Paper 1: AHP-based Security Decision Making: How Intention and Intrinsic Motivation Affect Policy Compliance
Abstract: The analytic hierarchy process (AHP) is a multiple-criteria tool used in decision-making applications. In this paper, AHP is used to guide information security policy decision-making by identifying the factors that influence information security policy compliance and their weights. The criteria are the intrinsic motivators from self-determination theory, namely autonomy, competence and relatedness, together with behavioural intention towards compliance; the analysis also uses four awareness focus areas. A survey of cyber-security decision-makers at a Fortune 600 organisation provided the data. The results suggest that behavioural intention (52% of the weight of influencing factors) is more important than autonomy (21%), competence (21%) or relatedness (6%) in influencing behaviour towards information security policy compliance. Determining the weights of intrinsic motivation, intention and awareness focus areas can help security decision-making and compliance with policy, and support the design of effective security awareness programmes. However, these weights may in turn be affected by local organisational and cultural factors.
Keywords: Analytic Hierarchy Process; behavioural intention; autonomy; competence; relatedness; information security policy compliance