Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

Bibliographic details
Published in: Information systems research 2021-09, Vol.32 (3), p.1043-1065
Main authors: Chen, Yan; Galletta, Dennis F.; Lowry, Paul Benjamin; Luo, Xin (Robert); Moody, Gregory D.; Willison, Robert
Format: Article
Language: eng
Online access: Full text
Description
Summary: A key approach in many organizations to address the myriad of information security threats is encouraging employees to better understand and comply with information security policies (ISPs). Despite a significant body of academic research in this area, a commonly held but questionable assumption in these studies is that noncompliance simply represents the opposite of compliance. Hence, explaining compliance is only half of the story, and there is a pressing need to understand the causes of noncompliance, as well. If organizational leaders understood what leads a normally compliant employee to become noncompliant, future security breaches might be avoided or minimized. In this study, we found that compliant and noncompliant behaviors can be better explained by uncovering actions that focus not only on efficacious coping behaviors, but also those that focus on frustrated users who must sometimes cope with emotions, too. Employees working from a basis of emotion-focused coping are unable to address the threat and, feeling overwhelmed, focus only on controlling their emotions, merely making themselves feel better. Based on our findings, organizations can enhance their security by understanding the “tipping point” where employees’ focus likely changes from problem-solving to emotion appeasement, and instead push them into a more constructive direction.

Yan Chen is an associate professor at Florida International University. She received her PhD in management information systems from University of Wisconsin–Milwaukee. Her research focuses on information security management, online fraud, privacy, and social media. She has published more than 30 research papers in refereed academic journals and conference proceedings.

Dennis F. Galletta is a LEO awardee, fellow, and former president of the Association for Information Systems and professor at University of Pittsburgh since 1985. He has published 108 articles and four books. He is a senior editor at MIS Quarterly and an editorial board member at the Journal of Management Information Systems, and has been on several other boards.

Paul Benjamin Lowry is the Suzanne Parker Thornhill Chair Professor in Business Information Technology at the Pamplin College of Business at Virginia Tech. He has published more than 135 journal articles. His research areas include organizational and behavioral security and privacy; online deviance and harassment, and computer ethics; human–computer interaction, social media, and gamificati
ISSN: 1047-7047, 1526-5536
DOI: 10.1287/isre.2021.1014