Review of behavioural theories in security compliance and research challenges

The paper by Pham, Brennan, and Richardson titled “Review of Behavioural Theories in Security Compliance and Research Challenges” is a critical examination of various behavioral theories that are used to understand and improve security compliance within organizations. The authors provide a detailed overview of the theories that have been applied to the field of cybersecurity, analyzing their effectiveness and identifying research gaps that still need to be addressed.

Key Points from the Paper

  1. Security Compliance Challenges:
    • The paper begins by discussing the importance of security compliance in protecting organizational assets. It highlights how non-compliance, whether intentional or unintentional, can lead to significant security breaches.
    • The authors emphasize the complexity of achieving security compliance due to the interplay of various factors, including individual behaviors, organizational culture, and external pressures.
  2. Review of Behavioral Theories:
    • The paper reviews several key behavioral theories that have been applied to security compliance. These include:
      • Theory of Planned Behavior (TPB): This theory suggests that an individual’s behavior is influenced by their intentions, which are shaped by their attitudes, subjective norms, and perceived behavioral control. In the context of security compliance, TPB is used to understand how employees’ intentions to follow security policies are formed.
      • Protection Motivation Theory (PMT): PMT posits that individuals are motivated to protect themselves based on their perception of a threat and their ability to cope with it. This theory is often applied to understand why employees may or may not follow security protocols depending on how they perceive the threat and their confidence in their ability to mitigate it.
      • Deterrence Theory: This theory is based on the idea that people are deterred from engaging in undesirable behavior (e.g., violating security policies) if they believe they will be caught and punished. The paper discusses how this theory has been used to design security policies that emphasize the consequences of non-compliance.
      • General Deterrence Theory (GDT): An extension of Deterrence Theory, GDT suggests that the mere knowledge of potential punishment can deter individuals from violating security policies. The paper explores how GDT has been used in designing preventive security measures.
  3. Research Challenges:
    • The paper identifies several challenges in applying these behavioral theories to security compliance:
      • Contextual Variability: Security behaviors can vary significantly depending on the context, such as the type of organization, the specific security threat, and the individual’s role. This makes it difficult to apply a one-size-fits-all approach to security compliance.
      • Measurement Issues: Accurately measuring compliance and the factors that influence it is challenging. The paper discusses the difficulties in quantifying abstract concepts like perceived threat or intention to comply.
      • Integration of Theories: The authors point out that while individual theories provide valuable insights, there is a need for an integrated approach that combines elements from multiple theories to better understand and influence security compliance.
      • Behavioral Interventions: Developing effective interventions based on these theories requires a deep understanding of both the theories themselves and the specific organizational context. The paper calls for more research into how interventions can be tailored to different environments.
  4. Recommendations for Future Research:
    • The authors suggest several areas for future research:
      • Cross-Theoretical Research: Combining elements from different theories to create more comprehensive models of security compliance.
      • Longitudinal Studies: Conducting studies over an extended period to better understand how security behaviors evolve and how interventions impact long-term compliance.
      • Behavioral Economics: Integrating insights from behavioral economics to understand how incentives and penalties influence security behaviors.
      • Cultural Considerations: Examining how cultural factors influence security compliance and the effectiveness of different interventions.

Book References for Further Reading

  1. “Predicting and Changing Behavior: The Reasoned Action Approach” by Martin Fishbein and Icek Ajzen – This book provides a deep dive into the Theory of Planned Behavior, one of the key theories discussed in the paper.
  2. “Protection Motivation Theory: Applied Social Psychology Annual” edited by J. G. Oliver – This text explores Protection Motivation Theory, offering insights into its application in various fields, including cybersecurity.
  3. “Deterrence: The Legal Threat in Crime Control” by Franklin E. Zimring and Gordon Hawkins – A foundational book on Deterrence Theory, which is relevant to understanding the deterrence-based approaches in security compliance.

Conclusion

The paper by Pham, Brennan, and Richardson is a valuable resource for anyone interested in the application of behavioral theories to security compliance. It provides a thorough review of the existing theories, highlights the challenges in applying them, and suggests directions for future research. For students and practitioners in the field of cybersecurity, this paper offers a comprehensive overview of the theoretical underpinnings of security compliance and the complexities involved in achieving it.
