End-user IT Security Policy Compliance: A Confidence-Building Measures Approach

Corporate information systems security managers are continuously investing in the latest technical security tools to make their defenses against internal and external attacks on their information systems effective and efficient. However, these technical tools do not provide complete protection and organizations are experiencing a rise in security breaches. The cause of some security breaches are attributed to the actions of employees within the organization. Based on literature in international relations, this study advances four propositions to explain how end-user compliance with organizational information security policy (ISP) can be achieved using a confidence-building measures approach. The set of four propositions developed involve trust, prior notification of information system security initiative(s), disclosure of observed non-compliant behavior and promotion of compliant behavior. A laboratory experiment has been proposed as a methodology to assess these propositions.