Cognitive-Affective Drivers of Employees’ Daily Compliance with Information Security Policies: A Multilevel, Longitudinal Study
Information Systems Journal (ISJ), vol. 29(1), pp. 43-69, 2019
60 Pages Posted: 23 Oct 2017 Last revised: 9 Jan 2019
Date Written: January 1, 2019
Abstract
We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and non-compliance as well as state-based affective constructs – namely, positive and negative mood states and episodic, security-related work-impediment events and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees’ ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day-to-day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience-sampling methodology design in which employees completed daily surveys over a two-week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory (RCT) and theory of planned behaviour (TPB) and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason-based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.
Keywords: Compliance, Information Security Policies (ISPs), Security, Organisational Security, ISP Compliance, Rational Choice Theory (RCT), Affect, Mood, Mood States, Morality, Multilevel Analysis, Organisational Compliance, Theory of Planned Behaviour (TPB), Organisational Citizenship Behaviours (OCBs)
Suggested Citation: Suggested Citation