Control, perceived risk and information security precautions: External and internal motivations for security behavior

Posted on: 2008-08-13
Degree: Ph.D
Type: Dissertation
University: University of Pittsburgh
Candidate: Boss, Scott R
Full Text: PDF
GTID: 1448390005968999
Subject: Business Administration
Abstract/Summary:
Computer security has become increasingly important to organizations as the number of security incidents skyrockets. While many technical means are used to secure corporate systems, individual employees remain the last line--and frequently the weakest link--in organizational defenses. When individuals choose to disregard security policies and procedures meant to protect the organization, they leave the organization at risk. How, then, can organizations motivate their employees to follow security guidelines? Using organizational control and the fear of crime as the lens, we build a model to examine this research question.

The research model examines the relationship between the elements of control (specification, evaluation, and reward), risk elements and risk antecedents (direct experience, indirect experience, and risk) and precautions that can be taken at the individual level which are typically motivated by organizational policies and procedures. The model also introduces the concept of "mandatoriness" which is generally not specifically highlighted in extant literature.

The specific hypotheses are developed and tested using a field survey. An organization was identified for data collection and 1,738 total responses were collected from a population of approximately 3,500. The model was tested using PLS analysis after examination of the data, scale reliability, and item validity.

The results from the analysis suggest that the acts of specifying a policy and evaluating behaviors are effective in convincing individuals that security policies and procedures are mandatory. The perception of mandatoriness, in turn, is effective in motivating individuals to take security precautions. Likewise, both direct and indirect experience have a significant positive effect on perceptions of risk, but risk perceptions do not have any effect on the level of precautions taken by individuals.

The findings highlight the need for management to clearly specify computer security policies and procedures and to evaluate individual employee compliance with those policies. The findings also indicate that the perceived impact of specific scenarios is more likely to affect individual precaution taking behaviors than statistics indicating the likelihood that they will be affected. Additionally, managers need to address the problems of apathy as it relates to security and bolster individuals' efficacy as it relates to computers.
Keywords/Search Tags: Security, Risk, Precautions, Individual