The growth in computer use has ushered increased concerns of information security throughout the world. In recent decades, companies have increasingly leveraged the Internet to enhance their internal and external connectivity(Li et al. 2010). The high level of connectivity have created unprecedented opportunities for the dark side of the technological advancement to emerge and prosper(Hu et al. 2007).
Historically, researchers interested in the security of IS have long investigated extensively themselves with building technological countermeasures in order to prevent several IS security problems(Aytes and Connolly 2003; Dutta and Roy 2008; Goel and Ghengalur-Smith 2010; Hu et al. 2007; Workman and Gathegi 2007). However, due to infusion of more procedures and logical or physical devices within the information environment, no system can be completely secure(Straub and Welke 1998). Therefore, keeping IT environment safe demands a more complete understanding of the phenomenon, which requires broadening information security far beyond the technical aspects(Luciano et al. 2010). A number of authors have affirmed that information security depends on human factors(Luciano et al. 2010; Maconachy et al. 2001) because information security cannot be achieved through technological measures alone(Aytes and Connolly 2003; Goel and Ghengalur-Smith 2010; Luciano et al. 2010; Trcek et al. 2007). The greatest security threat of all is the company employees- the organizational member who is a trusted agent' inside the firewall(Cardinali 1995; Warkentin and Willison 2009). This paper focuses on users' voluntary behavior towards information security based on the theory of planned behavior(TPB)(Ajzen 1991) because studies of individual components in the TPB have shown that attitudes toward information security, control perceptions, and social influences affect various forms of contravention behaviors and the structural model of technology(Orlikowski 1992) which explains the adoption of technology in organizations as the interplay among organizational properties, human agents, and technology. Because information security is not a temporary issue, it is important to identify factors to lead employees' persistent behavior to comply with information security policy. Furthermore, this study considers a persistent compliance intention as dependent variable. Over half of all IS security breaches are indirectly or directly caused by employees' poor IS security compliance(Siponen and Vance 2010).
This study has found partial support for the research model introduced here. The proposed model explains over 53% of the variation in Persistent Compliance Intention(SMC=0.537). Nine paths out of twelve in the model are statistically significant. The other three paths are not statistically significant. In particular, the relationship of Security Policy Effectiveness with Persistent Attitude toward Compliance surprisingly turns out not to be statistically significant. This results is different from previous literature such as D' Arcy et al.(2009), Herath and Rao(2009a,2009b), and Siponen and Vance(2010). Previous researches suggested that security policy plays a critical role in information security context. However, this research results show that security policy is not a important issues for persistent information security compliance. Furthermore, Perceived Behavioral Control not influenced on Persistent Compliance Intention. Although employees have abilities to detect and protect the information security breaches, these abilities does not lead to persistent intention to comply with information security policy.
Perceived Benefit, Techno-Stress, Organizational Commitment, Perceived Security Climate, and Systems Quality is primarily explained via Persistent Attitude toward Compliance. That is, Persistent Attitude toward Compliance is mediating the effects of the other four independent variables(Perceived Benefit, Techno-Stress, Organizational Commitment, Perceived Security Climate, and Systems Quality). These results show that TPB is a critical for explanation of information security behaviors. Key implications for theory and practice are discussed.