Identification of the Employee's Mental Patterns about the Policies of Information Security

Document Type : Research Paper


1 Ph.D. Student in system Management, pardis farabi of Management University of Tehran, Iran

2 Assistant Prof., Faculty of entrepreneurship, Tehran University, Tehran, Iran


The security of information systems is one of the most important challenges for today's organizations. Although most organizations use security technologies, they concluded that technology is not enough by itself and the key threat to the organization security comes from employees who do not agree with the organization security policies. Therefore, the field of end users security behaviors in the organization has received serious attention. In accordance with recent studies, end users have different security perspectives which have weakened the monitoring of user's security behaviors. Using Q methodology, this research attempted to identify employees’ mental patterns regarding information security policies to lead employees with the security requirements of the organization. In this regard, by reviewing previous researches as well as evaluating and summing up the discourse space, Q statements were selected and ranked by 31 employees of petroleum products Distribution Company. Constantly, analysis statements and four mental patterns were identified and classified as assessors, committed, relatives and people who consider deterrence tools helpful in line with information security policies.


Main Subjects

Aytes, K. & Connolly, T .(2003). A research model for investigating human behavior related to computer security. Americas conference on information system (AMCIS). paper 260. Available in: /260.
Brown, S.R., Q (1996). Methodology and Qualitative research. Qualitative Health Reseach, 6(4): 561-567.
Bulgurcu, B., Cavusoglu, H. & Benbasat, L. (2009). Roles of Information Security Awareness and Perceived Fairness in Information Security Policy Compliance, Americas Conference on Information Systems, AMCIS2009, San Francisco, California, Augus 6-9, 2009.
Bulgurcu, B., Cavusoglu, H. & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3): 523-548.
Chang, J., Wu, C. & Liu, H. (2012).The Effects of Job Satisfaction and Organization Commitment on Information Security Policy Adoption and Compliance. Management of Innovation and Technology (ICMIT). IEEE International Conference on, Sanur Bali, June 2012, DOI: 10.1109/ICMIT.2012.6225846.
Cheng, L., Li, Y., Li, W., Holmc, E. & Zhai, Q. (2013). Understanding the violation of IS security policy in organizations: An integrated model based on social control and deterrence theory. Computers & Security, 39: 447- 459.
Corr, S. (2001). An introduction to Q methodology, a Research Technique, British. Journal of Occupational therapy, 64(6): 293-297.
Furnell, S., Gennatou, M. & Dowland P. S. (2002). A prototype tool for IS security awareness and training. International Journal of Logistics Information Management, 15 (5): 352-357.
Furnell, S. M. (2005). Why users cannot use security. Computers & Security, 24(4): 274-279.
Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. computers & security, 31 (1): 83-95.
Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition. Information & Management, 51 (1): 69–79.
Kalantari, KH. (2003). Data processing and analysis of socio-economic research. Tehran: Sharif. (in Persian)
Katsikas, S. K. (2000). Health care management and information system security: awareness, training or education. International Journal of Medical Informatics, 60(2): 129-135.
Koshgoyanfard, A. (2007). Q methodology. Tehran: IRIB Research Center.
(in Persian)
Lee, J. & Lee, Y. (2002). A holistic model of computer abuse within organizations. Information management & computer security, 10 (2): 57-63.
Pahnila, S., Siponen, M. & Mahmood, M. (2007). Employees’ Behavior towards IS Security Policy Compliance. Proceedings of the 40th Hawaii International Conference on System Sciences, DOI: 10.1109/HICSS.2007.206. ·
Siponen, M. (2000). A Conceptual Foundation for Organizational Information Security Awareness. Information Management & Computer Security, 8(1): 31-41.
Siponen, M., Pahnila, S. & Mahmood, M. (2006). Factors Influencing Protection Motivation and IS Security Policy Compliance, Innovations in Information Technology Conference, Dubai, Nov 2006, DOI: 10.1109/INNOVATIONS. 2006.301907.
Siponen, M., Mahmood, A. & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2): 217–224.
Sommestad, T., Hallberg, J., Lundholm, K. & Bengtsson, J. (2013). Variables influencing information security policy compliance A systematic review of quantitative studies. Information Management &Computer Security, 22 (1): 42-75.
Son, J, (2011). Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information & Management, 48 (7): 296–302.
Spurling, P. (1995). Promoting security awareness and commitment. Information Management & Computer Security, 3(2): 20-26.
Stanton, J.M., Stam, K.R., Mastrangelo, P.M. & Jolton, J.A. (2005). Analysis of end user security behaviors. Computers & Security, 24(2): 124-133.
Tejaswini, H. & Rao, R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2): 154–165.
Tejaswini, H. & Rao, R. (2009). Protection motivation and deterrence: a framework for security policy compliance in organizations. European Journal of Information Systems, 18(2): 106–125.
Vance, A., Siponen, M. & Pahnila, S. (2012). Motivating IS security compliance: Insights from Habit and Protection Motivation Theory. Information & Management, 49(3-4): 190–198.
Whitman, M. E. (2004). In defense of the realm: understanding the threats to information security. International Journal of Information Management, 24(1): 43-57.