Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

Article

Chen, Yan; Galletta, Dennis F.; Lowry, Paul Benjamin; Luo, Xin (Robert); Moody, Gregory D.; Willison, Robert

State University System of Florida; Florida International University; Pennsylvania Commonwealth System of Higher Education (PCSHE); University of Pittsburgh; Virginia Polytechnic Institute & State University; University of New Mexico; Nevada System of Higher Education (NSHE); University of Nevada Las Vegas; Xi'an Jiaotong-Liverpool University

INFORMATION SYSTEMS RESEARCH

1047-7047

10.1287/isre.2021.1014

2021

1043-1065

Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees' misunderstanding, carelessness, or deliberate disregard of ISec polices (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping-problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.

访问原文