Alan R. Hevner, Ph.D.
Gert-Jan de Vreede, Ph.D.
T. Grandon Gill, D.B.A.
Loran Jarrett, D.B.A.
Uday Murthy, Ph.D.
Keywords: employees, practitioners, target groups, tailored messages, leadership, peers, intrinsic motivation
Lack of employee compliance with information security policies is a key factor driving security incidents. Information security practitioners struggle to enforce policy compliance while employees try to curtail safeguards in favor of expediency and other perceived business goals. Several studies have identified individual and organizational factors that influence this type of employee behavior. However, few have recommended management-level interventions that information security practitioners can use as a solution framework.
This research utilized the Design Science Research (DSR) methodology to develop a management-level intervention based on a messaging strategy that aims to help information security practitioners improve the information security culture of their organization through employees’ intrinsic motivation, thus increasing compliance with information security policies. DSR calls for the design of an artifact to solve a problem of practice. In this research, the artifact is the management-level intervention mentioned above. The two terms were used interchangeably throughout this manuscript depending on the context.
I adopted the DSR derivative, elaborated Action Design Research (eADR), to develop the artifact, completing its first three cycles (Diagnosis, Design, and Implementation). Each of these cycles involved specific research methods, giving rigor and validity to the artifact. The diagnosis cycle consisted of a literature review combined with my experience as a practitioner to frame the problem space and create an initial draft of the artifact. During the design cycle, the artifact was evaluated and refined using a qualitative focus group study in which participants were subject matter experts from different disciplines related to the research topic. The data collected during the focus group study were analyzed using a thematic analysis approach; the results validated the theoretical foundation of the artifact. During the implementation cycle, the management-level intervention was evaluated through a field experiment, using a quantitative method to measure its effectiveness. The results obtained from applying a validated industry survey before and after the intervention were not the expected results, which made them quite interesting.
The resulting management-level intervention consisted of three simple steps that information security practitioners can adapt to their context for deployment, making it a solution framework that can be broadly adopted. This solution was the main contribution to practice. The contribution to science was centered around the theoretical foundation the solution is based on, which combines the Fogg Behavior Model with the message utility construct in Informing Science's Single Client Resonance Model and Self-Determination Theory to increase intrinsic motivation towards information security compliance among employees. This premise can prompt novel research in this and other disciplines, especially those that concentrate on particular organizational climates, such as safety, ethics, diversity and inclusion, and others. Other contributions were based on the experience and lessons learned from conducting a field experiment in collaboration with industry. In addition, this project augmented the eADR research field by applying the model to the information security compliance practice field.
In summary, this research work strongly contributed to science and practice. Additionally, I compiled an extensive list of future research directions to augment this contribution.
Scholar Commons Citation
Giovannetti, Federico, "Designing a Messaging Strategy to Improve Information Security Policy Compliance" (2022). USF Tampa Graduate Theses and Dissertations.