Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

Authors: Chen, Yan; Galletta, Dennis F.; Lowry, Paul Benjamin; Luo, Xin (Robert); Moody, Gregory D.; Willison, Robert

Journal: Information Systems Research (2021)

DOI: 10.1287/isre.2021.1014

<jats:p> A key approach in many organizations to address the myriad of information security threats is encouraging employees to better understand and comply with information security policies (ISPs). Despite a significant body of academic research in this area, a commonly held but questionable assumption in these studies is that noncompliance simply represents the opposite of compliance. Hence, explaining compliance is only half of the story, and there is a pressing need to understand the causes of noncompliance, as well. If organizational leaders understood what leads a normally compliant employee to become noncompliant, future security breaches might be avoided or minimized. In this study, we found that compliant and noncompliant behaviors can be better explained by uncovering actions that focus not only on efficacious coping behaviors, but also those that focus on frustrated users who must sometimes cope with emotions, too. Employees working from a basis of emotion-focused coping are unable to address the threat and, feeling overwhelmed, focus only on controlling their emotions, merely making themselves feel better. Based on our findings, organizations can enhance their securit…

View in Otero