Impact of perceived technical protection on security behaviors

The purpose of this paper based on compensation theory, is to incorporate perceived technical security protection into the theory of planned behavior and examined factors affecting end‐user security behaviors, specifically, compliance with security policies.

An online survey is conducted to validate the proposed research model. The survey is sent out to an industrial panel. A total of 176 usable responses are received and used in the data analysis.

The results show that both perceived behavioral control (PBC) and attitude have significant impact on intention to comply with security policy. Perceived technical protection affects behavioral intentions both indirectly, through PBC, and directly. The negative direct effect (i.e. perceived high technical protection leads to low intention to comply with security policy) suggests possible risk compensation effects in the information security context.

This result should be of interest to practitioners. In practice (e.g. during security training), the power and capability of technical protection mechanisms should not be exaggerated. Instead, its limitations and drawbacks should be emphasized, so that end‐users will adopt more cautious security practices and adhere to the requirements of the organization's security policies.

This paper embeds risk compensation theory within the security policy compliance context and offers a useful starting point for further empirical examination of this theory in information security context.