Understanding Inconsistent Employee Compliance With Information Security Policies Through the Lens of the Extended Parallel Process Model

Authors

Yan Chen, Florida International University
Dennis F. Galletta, University of Pittsburgh
Paul Benjamin Lowry, Virginia Tech
Xin Luo, The University of New Mexico
Gregory D. Moody, University of Nevada, Las VegasFollow
Robert Willison, Xi'an Jiaotong-Liverpool University

Document Type

Article

Publication Date

5-24-2021

Publication Title

Information Systems Research

Volume

32

Issue

3

First page number:

1043

Last page number:

1065

Abstract

Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees' misunderstanding, carelessness, or deliberate disregard of ISec polices (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping-problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.

Keywords

Extended parallel processing model; Information security; Organizational security; Protection motivation theory

Disciplines

Defense and Security Studies | Information Security

Language

English

Rights

IN COPYRIGHT. For more information about this rights statement, please visit http://rightsstatements.org/vocab/InC/1.0/

Repository Citation

Chen, Y., Galletta, D. F., Lowry, P., Luo, X., Moody, G. D., Willison, R. (2021). Understanding Inconsistent Employee Compliance With Information Security Policies Through the Lens of the Extended Parallel Process Model. Information Systems Research, 32(3), 1043-1065.
http://dx.doi.org/10.1287/ISRE.2021.1014