Majed Rajab

Date Approved


Degree Type

Campus Only Dissertation

Degree Name

Doctor of Philosophy (PhD)

Department or School

College of Technology

Committee Member

Ali Eydgahi, PhD, Chair

Committee Member

Bilquis Ferdousi, Ph.D.

Committee Member

Munther Abualkibash, Ph.D.

Committee Member

Huei Lee, Ph.D.


The study of employees’ intention to comply with information security policies in higher education is limited. This research thus embarks on an empirical analysis of the factors predicting employees’ intention to comply, or lack thereof, with their institutions’ policies. The theoretical frameworks utilized by the study’s model for this analysis are outlined. Details regarding data collection and analysis are also provided to answer the crucial question: What are the best predictors of employees’ intention to comply with information security policies within the higher education community? The answer helps colleges and universities design better preventive solutions, thereby avoiding potential financial and reputational losses.

Using data collected from a sample of employees at Eastern Michigan University, the proposed model was fitted based on four theoretical frameworks: theory of planned behavior, protection motivation theory, deterrence theory, and organizational theory. This model is the first to integrate all relevant theories cited as influencing intention to comply with information security policies. Partial least squares structural equation modeling (PLS-SEM) is utilized to develop a deeper understanding of the factors leading higher education employees to comply with policies. The choice of this technique is informed both by the widespread usage of PLS-SEM in the information security compliance intention literature and by its exploratory orientation, which suits the purposes of this research.

Findings suggest that the protection motivation model serves as the most appropriate behavioral theory for understanding employees’ intention to comply with information security policies in higher education. Perceived vulnerability to information breaches, perceived response efficacy, and perceived response cost were found to be significant in predicting intended compliance. This finding is significant in many respects. First, universities need to develop workshops aimed towards training staff on how to effectively respond to IT risks. Further, the majority of staff is not aware of the dangers and complexities of IT attacks; therefore, universities need to provide comprehensive guides or training sessions on the breadth, width, and magnitude of IT risks to increase levels of Information Security Policy (ISP) compliance intention. Finally, future studies of ISP intention to comply should incorporate vulnerability and response efficacy as main elements of their models.