Though most organizations have policies and guidelines to protect their information systems from unauthorized access, research has shown that employee compliance is often a problem.
Mandatory policies not always followed
“Even if the policies are mandatory, individual perceptions, interpretations, and behavior vary within the process of complying,” says accounting and information systems professor France Belanger, who, with three doctoral students, completed a new study exploring the attitudes and “resistance behavior” of individuals faced with a required information technology security change. Previous studies, she says, largely focused on voluntary behavior.
Study looks at behavior across Virginia Tech
Using their own institution as a case study, Belanger and her team — Eric Negangard and Kathy Enget (accounting and information systems) and Stephane Collignon (business information technology) — surveyed undergraduate and graduate students, faculty, staff, and administrators at Virginia Tech. The university required its information systems account holders to change their passwords by July 1, 2011, after evaluating password practices in the wake of recurring security problems. Accounts would not be accessible with old passwords after the deadline.
The survey comprised 571 respondents; the study was based on a final sample of 425 participants.
Awareness of change influences user attitudes
Managers who develop and implement information security procedures may find some useful lessons about change management in the study, Belanger says. It highlights the role of user awareness of the security change in influencing user attitudes toward the change and shows the relative importance of various organizational measures to publicize the change.
“Promoting awareness is an important part of the change management process. Our results suggest that organizations should also consider a number of other factors that can affect user attitudes towards the change and, in turn, their resistance behavior.” These include user perceptions about the usefulness and ease of use of the particular information system, their vulnerability to the security threat, the influence of their social network, and their technical competence or ability to perform the protective action.
“By fully understanding these factors and considering their impact on attitude and intention,” she says, “organizations can more successfully manage the process of mandatory security policy enhancements.”
Information security more important than ever
Belanger notes that a company’s physical property was historically its most valuable and most easily safeguarded asset. “Today, one of the most valuable resources is information — information that is kept in a variety of systems and accessed and transmitted from employer as well as personal desktop and laptop computers and smart phones. All these access points or devices are subject to security threats, and their security is, ultimately, the responsibility of the individuals using them.”
Belanger says the model she developed incorporates elements from previous studies on technology acceptance and user resistance, including research demonstrating that compliance and resistance are not polarized extremes. “There can be some level of each in the other. The fact that people do not act directly against a policy implementation or change is not sufficient evidence that there is no opposition.”
Researchers, she says, have distinguished three forms of compliance: “mandatory,” when individuals abide by an external authority; “introjected,” when they feel coerced and oppressed and may resist; and “volitional,” when they see themselves rather than an external authority as being in control of their own behavior. Volitional compliance, she says, can represent a form of resistance. In observing a password change, for example, individuals view their action as being self-directed (“I’m changing my password because I want to, not because the policy says I have to”).
Weak links often overlooked
To those who argue that individual feelings do not matter when compliance is not a choice, Belanger says that resistance can take various forms, ranging from mild or passive (expressed by a lack of interest, apathy, inaction or indifference, or refusal to accept responsibilities) to active (resulting in actions that include formal or informal protests, complaints, or demands).
In a mandatory change, users may express their opposition by not participating in the spirit of the change: doing only the minimum required and/or waiting until the last minute to comply. “While complying, the individual may remain unmotivated or indifferent,” she says. “This can be problematic. Studies have shown that uninvolved individuals are the weak link in an organization’s security chain of defense.”
Resistance can exist while complying
For example, she notes that though notification of the Virginia Tech password change began in February 2011, only 63 of the 571 individuals who responded to her survey had changed their passwords before the survey was conducted in April. Among those who had not changed their passwords, the intention to resist ranged from “rather not resistant” to “strongly resistant.”
Says Belanger: “Our study shows that resistance can exist while abiding by the rules.”
Official announcements not always effective
The study team also tracked announcements and other notifications from the university throughout the process. “While the first notification was made on Feb. 8,” Belanger says, “the survey revealed that many individuals were not aware of the change for many months.”
The university’s online course and project management site (Scholar) was the most effective vehicle in promoting awareness of the change to faculty and students. Just over 50 percent of the respondents indicated that they first heard of the change requirement via this site, while 14 percent, the next highest response, cited Belanger’s survey.
Results defy expectation
“Contrary to our expectations, the results indicate that perceived severity of the security threat does not have a significant influence on attitude. In other words, people are conscious that a password breach can have severe consequences, but it does not affect their attitude toward the security policy implementation.”
Another surprising finding: the more technical competence respondents have, the less they favor the policy enhancement. Belanger speculates that the mandatory aspect of the policy change may be why. “In a voluntary implementation, that competence may be a vector of pride and accomplishment. In a mandatory context, the individual may feel her competence challenged, triggering a negative attitude toward the process.”
These unexpected results, she says, suggest directions for further research.