Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education

Document Type


Publication Date



Engineering Technology

Publication Title

Computers and Security


Higher education institutions have invested heavily in their high-tech infrastructure to ensure the security and integrity of their information. Incompliance with information technology policies has shown to lead to mass information leaks, reputational damage and potential litigation. Little research has been conducted on the subject of employees’ compliance with such sensitive protocols. This paper presents a comprehensive theoretical model based on Theory of Planned Behavior, Protection Motivation Theory, General Deterrence Theory and Organizational Theory for predicting intentions of higher education employees’ compliance with information security policies. Utilizing a survey instrument and using Structural Equation Modeling-Partial Least Squares method, this study found that perceived vulnerability, response efficacy and response cost to be the most predictive indicators that are positively associated with intentions of information security compliance among university staff and faculty. But, little support was found for the General Deterrence Theory, Theory of Planned Behavior and Organizational Theory in explaining the variance of higher education staff intentions to comply with information security policies. Results indicated that the Protection Motivation Theory provides the best theoretical framework to understand higher education employees’ behavior with respect to compliance with information security. Such results confirmed earlier empirical investigations attempting to understand the basic question of why do employees differ with respect to compliance with information security. Consistent with the prior research, severe sanctions, close management supervision, peers’ pressure and attitudes towards information security do not matter as much as perceived vulnerability and response efficacy in ensuring higher levels of intentions to comply with ISPs in organizations. The study recommends universities and colleges to invest in applied information security training for their staff, as well as for the university overall community.


A. Eydgahi is a faculty member in EMU's School of Engineering.

*M. Rajab is an EMU student.

Link to Published Version