Effort Matters: Explaining How High Required Effort May Derail Users’ Intentions to Adhere to Security Policies

Computer users who are not compliant with security policies pose a serious threat to their organizations. As a result, organizations often implement security controls that users interact with to secure information assets. However, an often-overlooked side effect of these controls is increased required effort for users. In our research, we hypothesize how this increased required effort influences users’ adherence to security policies. In three experiments, we find that increased required effort negatively moderated users’ intentions to follow security policies, resulting in lower overall compliance. In addition, controlling for this moderating effect of required effort on intentions substantially increases the explained variance in security policy compliance. Further, we show that this effect of required effort is separate from the effect of perceived behavioral control—a hypothesized surrogate of effort in previous research. Our research suggests that information security managers should be cognizant of and decrease the impact of security controls on effort, or this effort may derail users’ positive intentions—mitigating the effect of various organizational efforts to improve intentions and thereby improve security policy compliance.

Associate Professor Alexandra Durcikova

Alexandra Durcikova is an Associate Professor at the Price College of Business, University of Oklahoma. Professor Durcikova has written more than 50 research papers in Information Systems Research, MIS Quarterly, JMIS, Information Systems Journal, European Journal of Information Systems, and numerous international conferences. She has won numerous teaching excellence awards. Her research focuses on knowledge management and knowledge management systems, the role of organizational climate in the use of knowledge management systems, knowledge management system characteristics, governance mechanisms in the use of knowledge management systems, and human compliance and noncompliance with security policy and the characteristics of successful phishing attempts within the area of network security and end-user security.

About Academic Seminars

Our academic seminars are a forum for our academic staff to collaborate, share and discuss relevant research and trends with their peers and the broader academic community.

Venue

General Purpose North 3 Building (39A), room 209