Violators versus non-violators of information security measures in organizations—A study of distinguishing factors

Abstract

ABSTRACT The present study analyzes the elements that differentiate violators from non-violators of information security measures. Various elements are derived from established theories and models such as general deterrence theory, theory of planned behavior, theory of reasoned action, protection motivation theory, and social cognitive theory. To examine these factors, the data are gathered through an online study conducted in a Midwestern University, USA. The data are collected using questionnaires, and after scrutiny, 195 questionnaires are selected for final analysis. This data are analyzed using second-level statistical techniques, such as chi-square analysis and ANOVA. Results reveal that violators and non-violators of information security measures differ significantly with respect to many factors. These factors include perceived privacy, subjective norms, perceived information security policy (ISP) scope, perceived severity of penalty, perceived celerity of penalty, management support, organizational security culture, and perceived organizational IT capability. The non-significant factors are trust and work load. Implications for practitioners and researchers are provided.