Assessing information security behaviour: a self-determination theory perspective

Abstract

Purpose This paper outlines the development of a validated questionnaire for assessing information security behaviour. The purpose of this paper is to present data from the questionnaire validation process and the quantitative study results. Design/methodology/approach Data obtained through a quantitative survey (N = 263) at a South African university were used to validate the questionnaire. Findings Exploratory factor analysis produced 11 factors. Cronbach’s alpha for the 11 factors were all above 0.7, suggesting that the questionnaire is valid and reliable. The responses show that autonomy questions received positive perception, followed by competence questions and lastly relatedness questions. The correlation analysis results show that there was a statistically significant relationship between competence factors and autonomy factors. There was a partial significant relationship between autonomy and relatedness factors, and between competence and relatedness factors. The study results suggest that competence and autonomy could be more important than relatedness in fostering information security behaviour among employees. Research limitations/implications This study used a convenience sampling, a cross-sectional design, and was carried out in a single organisation. This could pose limitations when generalising the study results. Future studies could use random sampling and consider other universities for further validation. Practical implications Universities can use the questionnaire to identify developmental areas to improve information security from a behaviour perspective. Originality/value This paper provides a research instrument for assessing information security behaviour from the perspective of the self-determination theory.