From Information Security Awareness to Reasoned Compliant Action: Analyzing Information Security Policy Compliance in a Large Banking Organization

The aim of this paper is to develop a better understanding of the importance of neutralization methods in the context of desirable information security behavior of employees. Past behavioral intention theories, such as the theory of planned behavior, have not sufficiently accounted for neutralization by which employees may temporarily neutralize certain values when determining the formation of an intention and consequently behavior. We provide a new integrated view on security behavior by combining the theory of planned behavior and neutralization theory in one study. Based on the analysis of 220 data sets acquired by an online survey, our results support the hypotheses gained from both theories. In particular, neutralization techniques are used by employees to justify undesired security behaviors. In relative terms, neutralization seems to be at least equally important as the predictors of the theory of planned behavior when considering effect sizes. Our main contribution is to provide evidence for the important role of six considered neutralization techniques, which implicates to proactively utilize these in the development of effective information security awareness programs.