The Relationship between Information Security Awareness and the Intention to Violate Information Security with the Mediating Role of Individual Norms and Self-control

Article Type:
Research/Original Article (accredited ranking)
Abstract:
Introduction

While the role of information in today’s world cannot be denied, and since most activities and processes depend on information, the violation of information security is a critical concern. There are numerous motivations to threaten the security of an organization’s information, ranging from economic motivations to revenge, although some threats are unintentional and their source does not actually mean to threaten security. There are two sources of security threats, internal and external. Internal threats come from employees who intentionally or unintentionally violate the organization’s information security rules. While a variety of studies deal with this issue from different angles, the researchers found no prior reports on the relationship between information security awareness and intention to violate information security with the mediating role of individual norms and self-control. Hence, this research aims to employ several theories, including general deterrence theory, general crime theory, control theory and social learning theory, and proposes 5 minor hypotheses and 2 major hypotheses to examine this relationship among the employees of Keshavarzi Bank in Isfahan city. The results will lead to the development of a new theoretical model, which expands our knowledge in this field and can also be used by researchers as the theoretical underpinning of their future research. The results can also offer new practical suggestions and solutions to reduce incidents of information security breaches by employees in organizations.

Material & Methods

The present study is applied research in terms of purpose, and a descriptive survey with a correlational approach in terms of method. The population of the study consisted of 350 employees of Keshavarzi Bank in Isfahan. The sample size was estimated at 184 individuals based on the Morgan table, and the sample was selected by stratified random sampling proportional to size. The scale was adopted and adapted from published sources and, except for the demographics, was formatted on a five-point Likert scale. The demographics consisted of 5 questions, referring to the respondents’ age, gender, education level, marital status, and organizational position. The main scale for the variable ‘information security awareness’ consisted of 3 dimensions, namely ‘information security general awareness’, ‘information security rules awareness’, and ‘information security violation sanctions’, each consisting of three items. The questionnaires for ‘individual norms’ and ‘intention to violate information security’ each consisted of 4 items, and the questionnaire for ‘self-control’ consisted of 3 items. The validity of the questionnaires was established using face validity (by a number of respondents), content validity (by faculty members and management specialists) and construct validity (confirmatory factor analysis), using average variance extracted (AVE), composite reliability (CR), factor loadings and the Fornell-Larcker criterion. To examine the scale reliability, Cronbach’s alpha was used, and the overall reliability was 0.83. The collected data were analyzed with SPSS and SmartPLS software at the two levels of descriptive and inferential statistics. Based on the results, all the research hypotheses were confirmed.

Discussion of Results & Conclusions

The relationships of information security awareness with individual norms (β = 0.67), self-control (β = 0.71), and intention to violate information security (β = -0.53) were significant. The results also indicated that individual norms (β = -0.54) and self-control (β = 0.48) were significantly related to intention to violate information security. The results are consistent with some similar past studies, which have been discussed. Overall, it can be suggested that employees’ awareness of the organization’s security rules, and of the consequences of violating information security, should be improved by conducting various classes. Moreover, building an efficient security culture that encourages employees to follow the organization’s security rules can be an effective step toward this goal. Another step would be publicly implementing sanctions against those who violate the organization’s security rules.

Language:
Persian
Published:
Strategic Research on Social Problems in Iran, Volume:7 Issue: 4, 2019
Pages:
41 to 58
magiran.com/p2042445  