
Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

Author

Listed:
  • Yan Chen

    (College of Business, Florida International University, Miami, Florida 33199)

  • Dennis F. Galletta

    (Katz Graduate School of Business, University of Pittsburgh, Pittsburgh, Pennsylvania 15260)

  • Paul Benjamin Lowry

    (Pamplin College of Business, Virginia Tech, Blacksburg, Virginia 24061)

  • Xin (Robert) Luo

    (Anderson School of Management, University of New Mexico, Albuquerque, New Mexico 87131)

  • Gregory D. Moody

    (Lee Business School, University of Nevada, Las Vegas, Nevada 89154)

  • Robert Willison

    (International Business School Suzhou, Xi’an Jiaotong–Liverpool University, Suzhou, Jiangsu Province 215123, P.R. China)

Abstract

Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees’ misunderstanding, carelessness, or deliberate disregard of ISec policies (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping—problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.

Suggested Citation

  • Yan Chen & Dennis F. Galletta & Paul Benjamin Lowry & Xin (Robert) Luo & Gregory D. Moody & Robert Willison, 2021. "Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model," Information Systems Research, INFORMS, vol. 32(3), pages 1043-1065, September.
  • Handle: RePEc:inm:orisre:v:32:y:2021:i:3:p:1043-1065
    DOI: 10.1287/isre.2021.1014

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.2021.1014
    Download Restriction: no



    Citations


    Cited by:

    1. A. F. Salam & Hua Dai & Lei Wang, 2022. "Online Users’ Identity Theft and Coping Strategies, Attribution and Sense of Urgency: A Non-Linear Quadratic Effect Assessment," Information Systems Frontiers, Springer, vol. 24(6), pages 1929-1948, December.
    2. Hou, Tingting & Luo, Xin (Robert) & Ke, Dan & Cheng, Xusen, 2022. "Exploring different appraisals in deviant sharing behaviors: A mixed-methods study," Journal of Business Research, Elsevier, vol. 139(C), pages 496-509.
    3. Romanus Izuchukwu Okeke & Max Hashem Eiza, 2023. "The Application of Role-Based Framework in Preventing Internal Identity Theft Related Crimes: A Qualitative Case Study of UK Retail Companies," Information Systems Frontiers, Springer, vol. 25(2), pages 451-472, April.
    4. Maurizio Cavallari, 2023. "Organizational Determinants and Compliance Behavior to Shape Information Security Plan," Academic Journal of Interdisciplinary Studies, Richtmann Publishing Ltd, vol. 12, November.
    5. Muddassar Sarfraz & Kausar Fiaz Khawaja & Um-e-Farwah, 2024. "Is the internet a double-edged sword for organizations? An empirical study on cyberloafing," Information Technology and Management, Springer, vol. 25(4), pages 319-333, December.
    6. Fatemeh Mariam Zahedi & Yan Chen & Huimin Zhao, 2024. "Ontology-Based Intelligent Interface Personalization for Protection Against Phishing Attacks," Information Systems Research, INFORMS, vol. 35(3), pages 1463-1478, September.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. A. J. Burns & Tom L. Roberts & Clay Posey & Paul Benjamin Lowry & Bryan Fuller, 2023. "Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse," Information Systems Research, INFORMS, vol. 34(1), pages 342-362, March.
    2. Li, Yuanxiang John & Hoffman, Elizabeth, 2023. "Designing an incentive mechanism for information security policy compliance: An experiment," Journal of Economic Behavior & Organization, Elsevier, vol. 212(C), pages 138-159.
    3. Warut Khern-am-nuai & Matthew J. Hashim & Alain Pinsonneault & Weining Yang & Ninghui Li, 2023. "Augmenting Password Strength Meter Design Using the Elaboration Likelihood Model: Evidence from Randomized Experiments," Information Systems Research, INFORMS, vol. 34(1), pages 157-177, March.
    4. Maurizio Cavallari, 2023. "Organizational Determinants and Compliance Behavior to Shape Information Security Plan," Academic Journal of Interdisciplinary Studies, Richtmann Publishing Ltd, vol. 12, November.
    5. Fu, Shixuan & Zheng, Xiaojiang & Wang, Hongpeng & Luo, Yunzhong, 2023. "Fear appeals and coping appeals for health product promotion: Impulsive purchasing or psychological distancing?," Journal of Retailing and Consumer Services, Elsevier, vol. 74(C).
    6. Debabrata Dey & Abhijeet Ghoshal & Atanu Lahiri, 2022. "Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement," Management Science, INFORMS, vol. 68(4), pages 2914-2931, April.
    7. Supunmali Ahangama, 2023. "Relating Social Media Diffusion, Education Level and Cybersecurity Protection Mechanisms to E-Participation Initiatives: Insights from a Cross-Country Analysis," Information Systems Frontiers, Springer, vol. 25(5), pages 1695-1711, October.
    8. Eun Hee Park & Jongwoo Kim & Lynn Wiles, 2023. "The role of collectivism and moderating effect of IT proficiency on intention to disclose protected health information," Information Technology and Management, Springer, vol. 24(2), pages 177-193, June.
    9. Mahabubur Rahman & M. Ángeles Rodríguez-Serrano & Mary Lambkin, 2019. "Brand equity and firm performance: the complementary role of corporate social responsibility," Journal of Brand Management, Palgrave Macmillan, vol. 26(6), pages 691-704, November.
    10. Petra Dickel & Monika Sienknecht & Jacob Hörisch, 2021. "The early bird catches the worm: an empirical analysis of imprinting in social entrepreneurship," Journal of Business Economics, Springer, vol. 91(2), pages 127-150, March.
    11. Sara Moussawi & Marios Koufaris & Raquel Benbunan-Fich, 2021. "How perceptions of intelligence and anthropomorphism affect adoption of personal intelligent agents," Electronic Markets, Springer;IIM University of St. Gallen, vol. 31(2), pages 343-364, June.
    12. Kumju Hwang & Hyemi Um, 2021. "Social Controls and Bonds of Public Information Consumer on Sustainable Utilization and Provision for Computing," Sustainability, MDPI, vol. 13(9), pages 1-20, May.
    13. Lee, Ruby P. & Johnson, Jean L. & Grewal, Rajdeep, 2008. "Understanding the antecedents of collateral learning in new product alliances," International Journal of Research in Marketing, Elsevier, vol. 25(3), pages 192-200.
    14. You-Kyung Lee, 2021. "Impacts of Digital Technostress and Digital Technology Self-Efficacy on Fintech Usage Intention of Chinese Gen Z Consumers," Sustainability, MDPI, vol. 13(9), pages 1-15, April.
    15. Jung Lee & Jae-Nam Lee & Bernard C. Y. Tan, 2015. "Antecedents of cognitive trust and affective distrust and their mediating roles in building customer loyalty," Information Systems Frontiers, Springer, vol. 17(1), pages 159-175, February.
    16. Jae Kyu Lee & Younghoon Chang & Hun Yeong Kwon & Beopyeon Kim, 2020. "Reconciliation of Privacy with Preventive Cybersecurity: The Bright Internet Approach," Information Systems Frontiers, Springer, vol. 22(1), pages 45-57, February.
    17. Gerdes, Madison B, 2023. "Assessing the relationship between gun ownership and fear of mass shootings," Social Science & Medicine, Elsevier, vol. 336(C).
    18. Kee-Young Kwahk & Byoungsoo Kim, 2017. "Effects of social media on consumers’ purchase decisions: evidence from Taobao," Service Business, Springer;Pan-Pacific Business Association, vol. 11(4), pages 803-829, December.
    19. Horstmann, Felix, 2017. "Measuring the shopper's attitude toward the point of sale display: Scale development and validation," Journal of Retailing and Consumer Services, Elsevier, vol. 36(C), pages 112-123.
    20. Trong Tuan Luu, 2019. "CSR and Customer Value Co-creation Behavior: The Moderation Mechanisms of Servant Leadership and Relationship Marketing Orientation," Journal of Business Ethics, Springer, vol. 155(2), pages 379-398, March.
