Though most organizations have policies and guidelines to protect their information systems from unauthorized access, research has shown that employee compliance is often a problem.
“Even if the policies are mandatory, individual perceptions, interpretations, and behavior vary within the process of complying,” says Pamplin College of Business accounting and information systems professor France Belanger.
Belanger and three Pamplin doctoral students completed a new study exploring the attitudes and “resistance behavior” of individuals faced with a required information technology security change. Previous studies, she says, largely focused on voluntary behavior.
Using their own institution as a case study, Belanger and her team — Eric Negangard and Kathy Enget (accounting and information systems) and Stephane Collignon (business information technology) — surveyed undergraduate and graduate students, faculty, staff, and administrators at Virginia Tech. The university required its information systems account holders to change their passwords by July 1, 2011, after evaluating password practices in the wake of recurring security problems. Accounts would not be accessible with old passwords after the deadline.
Managers who develop and implement information security procedures may find some useful lessons about change management in the study, Belanger says. It highlights the role of user awareness of the security change in influencing user attitudes toward the change and shows the relative importance of various organizational measures to publicize the change.
Read more about Belanger’s study in this story, “When users resist” in the fall 2011 Pamplin magazine.