Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

Yan Chen, Dennis F. Galletta, Paul Benjamin Lowry, Xin (Robert) Luo, Gregory D. Moody and Robert Willison
Additional contact information
Yan Chen: College of Business, Florida International University, Miami, Florida 33199
Dennis F. Galletta: Katz Graduate School of Business, University of Pittsburgh, Pittsburgh, Pennsylvania 15260
Paul Benjamin Lowry: Pamplin College of Business, Virginia Tech, Blacksburg, Virginia 24061
Xin (Robert) Luo: Anderson School of Management, University of New Mexico, Albuquerque, New Mexico 87131
Gregory D. Moody: Lee Business School, University of Nevada, Las Vegas, Nevada 89154
Robert Willison: International Business School Suzhou, Xi’an Jiaotong–Liverpool University, Suzhou, Jiangsu Province 215123, P.R. China

Information Systems Research, 2021, vol. 32, issue 3, 1043-1065

Abstract: Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees’ misunderstanding, carelessness, or deliberate disregard of ISec policies (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping—problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.

Keywords: information security; extended parallel processing model; protection motivation theory; organizational security
Date: 2021
Citations: 6 (in EconPapers)

Downloads: (external link)
http://dx.doi.org/10.1287/isre.2021.1014 (application/pdf)

Persistent link: https://EconPapers.repec.org/RePEc:inm:orisre:v:32:y:2021:i:3:p:1043-1065

Page updated 2025-03-19
Handle: RePEc:inm:orisre:v:32:y:2021:i:3:p:1043-1065