
Understanding insiders: Theories and challenges in information security policy compliance research

Research output: Chapter in Book/Report/Conference proceeding (Chapter, peer-reviewed)

1 Scopus citations

Abstract

Studies in information security policy compliance (ISPC) have used a number of behavioral theories from criminology, public health, and economics research to understand why individuals inside organizations commit security policy violations. These theories and empirical studies have broadened our understanding of some of the most prevalent and most difficult-to-address causes of information security incidents: non-malicious and malicious policy violations. However, current studies have a number of issues, and certain observations may be fruitful to address, both for future research and for practitioners in organizations. In this chapter, I summarize some of the major behavioral frameworks used in ISPC research, indicating the main causal variables studied, the results of these investigations, and the practical implications for organizations. Given that many of the studies that adopt a rational actor perspective and a cost-benefit calculus have not obtained consistent results, I suggest a set of variables and behavioral effects that highlight how individuals commit a plethora of non-rational acts in their day-to-day activities, and argue that this basic understanding of human biases may be fruitful in the information security context. Moreover, I point to methodological challenges regarding self-reported studies and the problem of non-malicious acts being mixed with malicious acts. Lastly, I identify ethical challenges in controlling employee behavior and the importance of understanding behavioral ethics in the information security context and in organizational settings.

Original language: English
Title of host publication: World Scientific Reference On Innovation
Publisher: World Scientific Publishing Co. Pte Ltd
Pages: 27-45
Number of pages: 19
Volume: 4
ISBN (Electronic): 9789813147034
ISBN (Print): 9789813147027
State: Published - Mar 20 2018

Keywords

  • Behavioral security
  • Ethics
  • Information security policy
  • Insider threat
