Assessing information security behaviour: a self-determination theory perspective

This paper outlines the development of a validated questionnaire for assessing information security behaviour. The purpose of this paper is to present data from the questionnaire validation process and the quantitative study results.

Data obtained through a quantitative survey (N = 263) at a South African university were used to validate the questionnaire.

Exploratory factor analysis produced 11 factors. Cronbach’s alpha for the 11 factors were all above 0.7, suggesting that the questionnaire is valid and reliable. The responses show that autonomy questions received positive perception, followed by competence questions and lastly relatedness questions. The correlation analysis results show that there was a statistically significant relationship between competence factors and autonomy factors. There was a partial significant relationship between autonomy and relatedness factors, and between competence and relatedness factors. The study results suggest that competence and autonomy could be more important than relatedness in fostering information security behaviour among employees.

This study used a convenience sampling, a cross-sectional design, and was carried out in a single organisation. This could pose limitations when generalising the study results. Future studies could use random sampling and consider other universities for further validation.

Universities can use the questionnaire to identify developmental areas to improve information security from a behaviour perspective.

This paper provides a research instrument for assessing information security behaviour from the perspective of the self-determination theory.