Influencing factors of employees’ information systems security police compliance: An empirical research in China

. It is widely agreed that information systems security police compliance plays a pivotal role in safeguarding organizational information security. This study empirically investigated organizational and individual factors in predicting employees’ ISSP compliance. With a survey data of 525 civil servants in China, results showed that organizational information security training and information security climate were significantly related to employees’ ISSP compliance. Specifically, information security climate had stronger effect on ISSP compliance than information security training. Furthermore, it was found that employees’ perceived severity, perceived vulnerability and response efficacy were positively related to employees’ ISSP compliance. We discussed the key implications of our findings for managers and researchers.


Introduction
The widespread application of computers and internets has benefited to organizational efficiency and high performance. Despite the benefits, organizational information systems are more likely to be threatened by cyberattacks and deserved to develop security initiatives. However, monitoring systems, such as data leak prevention, content monitoring technologies which offer technical solutions to the information security problems are not sufficient in providing total protection. With the human factor becoming the weakest link, information security researchers began to highlight employees' compliance to information system security policy and identified a mass of antecedents predicting information systems security police (ISSP) compliance [1][2] [3].
However, as Dhillon and Backhouse (2001) pointed out, empirical research drawing on the socio-organizational view to developing key motivators for improving employee security compliance was still lacking [4]. Additionally, the present research draws inconsistent conclusion on the relationship between ISSP compliance and its antecedents. For example, in terms of organizational related antecedents, Greene and D'Arcy (2010) found that information security climate was positively related to employees' security compliance [5], while Ifinedo (2018) found that information security climate failed to significantly predict employees'ISSP compliance [6]. In terms of individual related antecedents, Siponen et al. (2014) found that employees' perceived severity of threat was significantly accorelated with ISSP compliance [7]. While Ifinedo (2012) didn't support that perceived severity was a robust predictor of ISSP compliance in his research [8].
This study took Chinese civil servants as example and investigated the organizational and individual antecedents in Eastern culture context. We captured information security climate and information security training as organizational informal factor and formal factor respectively. Meanwhile, drawing on protection motivation theory (PMT), we captured perceived severity, perceived vulnerability and response efficacy as individual threat appraisal and coping appraisal. This study would contribute information security research in following respects: (1) enriched ISSP compliance related research in East culture context. (2) clarified the inconsistent conclusion on the relationship between ISSP compliance and its antecedents under a different culture context.

ISSP compliance behavior
Information system security policies (ISSP) are defined as a set of formalized procedures, guidelines, roles and responsibilities to which employees are required to adhere to safeguard and use properly the information and technology resources of their organizations [9]. A rich stream of research has identified numerous antecedents of employees' ISSP compliance. For example, Moody et al. (2018) proposes a unified model of information security policy compliance to examine the different antecedents [1]. Cram, D'Arcy, & Proudfoot (2019) conducted a metaanalysis to classified 401 independent variables as the antecedents of ISSP compliance behavior [3].

Information security climate and ISSP compliance
Information security climate reflects a collection of norms, beliefs, values, and fundamental assumptions shared by organizational members on how information security matters. Most empirical research showed that information security climate was significantly related to employees' compliance with ISSP [10]. For example, Jaafar and Ajis (2013) found IS climate was a robust determinant of ISSP compliance behavior [11]. However, a handful of scholars draw diverse conclusion organizational security climate did not have a significant impact on ISSP compliance. For example, Ifinedo (2018) found that organizational security climate did not predict significantly compliance behavior [6]. The inconsistent conclusion conducted in Western context is deserved to be verified again in a Eastern culture context.

Information security training and ISSP compliance
Information security training is an educational process by which employees fulfill the necessary conditions for information security at the organization [12]. As such, information security training may provide general knowledge and necessary skills for information security [13]. A mature IS training could provide employee with security experience, beliefs and perception of severity of information security, then improve employees' compliance with organizational rule and policy [14][15]

Perceived severity and ISSP compliance
There are inconsistent conclusions on the relationship between perceived severity and ISSP compliance. Most researchers found that employees with higher perceptions of IS security threats were more inclined to comply with ISSP [6][7] [8]. For example, Siponen et al. (2014) found that perceived severity of IS security threats had significant and positive effects on employees' ISSP compliance [7]. Cram et al. (2019) in their meta-analysis also showed that threat severity category is positive related to ISP compliance (β=0.342) [3]. However, Ifinedo (2012) did not support that perceived severity was a significant predictors of information system security behavioral compliance [8].

Perceived vulnerability and ISSP compliance
Most research showed that perceived vulnerability had significant impact on employees' compliance behavior [8][16] [17]. For example, Siponen et al. (2014) found that perceived vulnerability of information system security threat had significantly positive effect on employees' ISSP compliance [7]. However, a few publications found a negative corelation between perceived vulnerability and security policy compliance [18].

Response efficacy and ISSP compliance
When an individual possesses requisite knowledge and skill to provide protection from a threat or danger, the individual is more likely to adopt an adaptive behavior [17]. Accordingly, it can be infered that individuals who can avert threats and dangers in themselves will be more inclined to develop an intention to adopt it [19]. Han et al. [12] and Siponen et al. [20] proposed that response efficacy is also a common determinant of ISSP compliance. However, some scholars in their empirical research found that response efficacy did not significantly predict users' attitudes towards compliance [7].

Research goal
This study was intended to investigate the influence of organizational and individualfactors on ISSP compliance in Eastern countries. The hypotheses are proposed as following: H1: Information security climate is positively associated with ISSP compliance.
H2: Information security training is positively associated with ISSP compliance.
H3: Perceived severity is positively associated with ISSP compliance.
H4: Perceived vulnerability is positively associated with ISSP compliance.
H5: Response efficacy is positively associated with ISSP compliance.

Data collection
In order to ensure the representativeness of the samples, we adopted stratified sampling method to select civil servants from Beijing, Fujian Province, Hebei Province, Shandong Province province et al. On one hand, we chose a professional platform named "Wenjuanxing" for data collection and made different questionnaire links based on different survey areas. Methods Convenience sampling and snowball sampling were used to select respondents. In the process of collecting the questionnaire, the research team emphasized the academic research purpose and anonymity of this survey. The questionnaires were sent to 42 departments and councils of central government in China. The number of questionnaires sent to each institution was from15 to 20 in consideration of each institution size. The questionnaires were collected from Sep. 2019 to May. 2020. After discarding a few questionnaires with incomplete or unreliable answers, 525 valid questionnaires were obtained. Table 1

Measure
All Items were assessed along a 5-point Likert-type scale with 1 indicating "strongly disagree" and 5 indicating "strongly agree." The measure of perceived severity, perceived vulnerability and response efficacy were adapted from Li et al. [15]and Ifenido [8].The measure of information security climate and information security training werewas respectively adopted from Kessler et al. [21] and D'Arcy et al. [13]. ISSP compliance is adopted from Arcy & Teh (2019)' measure with a four-item scale [22].

Data analysis and results
We selected Partial Least Squares (PLS) using Smart PLS 2.0 for data analysis.
The reliability of the measurements was assessed by the composite reliability (CR) index. As shown in Table 2, the composite reliabilities for all constructs are greater than the 0.7 threshold. Furthermore, the Average variance extracted (AVE) are larger than the threshold of 0.5. In addition, all standardized item loadings were significant (p < 0.001) and at least 0.707.

Data analysis and results
Results of the structural model assessment are presented in Table 4. The model explained 73.2% of the variance of employees' ISSP compliance. All the hypotheses were supported as following: information security climate, information security training, perceived severity, perceived vulnerability, response efficiency had significant effect on ISSP compliance. Specially, in terms of organizational factor, information security climate has a stronger effect on ISSP compliance than information security training. In terms of individual factor, response efficacy has a stronger effect on ISSP compliance than perceived severity and perceived vulnerability. Given the research conclusion, it has practical implications for designing effective ISP. First, we confirmed that information security climate and information security training is important predictors of ISSP compliance. This suggested that in addition to information security policies, organization can simultaneously create informal practice (i.e. organizational security climate) and formal practice (i.e. systematic IS security training) to enhance employees ISSP compliance. Second, following the prior study [16], we confirmed that perceived severity, perceived vulnerability and response efficacy are important strategies for motivating employees to engage in responsible security behaviors. It is vital for managers to recognize that any organization may rest on the extent to which its employees' perceived severity and vulnerability of risk.
There are also some limitations. First, all measures were self-reported. Although common method bias was not a problem for this study, it is still possible that participants might have provided "socially desirable responses". Further research should take cross-sectional survey or design longitudinal study to assess employees' compliant behavior over time at their workplace. Second, this study only focused on response efficacy as the coping appraisal. Further research could capture other variables such as selfefficacy, response cost as the coping appraisal.