Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

A key approach in many organizations to address the myriad of information security threats is encouraging employees to better understand and comply with information security policies (ISPs). Despite a significant body of academic research in this area, a commonly held but questionable assumption in these studies is that noncompliance simply represents the opposite of compliance. Hence, explaining compliance is only half of the story, and there is a pressing need to understand the causes of noncompliance, as well. If organizational leaders understood what leads a normally compliant employee to become noncompliant, future security breaches might be avoided or minimized. In this study, we found that compliant and noncompliant behaviors can be better explained by uncovering actions that focus not only on efficacious coping behaviors, but also those that focus on frustrated users who must sometimes cope with emotions, too. Employees working from a basis of emotion-focused coping are unable to address the threat and, feeling overwhelmed, focus only on controlling their emotions, merely making themselves feel better. Based on our findings, organizations can enhance their security by understanding the “tipping point” where employees’ focus likely changes from problem-solving to emotion appeasement, and instead push them into a more constructive direction.Yan Chen is an associate professor at Florida International University. She received her PhD in management information systems from University of Wisconsin–Milwaukee. Her research focuses on information security management, online fraud, privacy, and social media. She has published more than 30 research papers in refereed academic journals and conference proceedings.Dennis F. Galletta is a LEO awardee, fellow, and former president of the Association for Information Systems and professor at University of Pittsburgh since 1985. He has published 108 articles and four books. He is a senior editor at MIS Quarterly and an editorial board member at the Journal of Management Information Systems, and has been on several other boards.Paul Benjamin Lowry is the Suzanne Parker Thornhill Chair Professor in Business Information Technology at the Pamplin College of Business at Virginia Tech. He has published more than 135 journal articles. His research areas include organizational and behavioral security and privacy; online deviance and harassment, and computer ethics; human–computer interaction, social media, and gamification; and decision sciences, innovation, and supply chains.Xin (Robert) Luo is Endowed Regent’s Professor and full professor of MIS at the University of New Mexico. His research has appeared in leading information systems journals, and he serves as an associate editor for the Journal of the Association for Information Systems, Decision Sciences Journal, Information & Management, Electronic Commerce Research, and the Journal of Electronic Commerce Research.Gregory D. Moody is currently Lee Professor of Information Systems at the University of Nevada Las Vegas, and director of the cybersecurity graduate program. His interests include information systems security and privacy, e-business, and human–computer interaction. He is currently a senior editor for the Information Systems Journal and Transactions on Human-Computer Interaction.Robert Willison is a professor of management at Xi’an Jiaotong–Liverpool University. He received his PhD in information systems from the London School of Economics. His research focuses on insider computer abuse, information security policy compliance/noncompliance, software piracy, and cyber-loafing. His research has appeared in refereed academic journals such as MIS Quarterly, Journal of the Association for Information Systems, Information Systems Journal, and others.

Organizational information security (ISec) threats have exploded with advances in globalization and technology. Thus, organizations are scrambling to find both technical and behavioral approaches to shore up security. Whereas security technologies are crucial to these efforts, they are often rendered useless by employees’ misunderstanding, carelessness, or deliberate disregard of ISec polices (ISPs). Accordingly, organizations are increasingly seeking ways to encourage employees to work as security allies. A key approach in many organizations is encouraging employees to better understand and comply with ISPs. Consequently, ISec research has leveraged several theories to identify the underlying reasons for ISP compliance behaviors among employees. However, most of this research focuses unilaterally on compliance without simultaneously considering noncompliance, as if noncompliance were caused by opposite factors. A pressing need thus exists for a theoretical foundation that can consider both common outcomes and whether there is an explainable tipping point that can explain when a normally compliant employee chooses to become noncompliant, and vice versa. In this study, we contextualize the extended parallel process model (EPPM) to ISP compliance by accounting for dual outcomes of compliance/noncompliance and dual roles of coping—problem-focused coping and emotion-focused coping. We further extend the EPPM to include response costs and maladaptive rewards to predict the two possible outcomes. Additionally, we employ a weighted discriminant value measurement approach to examine the tipping point between compliance and noncompliance. To test our resulting theoretical model and new measure, we conducted two separate empirical studies with 816 employees, using survey and scenario methodologies. The empirical results from these studies indicate that our contextualization and extension of EPPM better explain the gaps than alternative theories in the ISP literature.