Article Preview
TopIntroduction
Organizations are vulnerable to cyber-attacks partially because people in the organization are unaware of or unprepared for cyber risks. People are one of the major causes of cyber security breaches (Avina et al., 2017; Huang and Pearlson, 2019). Organizations spend millions of dollars on their cyber security infrastructure that includes technical and non-technical measures, but most times leave the most important asset and vulnerability open ̶ the human. Therefore, despite their investments, companies are not able to reap the benefits of their security investments because of human/employee’s non-compliance with cyber security policies and measures. Cyber security non-compliance is a major concern for organizations (Alqahtani & Braun, 2021; Harris & Martin, 2019). For effective compliance and human acceptance of cyber security technology and compliance with cyber practices, it is crucial to identify, research, and analyse the factors that affect cyber security compliance and implementation. Furthermore, the users need to understand, take, and conform to the security measures of the organization’s information security so that companies can reap the benefits of their technology investments. In Donalds and Osei-Bryson (2020) and Li et al. (2019), the authors concluded that the behavior of employees has a direct relationship with effective information system security compliance. Many cyber security incidents have occurred due to the negligence of cyber security policies (Harris and Martin, 2019; Herath and Rao, 2009; Li et al., 2019). Institutionalization of security policies into practice makes the employees embrace the policies, which makes their behavior more complaint (Alqahtani & Braun, 2021; Harris & Martin, 2019; Li et al., 2019).
Different factors affect the behavior of employees towards cyber security compliance. For cyber security compliance, most of the times, certain new technologies also need to be adopted (Alqahtani & Braun, 2021; Baptista & Oliveira, 2015). Many theories and models are proposed in literature that affect human behavior towards technology adoption. One of the most widely accepted technology adoption models is Unified Theory of Acceptance, Use of Technology (UTAUT) (Venkatesh et al., 2003) and UTAUT2 (Venkatesh et al., 2012).
In this study, all the factors of UTUAT2 model have been explored for cyber security compliance. Limited literature is available that link constructs of UTAUT2 model with cyber security compliance. But there are several weaknesses in the previous studies. Most of the previous studies are biased towards a specific group of people and not applicable to general users or employees. For example, the detailed study conducted by Almaiah, Alamri, and Al-Rahmi (2019), Cuganesan, Steele, and Hart, (2018), D’Arcy and Greene (2014), Hu et al., (2012), Liu, Wang, and Liang (2020), S. Raschid Muller and Mary L. Lind (2020), and Simonova, (2020) is biased in several ways. They had focused on a very limited group of people with specialized professions. For example, in S. Raschid Muller and Mary L. Lind (2020), information security professionals are expected to have a better understanding of information security policies than regular employees (Ahlan, Lubis, and Lubis, 2015; Bauer, Bernroider, and Chudzikowski, 2017). Due to the limitations and bias in the previous studies related to technology adoption and security compliance, the results are very weak and difficult to digest. For example, S. Raschid Muller and Mary L. Lind (2020) suggested that UTAUT2 may not be a very good model for inspecting Information Security Policy (ISP) compliance amongst information security professionals. This may not be the case with the general public and employees of organizations because information assurance professionals usually have more knowledge and bias towards compliance. Therefore, this may not be the case for all employees. This study is performed on general users in organizations.