effect of normative factors namely injunctive norms, descriptive norms, and perceived behavioral control on resistance. Top Management Support for ISS Policies Young and Jordan (2008) define top management support as: devoting time to the [IS] program in proportion to its cost and potential, reviewing plans, following up on results and facilitating the management problems involved with integrating technologies with the management process of the business. Many studies that focus on high cost or strategic value IT projects such as ERP implementations and R&D projects consider top management support as an important antecedent of the success of these projects (Ke and Wei 2008; Green 1995). The top management support has been associated with clear IS vision and assimilation (Liang et al. 2007), team effectiveness (McComb et al. Thirty Sixth International Conference on Information Systems, Fort Worth

3 2008), greater system usage (Guimaraes and Igbaria 1997), project performance (Bonner et al. 2003), and commitment to finish the project (Munns and Bjeirmi 1996). The top management can demonstrate its support by allocating adequate financial and technical resources for major organizational endeavors (Boonstra 2013). McComb et al. (2008) propose that top management members should lend support by placing themselves as project champions in order to show their high commitment and interest in the project. Perry (1985) and Wood (1995) argue that implementation of ISS policies require IS users to significantly change their interaction with IT systems which make them resist the changes unless the top management s involvement is visible. Based on their anecdotal experience, Von Solms and von Solms (2004a); Von Solms and Von Solms (2004b) suggest that top management should ensure that all the information assets of the company are secure by directly communicating with IS users. Kankanhalli et al. (2003) found that greater top management support protects organizations from undesirable ISS incidents. An action research found that IS users compliance with stated ISS policies improved after they noticed that the top managers and the CEO adhered to such policies (Puhakainen and Siponen 2010). Because their findings were based on anecdotal evidence, Puhakainen and Siponen (2010) called for additional studies to confirm their findings. Most of the existing research considers top management support as a single homogeneous construct (Boonstra 2013). However varied meanings and contexts of the construct are used in the top management literature. Commitment, leadership, visibility, and participation are various manifestations of top management support that affect project success (Worley and Doolen 2006; Dong et al. 2009). Based on a meta-analysis of the literature, Boonstra (2013) presents a descriptive framework breaking down the top management behaviors in five categories. These are: Support organization with resources Set up adequate organization structures to achieve the desired outcomes Communicate with all stakeholders and be visible when doing so Gain sufficiently good expertise of the domain Use and demonstrate authority (power) ISS being a highly specialized field, most top management executives may not possess core expertise in this field. Therefore, these executives delegate the authority and responsibility to setup and maintain ISS policies to other executives such as Chief Information Officers and Chief Security Officers. Consequently, we use the first three of the five categories as the indicators of top management support. Injunctive Norms and Descriptive Norms Norms are standards of behavior that exist in a group of people. These norms are based on widely shared beliefs that prescribe how individual group members ought to behave and perform in a given situation (Ajzen and Fishbein 1980; Voss 2001). When considering normative influence on individual s behavior, Cialdini et al. (1990; 1991) advised that it is critical to differentiate between two categories of normative beliefs: descriptive and injunctive. Descriptive norms refer to beliefs about what is actually done by most others in one s social group. Injunctive norms, on the other hand, refer to individual s beliefs about what ought to be done (Cialdini et al. 1990). Both injunctive and descriptive norms are responsible for affecting individuals behavior in various domains such as recycling (Schultz 1999), littering (Kallgren et al. 2000), energy conservation (Goldstein et al. 2008), alcohol use (Rimal and Real 2005), tax evasion (Wenzel 2004), and student gambling (Larimer and Neighbors 2003). Many studies found that both descriptive and injunctive norms independently influenced individual behavior (Beck and Ajzen 1991; Conner and McMillan 1999; Parker et al. 1995). In a meta-analysis of 8097 articles, Rivis and Sheeran s (2003) reported that descriptive norms accounted for an additional five percent variance in individual behavior. Despite fairly strong support for the influence of descriptive norms on individual behavior across disciplines, the ISS literature emphasizes the injunctive norms more than the descriptive norms (Anderson and Agarwal 2010; Herath and Rao 2009). Thus, we include both types of norms in our research model. Kim and Kankanhalli (2009) examined the effect of colleague opinion and self-efficacy for change on user resistance and found both to be statistically non-significant predictors. In this paper, colleague opinion Thirty Sixth International Conference on Information Systems, Fort Worth

4 was considered analogous to social norms and self-efficacy was mapped to PBC. We are also interested in finding out the role of top management support in influencing the organizational norms. Merhi and Midha (2012) examined whether threat appraisal and policy awareness training affected descriptive and injunctive norms. We in this research-in-progress investigate whether top management support influences injunctive and descriptive norms in the context of IS users resistance to ISS policies. Perceived Behavioral Control Perceived behavioral control (PBC) is the perception of the individual s ability to perform a particular behavior (Ajzen 1991). According to the Theory of Planned Behavior (TPB), PBC is an individual s aggregate evaluation of factors such as resources, skills, cooperation of others, and opportunities which is considered to be an antecedent of individual behavior (Ajzen 1991). The role of PBC in influencing individual action has been examined extensively in the literature and has been found to be an important factor in influencing individuals compliance decisions. Researchers across disciplines examined the validity of PBC in a variety of compliance situations such as; adherence to hand hygiene practice (Pittet 2001), tax compliance (Bobek and Hatfield 2003), and driver compliance with speed limit control (Cestac et al. 2011). All these studies found that PBC influenced the compliance behaviors. In ISS, several researchers such as Hu et al. (2012); Warkentin et al. (2011); Zhang et al. (2009) examined the influence of PBC on IS users ISS behavioral compliance and found that IS users needed resources and skills to comply with ISS. In this paper, we argue that PBC is responsible for influencing IS users decision to resist the ISS policies. We also argue that top management support positively affects PBC. Again, to the best of our knowledge, the effect of PBC on IS users resistance to ISS has not been examined in the ISS literature. We in this research-in-progress investigate whether top management support influences PBC and whether PBC affects IS users resistance to ISS. Research Model and Hypotheses The proposed research model posits that resistance to ISS policies is influenced by injunctive norms, descriptive norms, and perceived behavioral control. The top management s support to ISS policies affects injunctive norms, descriptive norms, and perceived behavioral control therefore indirectly affecting resistance to ISS. We now describe the hypotheses proposed in this study. Descriptive Norms Descriptive norms describe what most people do, and refer to what an individual thinks others do in a particular situation. In other words, descriptive norms reflect a shared rationale for a certain action by this reasoning; if a lot of people are doing this, then it s probably a wise thing to do (Cialdini 2007). Such an assumption offers individuals an information-processing advantage and a decisional shortcut when they face a decision situation (Cialdini 1988). This type of norms focuses on the tendency that an individual may have to replicate the believed behavior of others (Sheeran and Orbell 1999). Behavioral literature has recognized the significance of descriptive norms because individuals justify their behavior based on others behaviors. The effect of others behaviors on IS users can be expected to change their attitude towards using ISS policies. Negative attributions of uncertainty and change in work style are among the causes of resistance in IS users. The levels of these attributions are likely to be lower if the users believe that others around them are not opposed to the changes caused by the ISS policies. Thus, we posit that: H1: Greater descriptive norms will negatively influence IS users resistance to ISS policies. Injunctive Norms Injunctive norms are beliefs of individuals about what important others approve or disapprove. In other words, it is not one s own view but what others believe to be appropriate behavior. Venkatesh et al. (2003) examined employees perceptions of the expectations of superiors, managers, and peers in relevant IS departments and found that if employees believe that their peers, managers, or superiors expect a specific behavior from them, they will more likely do it. Several studies have shown that injunctive norms have direct and positive influence on people s attitudes (Anderson and Agarwal 2010; Bulgurcu et al. 2010; Thirty Sixth International Conference on Information Systems, Fort Worth

5 Dinev and Hu 2007; Herath and Rao 2009; Hu et al. 2012; Li et al. 2010; Siponen et al. 2010). Kim and Kankanhalli (2009) posited colleague opinion as a predictor of user resistance but the data did not confirm the relationship. In this paper, we consider both injunctive and descriptive norms as the antecedents of user resistance. We argue that injunctive norms weaken or diminish resistance towards ISS policies. Hence, we postulate: H2: Greater injunctive norms will negatively influence IS users resistance to ISS policies. Perceived Behavioral Control Perceived behavioral control refers to people s perception of their ability to perform a given behavior and is defined as the aggregate sum of product of control factors and associated perceived power (Ajzen 1991). ISS being a specialized domain requires IS users to have a good understanding of the policies and rules they are expected to comply with. Complying with ISS policies may also require IS users to possess a minimum level of proficiency in IT, and have access to adequate tools and resources that are necessary for such compliance. For example, if the ISS policies require that the data must be encrypted when transmitting information over the Internet, then IS users will perceive higher PBC if they think that they are adequately skilled to use the encryption software that is available to them. Thus, IS users who have perception of high control over tasks assigned to them are likely to exhibit lower resistance towards accepting and undertaking such tasks. Thus, we posit: H3: Greater perceived behavioral control will negatively influence IS users resistance to ISS policies. Top Management Support The top management of organizations is responsible for providing resources and opportunities to people so that they can go about performing their designated tasks effectively and efficiently. Top management can facilitate these opportunities for IS users by allocating adequate resources and setting up effective organizational structures (Igbaria et al. 1997). The possession of adequate IT proficiency is likely to increase PBC among IS users. Based on this discussion, we state our hypothesis: H4.a: Greater top management support for ISS policies will positively influence perceived behavioral control. Merhi and Midha (2012) examined the role of training on injunctive and descriptive norms and found positive relationships between these factors. Successful leaders serve as role models thence what they do or say can become a new norm. Top managers explicitly and implicitly support important organizational goals and practices influencing beliefs of people in their span of control. Therefore, we argue that tacit and explicit support for ISS policies by the top leadership of an organization is likely to influence the collective beliefs among the workers/users about the relevance and significance of complying with such policies. Over time, a domino effect may cause such collective beliefs to shape the descriptive norms as well. Therefore: H4.b: Greater top management support for ISS policies will positively influence injunctive norms. H4.c: Greater top management support for ISS policies will positively influence descriptive norms. Figure 1 illustrates the proposed research model. Descriptive Norms Top Management Support H4c (+) H4b (+) H4a (+) Injunctive Norms Perceived Behavioral Control H2 (-) H3 (-) H1 (-) Resistance to ISS Figure 1: Proposed Model Thirty Sixth International Conference on Information Systems, Fort Worth

6 Methodology, Data Analysis, and Results Research Method and Data Collection We used the survey method to collect data. The sampling frame comprised of IS users working in four different industries: education, financial, retail, and IT located in the Southern United States. The data was collected from 10 organizations which had established ISS policies and required compliance by IS users. Participation in the survey was voluntary and the respondents did not receive any incentive. A total of 219 IS users were requested to provide data out of which 133 provided completed questionnaires yielding a response rate of 61%. Measures Measures of all constructs except the top management support were adopted from previously validated measures. Scale items for resistance were adopted from Oreg (2006). Descriptive norms items were adopted from Herath and Rao (2009). Injunctive norms items were modified from Siponen et al. (2010); Anderson and Agarwal, (2010) and Bulgurcu et al. (2010). Measures for PBC were adopted from Workman et al. (2008). Measures for top management support were constructed in this study based on the dimensions presented by Boonstra (2013). All items were seven point Likert scale ranging from Strongly disagree to Strongly agree. Measurement Model Assessment We used PLS to assess the convergent validity, discriminant validity and the internal consistency (reliability) of the constructs forming the research model. We checked the internal consistency using composite reliabilities and Chronbach s alpha. The reliability coefficients of all the constructs ranged from 0.88 to 0.96 and the coefficients of the Chronbach s alpha ranged from 0.84 to 0.95, all greater than 0.70 indicating that the items are reliable (Chin 1998). Table 1: Discriminant Validity: Construct Correlations Construct Descriptive Injunctive PBC TMS Resistance Descriptive Injunctive PBC TMS Resistance The convergent validity was established by ensuring that the loadings in confirmatory factor analysis (CFA) exceed 0.70 and that the loadings are greater than cross-loadings (Chin 1998). Results show that the AVE values of all constructs are equal or higher than the threshold of 0.5 which demonstrate adequate convergent validity (Chin 1998). By comparing the square root of the AVE (bold in Table 1) to the correlations among the constructs, each construct was more closely related to its own construct than to the others which simply means that discriminant validity is also demonstrated in this study. Thus, results suggest that the scales demonstrate adequate psychometric properties. Structural Model Assessment and Hypotheses Testing We also used PLS (SmartPLS 3) to assess the hypothesized relationships among the five latent constructs. Figure 2 shows the path coefficients and the significance levels for each hypothesis as well as the variances for the four dependent constructs: descriptive norms, injunctive norms, PBC, and IS users resistance to ISS. The significance of the paths was determined by using the t-statistic and p-values generated by bootstrapping the observations 5000 times. All constructs were modeled as reflective. Thirty Sixth International Conference on Information Systems, Fort Worth

7 Top Management Support 0.44** 0.41** 0.42** Descriptive Norms R 2 = 0.19 Injunctive Norms R 2 = 0.43 Perceived Behavioral Control R 2 = * * R 2 = 0.11 Resistance to ISS Figure 2: Model Results Note: Not significant; *: Significant at 0.05 level; **: Significant at level. All four hypotheses are supported except H2 (Greater injunctive norms will negatively influence IS users resistance to ISS policies). We discuss these results in the next section. Test for Common Method Bias We conducted two independent analyses to assess the effect of common methods bias. First, we performed Harman s single-factor test (Podsakoff et al., 2003). This test requires simultaneously loading all items of different constructs in a factor analysis with no rotation to determine whether a single factor accounts for most of the variance. If one factor accounts for the majority of the covariance among all measures, then it may be due to the method used. Results of this test developed six factors with eigenvalues greater than 1 of which the highest accounting for 33.2% of the total variance (83.12%). In the second analysis, the construct correlation matrix was examined to check whether any two constructs correlate extremely highly (greater than 0.90) (Pavlou et al., 2006). The correlation matrix (Table 1) does not indicate any highly correlated factors. The highest correlation is equal to Both analyses suggest that methodological bias did not distort the findings reported in this paper. Discussion A strong stream of research points to the significance of top management support for success of major organizational projects (Boonstra 2013; Green 1995; Ke and Wei 2008; Liang et al. 2007). Puhakainen and Siponen (2010) provide anecdotal evidence that top management support influenced IS users compliance with ISS policies and called for quantitative studies that assess the relationship between top management support and IS users behaviors. Hu et al. (2012) quantitatively examined the influence of top management support on IS users cognitive beliefs namely attitude, perceived behavioral control, and subjective norms using top management participation as a proxy. Boonstra (2013) argues that top management support is a multi-dimensional construct but has been examined as a single homogeneous construct. This paper extends this stream of literature by developing top management support as a multidimensional construct. It also adds to this literature by taking a process view of how top management support indirectly influence IS users resistance to ISS policies through normative factors namely injunctive norms, descriptive norms, and perceived behavioral control. The data confirmed the relationships proposed between top management support and injunctive norms and perceived behavioral control. These results confirm the findings of Hu et al. (2012) who also examined these relationships. The data confirmed the hypothesized relationship between descriptive norms and IS users resistance to ISS policies. Descriptive norms are individuals perception of what most others would do when facing a similar situation (Cialdini et al. 1991). Extant literature across disciplines has shown that descriptive norms have a direct and positive impact on individuals behavior (Nolan et al. 2008; Schultz 1999). Venkatesan (1966) found that imitating what most others are doing influences individuals to behave similarly. The data in this study indicate that greater descriptive norms lead to less resistance of ISS policies. This finding indicates that if IS users see that most individuals around them are not resisting the ISS policies, they will more likely not resist the change. Thirty Sixth International Conference on Information Systems, Fort Worth

8 In ISS literature, mixed findings were reported about the role of injunctive norms in influencing ISS compliance intention. Anderson and Agarwal (2010) did not confirm a significant relationship between injunctive norms and ISS compliance. In the extant literature, no study has examined the relationship between injunctive norms and IS users resistance to ISS policies to compare our results to previous findings. These mixed results including the finding in this paper creates opportunity for future research to inquire into the domain related factors that may affect how injunctive norms influence behavior. The results indicated that perceived behavioral control affects IS users resistance to ISS policies. Perceived behavioral control is defined as the aggregate sum of product of control factors and associated perceived power (Ajzen 1991). TPB posits that individuals perceptions of their ability to perform a given behavior influence their behavior (Ajzen 1991). The results indicated that higher level of PBC leads to low resistance. That is if users perceive that they have the ability to apply the ISS policies, they are more likely to less resist these policies. This finding suggests that in order to reduce resistance to ISS policies, managers who are responsible for the security in the organizations should empower IS users to be able to confidently apply the ISS policies. Training, workshops are examples of methods that can be used to enhance IS users abilities to use ISS policies (Merhi and Midha 2012). For instance, during training IS users should learn about the threats related to security that they may encounter, the consequences that will occur for the organization, and techniques that should be used to avoid the threat. Conclusions and Implications Many recent studies have identified IS users resistance to ISS policies to be an important factor that affect information breach in organizations. To our best knowledge, Belanger et al. (2011) is the only paper that quantitatively examined antecedents of IS users resistance to ISS policies. This research-in-progress is an effort to investigate the role of top management support and social norms in influencing IS users resistance to ISS policies. When implemented ISS policies require changes in the way IT is used and thus lead IS users to resist these policies. Project management literature emphasizes the significance of the support of top management in increasing the likelihood of success of major projects. Implementation of ISS policies is similar to other critical projects and thus require top management support. In this paper, we propose that social norms namely injunctive norms, descriptive norms, and perceived behavioral control mediate the relationships between top management support and IS users resistance to ISS. This paper makes significant contributions to the literature. First, we use a multi-dimensional construct for top management support. Until recently, most researchers in the top management literature adopted varied definitions and interpretations of top management support. Our paper extends this research by examining the role of top management in dealing with resistance. Second, we extend the important contributions of Belanger et al. (2011) who examined the effect of attitude on IS users resistance to ISS policies by investigating the role of injunctive norms, descriptive norms, and perceived behavioral control on IS users resistance to ISS policies. Third, to our best knowledge, this is the first study to investigate the role of top management support on descriptive norms. This paper also makes substantive contributions to practice. The multi-dimensional construct of top management support provide practitioner a tool to assess and enhance their support toward ISS policies projects. In this study we demonstrated that top management support influence social norms namely injunctive norms, descriptive norms, and perceived behavioral control which in turn affect IS users resistance to ISS policies. We argue that organizations need to provide more support to ISS projects. The support can take various forms, such as offering educational and training programs, visibly practicing ISS compliance, and demonstrating the vision and goal of the ISS policies to the organization. This leads to building social norms that decrease IS users resistance to ISS policies. Based on this, we believe that this study is a crucial contribution to theory and practice. This paper is a research-in-progress and has few limitations that can be addressed in future research. Given the length restrictions of the track submissions, we could not add more arguments on the importance of the dimensions of TMS. Second, resistance to ISS policies may vary in different organizations and in the same organizations for different positions. The small sample size we collected for this study did not allow us to control for the type of organization to assess their varying influence on resistance. We plan to answer these issues in the future version of this manuscript when we submit it for journal publication Thirty Sixth International Conference on Information Systems, Fort Worth

9 References Ajzen, I Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research, Addison Wesley, Reading, MA. Ajzen, I The Theory of Planned Behavior, Organizational Behavior and Human Decision Processes (50:2), pp Ajzen, I. and Fishbein, M Understanding Attitudes and Predicting Social Behavior, Prentice-Hall, Englewood Cliffs, NJ. Anderson, C., and Agarwal, R Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions, MIS Quarterly (34:3), pp Beck, L., and Ajzen, I Predicting Dishonest Actions Using the Theory of Planned Behavior, Journal of Research in Personality (25:3), pp Belanger, F., Collignon, S., Enget, K., and Negangard, E User Resistance to the Implementation of a Mandatory Security Enhancement, The Dewald Roode Workshop on Information Systems Security Research, IFIP WG8.11/WG11.13, Virginia Tech, Blacksburg, Virginia. Bobek, D. D. and Hatfield, R. C An Investigation of the Theory of Planned Behavior and the Role of Moral Obligation in Tax Compliance, Behavioral Research in Accounting (15:1), pp Bonner, J. M., Ruekert, R. W., and Walker O. C Upper Management Control of New Product Development Projects and Project Performance, Journal of Product Innovation Management (19:3), pp Boonstra, A How Do Top Managers Support Strategic Information System Projects and Why Do They Sometimes Withhold this Support? International Journal of Project Management (31:4), pp Bulgurcu, B., Cavusoglu, H., and Benbasat. I Information Security Policy Compliance: An Empirical Study of Rationality Based Beliefs and Information Security Awareness, MIS Quarterly (34:3), pp Cestac, J., Paran, F., and Delhomme, P Young Drivers Sensation Seeking, Subjective Norms, and Perceived Behavioral Control and Their Roles in Predicting Speeding Intention: How Risk Taking Motivations Evolve with Gender and Driving Experience, Safety Science (49:3), pp Chin, W. W Commentary: Issues and opinion on structural equation modeling, MIS Quarterly (22:1), pp. vii xvi. Cialdini, R. B Influence: Science and practice (2nd ed.), Scott, Foresman, Glenview, IL. Cialdini, R. B Descriptive Social Norms as Underappreciated Sources of Social Control, Psychometrika (72:2), pp Cialdini, R. B., Reno, R. R., and Kallgren, C. A A Focus Theory of Normative Conduct: Recycling The Concept of Norms to Reduce Littering in Public Places, Journal of personality and social psychology (58:6), pp Cialdini, R. B., Kallgren, C. A., and Reno. R. R A Focus Theory Of Normative Conduct: A Theoretical Refinement and Reevaluation of the Role of Norms in Human Behavior, Advances in experimental social psychology (24:20), pp Conner, M. and McMillan, B Interaction Effects in the Theory of Planned Behaviour: Studying Cannabis Use, British Journal of Social Psychology (38:2), pp D Arcy, J., Hovav, A., and Galletta, D User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach, Information Systems Research (20:1), pp Dinev, T. and Hu. Q The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies, Journal of the Association for Information Systems (8:7), pp Dong, L., Neufeld, D. and Higgins, C Top Management Support of Enterprise Systems Implementations, Journal of Information Technology (24:1), pp Ferneley, E. H. and Sobreperez, P Resist, Comply or Workaround? An Examination of Different Facets of User Engagement with Information Systems, European Journal of Information Systems (15:4), pp Goldstein, N. J., Cialdini, R. B., and Griskevicius, V A Room With A Viewpoint: Using Social Norms to Motivate Environmental Conservation in Hotels, Journal of consumer research (35:3), Thirty Sixth International Conference on Information Systems, Fort Worth

10 pp Green, G Top Management Support of R and D Projects: A Strategic Leadership Perspective, Engineering Management, IEEE Transactions on (42:3), pp Guimaraes, T. and Igbaria, M Client/Server System Success: Exploring the Human Side, Decision Sciences (28:4), pp Herath, T. and Rao, H. R Encouraging Information Security Behaviors in Organizations: Role Of Penalties, Pressures And Perceived Effectiveness, Decision Support Systems (47:2), pp Hu, Q., Dinev, T., Hart, P., and Cooke, D Managing Employee Compliance With Information Security Policies: The Critical Role of Top Management and Organizational Culture, Decision Sciences (43:4), pp Ifinedo, P Impacts of Business Vision, Top Management Support, and External Expertise on ERP Success, Business Process Management Journal (14:4), pp Igbaria, M., Zinatelli, N., Cragg, P., and Cavaye. A. L Personal Computing Acceptance Factors In Small Firms: A Structural Equation Model, MIS Quarterly (21:3), pp Jermier, J. M., Knights, D., and Nord, W. R Resistance and Power in Organisation, Cengage Learning, Routledge, London. Kallgren, C. A., Reno, R. R., and Cialdini. R. B A Focus Theory Of Normative Conduct: When Norms Do and Do Not Affect Behavior, Personality And Social Psychology Bulletin (26:8), pp Kankanhalli, A., Teo, H., Tan, B., and Wei, K An Integrative Study of Information Systems Security Effectiveness, International Journal of Information Management (23:2), pp Ke, W. and Wei, K. K Organizational Culture and Leadership in ERP Implementation, Decision Support Systems (45:2), pp Kolkowskaa, E. and Dhillon, G Organizational Power and Information Security Rule Compliance, Computers & Security (33:March), pp Lapointe, L. and Rivard, S A Multilevel Model of Resistance to Information Technology Implementation, MIS Quarterly (29:3), pp Larimer, E. and Neighbors, C Normative Misperception and the Impact of Descriptive and Injunctive Norms on College Student Gambling, Psychology of Addictive Behaviors (17:3), pp Li, H., Zhang, J., and Sarathy, R Understanding Compliance with Internet Use Policy from the Perspective of Rational Choice Theory, Decision Support Systems (48:4), pp Liang, H., Saraf, N., Hu, Q., and Xue, Y Assimilation of Enterprise Systems: The Effect of Institutional Pressures and the Mediating Role of Top Management, MIS Quarterly (31:1), pp McComb, S. A., Kennedy, D. M., Green, S. G., and Compton, W. D Project Team Effectiveness: The Case for Sufficient Setup and Top Management Involvement, Production Planning and Control (19:4), pp Merhi, M. I. and Midha, V The Impact of Training and Social Norms on Information Security Compliance: A Pilot Study, In International Conference of Information Systems (ICIS) 2012, Orlando, FL. Munns, A. K., and Bjeirmi, B. F The Role of Project Management in Achieving Project Success, International Journal of Project Management (14:2), pp Nolan, J. M., Schultz, P. W., Cialdini, R. B., Goldstein, N. J., and Griskevicius, V Normative Social Influence is Underdetected, Personality and Social Psychology Bulletin (34:7), pp Oreg, S Personality, Context, and Resistance to Organizational Change, European Journal of Work and Organizational Psychology (15:1), pp Parker, D., Manstead, A. S. R., and Stradling, S. G Extending the Theory of Planned Behaviour: The Role of Personal Norm, British Journal of Social Psychology (34:2), pp Pavlou, P. A. and Fygenson, M Understanding and Predicting Electronic Commerce Adoption: An Extension of the Theory of Planned Behavior, MIS Quarterly (30:1), pp Perry, W. E Management Strategies for Computer Security. Butterworth Heinemann. Pittet, D Improving Adherence to Hand Hygiene Practice: A Multidisciplinary Approach, Emerging Infectious Diseases (7:2), pp Podsakoff, P. M., MacKenzie, S. B., Lee, J.-Y., and Podsakoff, N. P Common method biases in behavioral research: A Critical Review of the Literature and Recommended Remedies, Journal of Applied Psychology (88:5), pp Thirty Sixth International Conference on Information Systems, Fort Worth

11 Ponemon Institute, Security in the New Mobile Ecosystem. Avaliable at Puhakainen, P. and Siponen, M Improving Employees Compliance through Information Systems Security Training: An Action Research Study, MIS Quarterly (34:4), pp Rimal, R. N. and Real, K How Behaviors are Influenced by Perceived Norms: A Test of the Theory of Normative Social Behavior, Communication Research (32:3), pp Rivis, A. and Sheeran, P Descriptive Norms as an Additional Predictor in the Theory of Planned Behaviour: A Meta Analysis, Current Psychology (22:3), pp Schultz, P. W Changing Behavior with Normative Feedback Interventions: A Field Experiment on Curbside Recycling, Basic and Applied Social Psychology (21:1), pp Sharma, R. and Yetton, P The Contingent Effects of Management Support and Task Interdependence on Successful Information Systems Implementation, MIS Quarterly (27:4), pp Sheeran, P. and Orbell S Augmenting the Theory of Planned Behavior: Roles for Anticipated Regret and Descriptive Norms, Journal of Applied Social Psychology, (29:10), pp Siponen, M., Pahnila, S., and Mahmood, M Compliance with Information Security Policies: An Empirical Investigation, Computer (43:2), pp Thomson, K. L., von Solms, R., and Louw, L Cultivating an Organizational Information Security Culture, Computer Fraud and Security (2006:10), pp Tipton, H. F Information Security Management Handbook, Fourth Edition. CRC Oress LLC. Boca Raton, FL. Venkatesan, M Experimental Study of Consumer Behavior Conformity and Independence, Journal of Marketing Research (3:4), pp Venkatesh, V., Morris, M. G. Davis, G. B., Davis, and F. D User Acceptance of Information Technology: Toward a Unified View, MIS Quarterly (27:3), pp Von Solms, B. and Von Solms, R The 10 Deadly Sins of Information Security Management, Computers & Security (23:5), Von Solms, R. and von Solms, B From Policies to Culture, Computers & Security (23:4), pp Voss, T Game Theoretical Perspectives on the Emergence of Social Norms, Russel Sage Foundation, New York, NY. Warkentin, M., Johnston, A. C., and Shropshire, J The Influence of the Informal Social Learning Environment on Information Privacy Policy Compliance Efficacy and Intention, European Journal of Information Systems (20:3), pp Wenzel, M The Social Side of Sanctions: Personal and Social Norms as Moderators of Deterrence, Law and Human Behavior (28:5), pp Wood, C Information Security Awareness Raising Methods, Computer Fraud and Security Bulletin (1995:6), pp Workman, M., Bommer, W. H., and Straub, D Security Lapses and the Omission of Information Security Measures: A Threat Control Model and Empirical Test, Computers in Human Behavior (24:6), pp Worley, J. M. and Doolen, T. L The Role of Communication and Management Support in a Lean Manufacturing Implementation, Management Decision, (44:2), pp Zhang, J., Reithel, B. J., and Li, H Impact of Perceived Technical Protection on Security Behaviors, Information Management and Computer Security (17:4), pp Thirty Sixth International Conference on Information Systems, Fort Worth