Article ID: 351126
Journal: Computers in Human Behavior
Published Year: 2012
Pages: 10
File Type: PDF
Abstract

Users of corporate information systems often engage in risky behavior that can threaten the security and integrity of an organization by exposing sensitive information or weakening the existing technological perimeter security. This risky user behavior can be intentional or unintentional, but in either case it can cause severe damage to an organization’s reputation and can potentially extend harm to the organization’s clients and customers. When information systems users do not follow corporate security policies even though they know the policies, this is known as user omissive behavior, or the knowing–doing gap. This research examines information assurance understanding and security awareness at the user level by developing a structured model of the user knowing–doing gap. The model examines the role of organizational narcissism and its effect on user attitudes towards following the organization’s information security policies and procedures. It also includes perceived threat as a factor affecting user attitudes towards following information security rules, as well as subjective norms and perceived behavioral control, consistent with the theory of planned behavior. This structured model provides a framework and description of user information security behavior and the knowing–doing gap.

► Developed a structured model of the user information security knowing–doing gap.
► Based on previous research including the theory of planned behavior and the threat control model.
► Examines narcissism, perceived threat, subjective norms, and perceived behavioral control.
► Findings support perceived vulnerability, subjective norms, and self-efficacy as significant.
► Narcissism, perceived severity of threat, and locus of control were not significant contributors.

Related Topics
Physical Sciences and Engineering > Computer Science > Computer Science Applications