Determinants of early conformance with information security policies

Individuals often fail to perform the security behaviors their organizations request to protect informational assets. However, forcing individuals into the compliance can trigger undesired behaviors. We propose a model grounded in Theory of Planned Behavior and information security literature to study determinants of early conformance toward technology-enforced security policies. The model was tested with 535 respondents from a university that implemented new password policies. The results show support for all the proposed relationships, except that subjective norm does not affect intentions. This important finding is explained by the leading role of early conformers, which highlights the importance of context-specific theorizing by researchers.