IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v32y2021i3p1043-1065.html
   My bibliography  Save this article

Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

Author

Listed:
  • Yan Chen

    (College of Business, Florida International University, Miami, Florida 33199)

  • Dennis F. Galletta

    (Katz Graduate School of Business, University of Pittsburgh, Pittsburgh, Pennsylvania 15260)

  • Paul Benjamin Lowry

    (Pamplin College of Business, Virginia Tech, Blacksburg, Virginia 24061)

  • Xin (Robert) Luo

    (Anderson School of Management, University of New Mexico, Albuquerque, New Mexico 87131)

  • Gregory D. Moody

    (Lee Business School, University of Nevada, Las Vegas, Nevada 89154)

  • Robert Willison

    (International Business School Suzhou, Xi’an Jiaotong–Liverpool University, Suzhou, Jiangsu Province 215123, P.R. China)

Abstract

Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees’ misunderstanding, carelessness, or deliberate disregard of ISec polices (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping—problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.

Suggested Citation

  • Yan Chen & Dennis F. Galletta & Paul Benjamin Lowry & Xin (Robert) Luo & Gregory D. Moody & Robert Willison, 2021. "Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model," Information Systems Research, INFORMS, vol. 32(3), pages 1043-1065, September.
    • Handle: RePEc:inm:orisre:v:32:y:2021:i:3:p:1043-1065
    DOI: 10.1287/isre.2021.1014
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.2021.1014
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.2021.1014?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Jeffrey L. Jenkins & Mark Grimes & Jeffrey Gainer Proudfoot & Paul Benjamin Lowry, 2014. "Improving Password Cybersecurity Through Inexpensive and Minimally Invasive Means: Detecting and Deterring Password Reuse Through Keystroke-Dynamics Monitoring and Just-in-Time Fear Appeals," Information Technology for Development, Taylor & Francis Journals, vol. 20(2), pages 196-213, April.
    2. Paul Benjamin Lowry & Tamara Dinev & Robert Willison, 2017. "Why security and privacy research lies at the centre of the information systems (IS) artefact: proposing a bold research agenda," European Journal of Information Systems, Taylor & Francis Journals, vol. 26(6), pages 546-563, November.
    3. Son, Jai-Yeol & Park, Jongpil, 2016. "Procedural justice to enhance compliance with non-work-related computing (NWRC) rules: Its determinants and interaction with privacy concerns," International Journal of Information Management, Elsevier, vol. 36(3), pages 309-321.
    4. Tejaswini Herath & H Raghav Rao, 2009. "Protection motivation and deterrence: a framework for security policy compliance in organisations," European Journal of Information Systems, Taylor & Francis Journals, vol. 18(2), pages 106-125, April.
    5. W. Alec Cram & Jeffrey G. Proudfoot & John D’Arcy, 2017. "Organizational information security policies: a review and research framework," European Journal of Information Systems, Taylor & Francis Journals, vol. 26(6), pages 605-641, November.
    6. Allen C Johnston & Merrill Warkentin & Maranda McBride & Lemuria Carter, 2016. "Dispositional and situational factors: influences on information security policy violations," European Journal of Information Systems, Taylor & Francis Journals, vol. 25(3), pages 231-251, May.
    7. Mears, Daniel P. & Stewart, Eric A., 2010. "Interracial contact and fear of crime," Journal of Criminal Justice, Elsevier, vol. 38(1), pages 34-41, January.
    8. Clay Posey & Paul Benjamin Lowry & Tom L Roberts & T Selwyn Ellis, 2010. "Proposing the online community self-disclosure model: the case of working professionals in France and the U.K. who use online communities," European Journal of Information Systems, Taylor & Francis Journals, vol. 19(2), pages 181-195, April.
    9. Jingguo Wang & Yuan Li & H. Raghav Rao, 2017. "Coping Responses in Phishing Detection: An Investigation of Antecedents and Consequences," Information Systems Research, INFORMS, vol. 28(2), pages 378-396, June.
    10. Rajdeep Grewal & Joseph A. Cote & Hans Baumgartner, 2004. "Multicollinearity and Measurement Error in Structural Equation Models: Implications for Theory Testing," Marketing Science, INFORMS, vol. 23(4), pages 519-529, June.
    11. Scott R Boss & Laurie J Kirsch & Ingo Angermeier & Raymond A Shingler & R Wayne Boss, 2009. "If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security," European Journal of Information Systems, Taylor & Francis Journals, vol. 18(2), pages 151-164, April.
    12. Anthony Vance & Christophe M. Elie-Dit-Cosaque & Detmar W. Straub, 2008. "Examining Trust in Information Technology Artifacts: The Effects of System Quality and Culture," Post-Print halshs-00641137, HAL.
    13. Mari Karjalainen & Mikko Siponen & Petri Puhakainen & Suprateek Sarker, 2020. "Universal and Culture-dependent Employee Compliance of Information Systems Security Procedures," Journal of Global Information Technology Management, Taylor & Francis Journals, vol. 23(1), pages 5-24, January.
    14. John D'Arcy & Anat Hovav & Dennis Galletta, 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, INFORMS, vol. 20(1), pages 79-98, March.
    15. repec:dau:papers:123456789/2723 is not listed on IDEAS
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Hou, Tingting & Luo, Xin (Robert) & Ke, Dan & Cheng, Xusen, 2022. "Exploring different appraisals in deviant sharing behaviors: A mixed-methods study," Journal of Business Research, Elsevier, vol. 139(C), pages 496-509.
    2. Romanus Izuchukwu Okeke & Max Hashem Eiza, 2023. "The Application of Role-Based Framework in Preventing Internal Identity Theft Related Crimes: A Qualitative Case Study of UK Retail Companies," Information Systems Frontiers, Springer, vol. 25(2), pages 451-472, April.
    3. Maurizio Cavallari, 2023. "Organizational Determinants and Compliance Behavior to Shape Information Security Plan," Academic Journal of Interdisciplinary Studies, Richtmann Publishing Ltd, vol. 12, November.
    4. A. F. Salam & Hua Dai & Lei Wang, 2022. "Online Users’ Identity Theft and Coping Strategies, Attribution and Sense of Urgency: A Non-Linear Quadratic Effect Assessment," Information Systems Frontiers, Springer, vol. 24(6), pages 1929-1948, December.
    5. Muddassar Sarfraz & Kausar Fiaz Khawaja & Um-e-Farwah, 2024. "Is the internet a double-edged sword for organizations? An empirical study on cyberloafing," Information Technology and Management, Springer, vol. 25(4), pages 319-333, December.
    6. Fatemeh Mariam Zahedi & Yan Chen & Huimin Zhao, 2024. "Ontology-Based Intelligent Interface Personalization for Protection Against Phishing Attacks," Information Systems Research, INFORMS, vol. 35(3), pages 1463-1478, September.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. A. J. Burns & Tom L. Roberts & Clay Posey & Paul Benjamin Lowry & Bryan Fuller, 2023. "Going Beyond Deterrence: A Middle-Range Theory of Motives and Controls for Insider Computer Abuse," Information Systems Research, INFORMS, vol. 34(1), pages 342-362, March.
    2. Li, Yuanxiang John & Hoffman, Elizabeth, 2023. "Designing an incentive mechanism for information security policy compliance: An experiment," Journal of Economic Behavior & Organization, Elsevier, vol. 212(C), pages 138-159.
    3. Warut Khern-am-nuai & Matthew J. Hashim & Alain Pinsonneault & Weining Yang & Ninghui Li, 2023. "Augmenting Password Strength Meter Design Using the Elaboration Likelihood Model: Evidence from Randomized Experiments," Information Systems Research, INFORMS, vol. 34(1), pages 157-177, March.
    4. Debabrata Dey & Abhijeet Ghoshal & Atanu Lahiri, 2022. "Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement," Management Science, INFORMS, vol. 68(4), pages 2914-2931, April.
    5. Maurizio Cavallari, 2023. "Organizational Determinants and Compliance Behavior to Shape Information Security Plan," Academic Journal of Interdisciplinary Studies, Richtmann Publishing Ltd, vol. 12, November.
    6. Supunmali Ahangama, 2023. "Relating Social Media Diffusion, Education Level and Cybersecurity Protection Mechanisms to E-Participation Initiatives: Insights from a Cross-Country Analysis," Information Systems Frontiers, Springer, vol. 25(5), pages 1695-1711, October.
    7. Eun Hee Park & Jongwoo Kim & Lynn Wiles, 2023. "The role of collectivism and moderating effect of IT proficiency on intention to disclose protected health information," Information Technology and Management, Springer, vol. 24(2), pages 177-193, June.
    8. Fu, Shixuan & Zheng, Xiaojiang & Wang, Hongpeng & Luo, Yunzhong, 2023. "Fear appeals and coping appeals for health product promotion: Impulsive purchasing or psychological distancing?," Journal of Retailing and Consumer Services, Elsevier, vol. 74(C).
    9. Claudia García-García & Catalina B. García-García & Román Salmerón, 2021. "Confronting collinearity in environmental regression models: evidence from world data," Statistical Methods & Applications, Springer;Società Italiana di Statistica, vol. 30(3), pages 895-926, September.
    10. Sridhar, Shrihari & Naik, Prasad A. & Kelkar, Ajay, 2017. "Metrics unreliability and marketing overspending," International Journal of Research in Marketing, Elsevier, vol. 34(4), pages 761-779.
    11. Hemin Jiang & Mikko Siponen & Zhenhui (Jack) Jiang & Aggeliki Tsohou, 2024. "The Impacts of Internet Monitoring on Employees’ Cyberloafing and Organizational Citizenship Behavior: A Longitudinal Field Quasi-Experiment," Information Systems Research, INFORMS, vol. 35(3), pages 1175-1194, September.
    12. Rajdeep Grewal & Murali Chandrashekaran & F. Robert Dwyer, 2008. "Navigating Local Environments with Global Strategies: A Contingency Model of Multinational Subsidiary Performance," Marketing Science, INFORMS, vol. 27(5), pages 886-902, 09-10.
    13. Femke Hilverda & Margôt Kuttschreuter, 2018. "Online Information Sharing About Risks: The Case of Organic Food," Risk Analysis, John Wiley & Sons, vol. 38(9), pages 1904-1920, September.
    14. Mahabubur Rahman & M. Ángeles Rodríguez-Serrano & Mary Lambkin, 2019. "Brand equity and firm performance: the complementary role of corporate social responsibility," Journal of Brand Management, Palgrave Macmillan, vol. 26(6), pages 691-704, November.
    15. Petra Dickel & Monika Sienknecht & Jacob Hörisch, 2021. "The early bird catches the worm: an empirical analysis of imprinting in social entrepreneurship," Journal of Business Economics, Springer, vol. 91(2), pages 127-150, March.
    16. Ibrahim Mutambik & John Lee & Abdullah Almuqrin & Waleed Halboob & Taha Omar & Ahmad Floos, 2022. "User concerns regarding information sharing on social networking sites: The user’s perspective in the context of national culture," PLOS ONE, Public Library of Science, vol. 17(1), pages 1-27, January.
    17. Sara Moussawi & Marios Koufaris & Raquel Benbunan-Fich, 2021. "How perceptions of intelligence and anthropomorphism affect adoption of personal intelligent agents," Electronic Markets, Springer;IIM University of St. Gallen, vol. 31(2), pages 343-364, June.
    18. Kumju Hwang & Hyemi Um, 2021. "Social Controls and Bonds of Public Information Consumer on Sustainable Utilization and Provision for Computing," Sustainability, MDPI, vol. 13(9), pages 1-20, May.
    19. Fernanda Leão Ramos & Jorge Brantes Ferreira & Angilberto Sabino de Freitas & Juliana Werneck Rodrigues, 2018. "The Effect of Trust in the Intention to Use m-banking," Brazilian Business Review, Fucape Business School, vol. 15(2), pages 175-191, March.
    20. Lee, Ruby P. & Johnson, Jean L. & Grewal, Rajdeep, 2008. "Understanding the antecedents of collateral learning in new product alliances," International Journal of Research in Marketing, Elsevier, vol. 25(3), pages 192-200.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:32:y:2021:i:3:p:1043-1065. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.