Date of Award

Spring 3-1-2012

Document Type

Dissertation

Degree Name

Doctor of Science in Information Systems

Department

Business and Information Systems

First Advisor

Omar El-Gayar

Second Advisor

Amit Deokar

Third Advisor

Wayne Pauli

Fourth Advisor

Viki Johnson

Abstract

Information security policy compliance is one of the key concerns that face organizations today. Although technical and procedural security measures help improve information security, there is an increased need to accommodate human, social, and organizational factors. While employees are considered the weakest link in the information security domain, they also are assets that organizations need to leverage effectively. Employees’ compliance with Information Security Policies (ISPs) is critical to the success of an information security program. This study adapts the Technology Acceptance Model (TAM) and the Theory of Planned Behavior (TPB) to examine users’ behavioral intention to comply with ISPs. Compliance and systems misuse have been investigated heavily in the last couple of years. However, there are still huge gaps in this area, and more investigation is needed as the systems abuse dilemma is more likely to persist in the future. Different theories were borrowed from criminology, sociology, and other social and behavioral sciences to help understand the factors motivating either compliance or non-compliance behavior, or systems misuse intentions and behaviors. This study identifies the antecedents of employees’ compliance with the information security policies (ISPs) of an organization. Specifically, the impact of structured and unstructured information security awareness on behavioral intentions to comply with an organization’s ISP was investigated. Drawing on TAM and TPB, the study posits that along with perceived behavioral control (self-efficacy and controllability) and subjective norms, an employee’s intention to comply with the requirements of the organization’s ISP is associated with the degree to which s/he believes or perceives compliance to be difficult to understand, to learn or operate (perceived complexity; PC), and/or to the extent that safeguarding the organization’s information technology resources will enhance his/her job performance (PUOP).
Data was collected using a survey instrument that captured employees’ perceptions and intention regarding compliance with the organizations’ ISPs. A sample of 878 employees working in nine different banks in Jordan was used to test the research model. Results indicated that employees’ intention to comply is significantly influenced by PC, PUOP, and subjective norms. Employees’ awareness of security countermeasures was found to significantly affect perceived usefulness of protection and perceived complexity, and they, in turn, affect their intentions to comply with the requirements of organizations’ ISPs. General information security awareness and technology awareness were also found to significantly influence employees’ intention to comply through PUOP and PC. Controllability was found to have no significant impact on PC and PUOP. Overall, this study presents significant contributions toward explaining the role of Information Security Awareness (ISA) and employees’ perceptions of the usefulness and complexity of the requirements of the organization’s ISP to boost compliance behavior.
