Cognitive-Affective Drivers of Employees’ Daily Compliance with Information Security Policies: A Multilevel, Longitudinal Study

Information Systems Journal (ISJ), vol. 29(1), pp. 43-69, 2019

60 Pages Posted: 23 Oct 2017 Last revised: 9 Jan 2019

See all articles by John D'Arcy

John D'Arcy

University of Delaware - Alfred Lerner College of Business and Economics

Paul Benjamin Lowry

Virginia Tech - Pamplin College of Business

Date Written: January 1, 2019

Abstract

We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and non-compliance as well as state-based affective constructs – namely, positive and negative mood states and episodic, security-related work-impediment events and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees’ ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day-to-day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience-sampling methodology design in which employees completed daily surveys over a two-week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory (RCT) and theory of planned behaviour (TPB) and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason-based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

Keywords: Compliance, Information Security Policies (ISPs), Security, Organisational Security, ISP Compliance, Rational Choice Theory (RCT), Affect, Mood, Mood States, Morality, Multilevel Analysis, Organisational Compliance, Theory of Planned Behaviour (TPB), Organisational Citizenship Behaviours (OCBs)

Suggested Citation

D'Arcy, John and Lowry, Paul Benjamin, Cognitive-Affective Drivers of Employees’ Daily Compliance with Information Security Policies: A Multilevel, Longitudinal Study (January 1, 2019). Information Systems Journal (ISJ), vol. 29(1), pp. 43-69, 2019, Available at SSRN: https://ssrn.com/abstract=3057146

John D'Arcy

University of Delaware - Alfred Lerner College of Business and Economics ( email )

419 Purnell Hall
Newark, DE 19716
United States

Paul Benjamin Lowry (Contact Author)

Virginia Tech - Pamplin College of Business ( email )

1016 Pamplin Hall
Blacksburg, VA 24061
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
108
Abstract Views
569
Rank
454,063
PlumX Metrics