Help
Cart
Skip main navigation

Available Issues

April 10, 2013 - April 2, 2026

Available Issues

April 10, 2013 - April 2, 2026

Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

Published Online:24 May 2021https://doi.org/10.1287/isre.2021.1014

References

  • Awad NF, Ragowsky A (2008) Establishing trust in electronic commerce through online word of mouth: An examination across genders. J. Management Inform. Systems 24(4):101–121.CrossrefGoogle Scholar
  • Banas J (2008) A tailored approach to identifying and addressing college students’ online health information literacy. Amer. J. Health Ed. 39(4):228–236.CrossrefGoogle Scholar
  • Belsley DA, Kuh E, Welsch RE (2005) Regression Diagnostics: Identifying Influential Data and Sources of Collinearity (Wiley, Hoboken, NJ).Google Scholar
  • Bennett RJ, Robinson SL (2000) Development of a measure of workplace deviance. J. Appl. Psych. 85(3):349–360.CrossrefGoogle Scholar
  • Bollen K, Lennox R (1991) Conventional wisdom on measurement: A structural equation perspective. Psych. Bull. 110(2):305–314.CrossrefGoogle Scholar
  • Boss SR, Galletta DF, Moody GD, Lowry PB, Polak P (2015) What do users have to fear? Using fear appeals to engender threats and fear that motivate protective behaviors in users. MIS Quart. 39(4):837–864.CrossrefGoogle Scholar
  • Boss SR, Kirsch LJ, Angermeier I, Shingler RA, Boss RW (2009) If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security. Eur. J. Inform. Systems 18(2):151–164.CrossrefGoogle Scholar
  • Bulgurcu B, Cavusoglu H, Benbasat I (2010) Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quart. 34(3):523–548.CrossrefGoogle Scholar
  • Burns A, Roberts T, Posey C, Lowry PB (2019) The adaptive roles of positive and negative emotions in organizational insiders’ engagement in security-based precaution taking. Inform. Systems Res. 30(4):1228–1247.LinkGoogle Scholar
  • Chen Y, Zahedi FM (2016) Individuals’ internet security perceptions and behaviors: Polycontextual contrasts between the United States and China. MIS Quart. 40(1):205–222.CrossrefGoogle Scholar
  • Chew F, Palmer S, Slonska Z, Subbiah K (2002) Enhancing health knowledge, health beliefs, and health behavior in Poland through a health promoting television program series. J. Health Comm. 7(3):179–196.CrossrefGoogle Scholar
  • Cram WA, Proudfoot JG, D’Arcy J (2017) Organizational information security policies: A review and research framework. Eur. J. Inform. Systems 26(6):605–641.CrossrefGoogle Scholar
  • Cyr D (2008) Modeling website design across cultures: Relationships to trust, satisfaction, and e-loyalty. J. Management Inform. Systems 24(4):47–72.CrossrefGoogle Scholar
  • D’Arcy J, Greene G (2014) Security culture and the employment relationship as drivers of employees’ security compliance. Inform. Management Comput. Security 22(5):474–489.CrossrefGoogle Scholar
  • D’Arcy J, Lowry PB (2019) Cognitive-affective drivers of employees’ daily compliance with information security policies: A multilevel, longitudinal study. Inform. Systems J. 29(1):43–69.CrossrefGoogle Scholar
  • D’Arcy J, Herath T, Shoss MK (2014) Understanding employee responses to stressful information security requirements: A coping perspective. J. Management Inform. Systems 31(2):285–318.CrossrefGoogle Scholar
  • D’Arcy J, Hovav A, Galletta DF (2009) User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Inform. Systems Res. 20(1):79–98.LinkGoogle Scholar
  • Davison RM, Martinsons MG (2016) Context is king! Considering particularism in research design and reporting. J. Inform. Tech. 31(3):241–249.CrossrefGoogle Scholar
  • de Hoog N, Stroebe W, de Wit JBF (2007) The impact of vulnerability to and severity of a health risk on processing and acceptance of fear-arousing communications: A meta-analysis. Rev. General Psych. 11(3):258–285.CrossrefGoogle Scholar
  • Floyd DL, Prentice-Dunn S, Rogers RW (2000) A meta-analysis of research on protection motivation theory. J. Appl. Soc. Psych. 30(2):407–429.CrossrefGoogle Scholar
  • Fry RB, Prentice-Dunn S (2005) The effects of coping information and value affirmation on responses to a perceived health threat. Health Comm. 17(2):133–147.CrossrefGoogle Scholar
  • Fry RB, Prentice-Dunn S (2006) Effects of a psychosocial intervention on breast self-examination attitudes and behaviors. Health Ed. Res. 21(2):287–295.CrossrefGoogle Scholar
  • Gefen D, Straub DW, Rigdon EE (2011) An update and extension to SEM guidelines for administrative and social science research. MIS Quart. 35(2):iii–xiv.CrossrefGoogle Scholar
  • Gibney R, Zagenczyk TJ, Masters MF (2009) The negative aspects of social exchange: An introduction to perceived organizational obstruction. Group Organ. Management 34(6):665–697.CrossrefGoogle Scholar
  • Goo J, Yim M-S, Kim DJ (2014) A path to successful management of employee security compliance: An empirical study of information security climate. IEEE Trans. Professional Comm. 57(4):286–308.CrossrefGoogle Scholar
  • Goodhue DL, Lewis W, Thompson R (2012) Does PLS have advantages for small sample size or non-normal data? MIS Quart. 36(3):981–1001.CrossrefGoogle Scholar
  • Gore TD, Bracken CC (2005) Testing the theoretical design of a health risk message: Reexamining the major tenets of the extended parallel process model. Health Ed. Behav. 32(1):27–41.CrossrefGoogle Scholar
  • Grewal R, Cote JA, Baumgartner H (2004) Multicollinearity and measurement error in structural equation models: Implications for theory testing. Marketing Sci. 23(4):519–529.LinkGoogle Scholar
  • Guo KH, Yuan Y, Archer NP, Connelly CE (2011) Understanding nonmalicious security violations in the workplace: A composite behavior model. J. Management Inform. Systems 28(2):203–236.CrossrefGoogle Scholar
  • Gurung A, Luo X, Liao Q (2009) Consumer motivations in taking action against spyware: An empirical investigation. Inform. Management Comput. Security 17(3):276–289.CrossrefGoogle Scholar
  • Hair JF, Ringle CM, Sarstedt M (2011) PLS-SEM: Indeed a silver bullet. J. Marketing Theory Practice 19(2):139–152.CrossrefGoogle Scholar
  • Hair JF Jr, Black WC, Babin BJ, Anderson RE (2006) Multivariate Data Analysis, 7th ed. (Prentice Hall, New York).Google Scholar
  • Han J, Kim YJ, Kim H (2017) An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Comput. Security 66:52–65.CrossrefGoogle Scholar
  • Hayes AF (2009) Beyond Baron and Kenny: Statistical mediation analysis in the new millennium. Comm. Monographs 76(4):408–420.CrossrefGoogle Scholar
  • Hedström K, Karlsson F, Kolkowska E (2013) Social action theory for understanding information security non-compliance in hospitals: The importance of user rationale. Inform. Management Comput. Security 21(4):266–287.CrossrefGoogle Scholar
  • Hedström K, Kolkowska E, Karlsson F, Allen JP (2011) Value conflicts for information security management. J. Strategic Inform. Systems 20(4):373–384.CrossrefGoogle Scholar
  • Henseler J, Chin WW (2010) A comparison of approaches for the analysis of interaction effects between latent variables using partial least squares path modeling. Structural Equation Model. 17(1):82–109.CrossrefGoogle Scholar
  • Herath T, Rao HR (2009) Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur. J. Inform. Systems 18(2):106–125.CrossrefGoogle Scholar
  • Hong W, Chan FK, Thong JY, Chasalow LC, Dhillon G (2013) A framework and guidelines for context-specific theorizing in information systems research. Inform. Systems Res. 25(1):111–136.LinkGoogle Scholar
  • Hooper D, Coughlan J, Mullen MR (2008) Structural equation modelling: Guidelines for determining model fit. Electronic J. Bus. Res. Methods 6(1):53–60.Google Scholar
  • Hu Q, Xu Z, Dinev T, Ling H (2011) Does deterrence work in reducing information security policy abuse by employees? Comm. ACM 54(6):54–60.CrossrefGoogle Scholar
  • Ifinedo P (2012) Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Comput. Security 31(1):83–95.CrossrefGoogle Scholar
  • Jain RP, Simon JC, Poston RS (2011) Mitigating vendor silence in offshore outsourcing: An empirical investigation. J. Management Inform. Systems 27(4):261–298.CrossrefGoogle Scholar
  • Jenkins JL, Grimes M, Proudfoot J, Lowry PB (2014) Improving password cybersecurity through inexpensive and minimally invasive means: Detecting and deterring password reuse through keystroke-dynamics monitoring and just-in-time warnings. Inform. Technology Development 20(2):196–213.CrossrefGoogle Scholar
  • Johnston AC, Warkentin M (2010a) Fear appeals and information security behaviors: An empirical study. MIS Quart. 34(1):549–566.CrossrefGoogle Scholar
  • Johnston AC, Warkentin M (2010b) The influence of perceived source credibility on end user attitudes and intentions to comply with recommended IT actions. J. Organ. End User Comput. 22(3):1–21.CrossrefGoogle Scholar
  • Johnston AC, Warkentin M, Siponen M (2015) An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quart. 39(1):113–134.CrossrefGoogle Scholar
  • Johnston AC, Warkentin M, Dennis AR, Siponen M (2019) Speak their language: Designing effective messages to improve employees’ information security decision making. Decision Sci. 50(2):245–284.CrossrefGoogle Scholar
  • Johnston AC, Warkentin M, McBride M, Carter L (2016) Dispositional and situational factors: influences on information security policy violations. Eur. J. Inform. Systems 25(3):231–251.CrossrefGoogle Scholar
  • Kahoe RD, Dunn RF (1976) The fear of death and religious attitudes and behavior. J. Sci. Study Religion 14(4):379–382.CrossrefGoogle Scholar
  • Karjalainen M, Sarker S, Siponen M (2019) Toward a theory of information systems security behaviors of organizational employees: A dialectical process perspective. Inform. Systems Res. 30(2):687–704.LinkGoogle Scholar
  • Karjalainen M, Siponen M, Puhakainen P, Sarker S (2020) Universal and culture-dependent employee compliance of information systems security procedures. J. Global Inform. Tech. Manag. 23(1):5–24.CrossrefGoogle Scholar
  • Karlsson F, Karlsson M, Åström J (2017) Measuring employees’ compliance–the importance of value pluralism. Inform. Comput. Sec. 25(3):279–299.Google Scholar
  • Kim DJ (2008) Self-perception-based vs. transference-based trust determinants in computer-mediated transactions: A cross-cultural comparison study. J. Management Inform. Systems 24(4):13–45.CrossrefGoogle Scholar
  • Kim JJ, Park EHE, Baskerville RL (2016) A model of emotion and computer abuse. Inform. Management 53(1):91–108.CrossrefGoogle Scholar
  • Kirlappos I, Beautement A, Sasse MA (2013) 'Comply or die' is dead: Long live security-aware principal agents. Adam AA, Brenner M, Smith M, eds. Financial Cryptography and Data Security (Springer, Berlin), 70–82.CrossrefGoogle Scholar
  • Kolkowska E, Dhillon G (2013) Organizational power and information security rule compliance. Comput. Security 33:3–11.CrossrefGoogle Scholar
  • Kolkowska E, Karlsson F, Hedström K (2017) Toward analysing the rationale of information security non-compliance: Devising a value-based compliance analysis method. J. Strategic Inform. Systems 26(1):39–57.CrossrefGoogle Scholar
  • LaTour MS, Rotfeld HJ (1997) There are threats and (maybe) fear-caused arousal: Theory and confusions of appeals to fear and fear arousal itself. J. Advertising 26(3):45–59.CrossrefGoogle Scholar
  • Lazarus R (1993) Coping theory and research: Past, present, and future. Psychosomatic Medicine 55(3):234–247.CrossrefGoogle Scholar
  • Leventhal H (1970) Findings and theory in the study of fear communications. Adv. Experiment. Soc. Psych. 5:119–186.CrossrefGoogle Scholar
  • Li H, Luo RX, Chen Y (2021) Understanding information security policy violation from a situational action perspective. J. Assoc. Inform. Systems. Forthcoming.Google Scholar
  • Li H, Zhang J, Sarathy R (2010) Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems 48(4):635–645.CrossrefGoogle Scholar
  • Li H, Sarathy R, Zhang J, Luo X (2014) Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Inform. Systems J. 24(6):479–502.CrossrefGoogle Scholar
  • Liang H, Xue Y (2010) Understanding security behaviors in personal computer usage: A threat avoidance perspective. J. Assoc. Inform. Systems 11(7):394–413.Google Scholar
  • Liang H, Xue Y, Pinsonneault A, Wu Y (2019) What users do besides problem-focused coping when facing IT security threats: An emotion-focused coping perspective. MIS Quart. 43(2):373–394.CrossrefGoogle Scholar
  • Liao Q, Gurung A, Luo X, Li L (2009) Workplace management and employee misuse: Does punishment matter? J. Comput. Inform. Systems 50(2):49–59.Google Scholar
  • Lowry PB, Moody GD (2015) Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organizational information security policies. Inform. Systems. J. 25(5):433–463.CrossrefGoogle Scholar
  • Lowry PB, Cao J, Everard A (2011) Privacy concerns vs. desire for interpersonal awareness in driving the use of self-disclosure technologies: The case of instant messaging in two cultures. J. Management Inform. Systems 27(4):163–200.CrossrefGoogle Scholar
  • Lowry PB, Dinev T, Willison R (2017) Why security and privacy research lies at the centre of the information systems (IS) artefact: Proposing a bold research agenda. Eur. J. Inform. Systems 26(6):546–563.CrossrefGoogle Scholar
  • Lowry PB, D’Arcy J, Hammer B, Moody GD (2016a) ‘Cargo Cult’ science in traditional organization and information systems survey research: A case for using nontraditional methods of data collection, including Mechanical Turk and online panels. J. Strategic Inform. Systems 25(3):232–240.CrossrefGoogle Scholar
  • Lowry PB, Posey C, Bennett RJ, Roberts TL (2015) Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Inform. Systems J. 25(3):193–230.CrossrefGoogle Scholar
  • Lowry PB, Zhang J, Wang C, Siponen M (2016b) Why do adults engage in cyberbullying on social media? An integration of online disinhibition and deindividuation effects with the social structure and social learning (SSSL) model. Inform. Systems Res. 27(4):962–986.LinkGoogle Scholar
  • MacKinnon DP (2008) Introduction to Statistical Mediation Analysis (Erlbaum, New York).Google Scholar
  • Maddux JE, Rogers RW (1983) Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change. J. Experiment. Soc. Psych. 19(5):469–479.CrossrefGoogle Scholar
  • Marsh HW, Hocevar D (1985) Application of confirmatory factor analysis to the study of self-concept: First- and higher order factors models and their invariance across groups. Psych. Bull. 97(3):562–582.CrossrefGoogle Scholar
  • McIntosh DN, Zajonc RB, Vig PS, Emerick SW (1997) Facial movement, breathing, temperature, and affect: Implications of the vascular theory of emotional efference. Cognition Emotion 11(2):171–195.CrossrefGoogle Scholar
  • Mears DP, Stewart EA (2010) Interracial contact and fear of crime. J. Criminal Justice Popular Culture 38(1):34–41.CrossrefGoogle Scholar
  • Mendes M, McDonald MD (2001) Putting severity of punishment back in the deterrence package. Policy Stud. J. 29(4):588–610.CrossrefGoogle Scholar
  • Milne S, Sheeran P, Orbell S (2000) Prediction and intervention in health-related behavior: A meta-analytic review of protection motivation theory. J. Appl. Soc. Psych. 30(1):106–143.CrossrefGoogle Scholar
  • Osman A, Barrious FX, Osman JR, Schneekloth R, Troutman JA (1994) The pain anxiety symptoms scale: Psychometric properties in a community sample. J. Behav. Medicine 17(5):511–522.CrossrefGoogle Scholar
  • Plutchik R (2001) The nature of emotions. Amer. Sci. 89(4):344–350.CrossrefGoogle Scholar
  • Podsakoff PM, MacKenzie SB, Lee JY, Podsakoff NP (2003) Common method biases in behavioral research: A critical review of the literature and recommended remedies. J. Appl. Psych. 88(5):879–903.CrossrefGoogle Scholar
  • Ponemon (2019) 2019 Ponemon Institute study on the cyber resilient organization. TechRepublic, https://www.techrepublic.com/resource-library/whitepapers/2019-ponemon-institute-study-on-the-cyber-resilient-organization/.Google Scholar
  • Popova L (2012) The extended parallel process model illuminating the gaps in research. Health Ed. Behav. 39(4):455–473.CrossrefGoogle Scholar
  • Posey C, Bennett RJ, Roberts TL (2011a) Understanding the mindset of the abusive insider: An examination of insiders’ causal reasoning following internal security changes. Comput. Security 30(6–7):486–497.CrossrefGoogle Scholar
  • Posey C, Roberts TL, Lowry PB (2011b) Motivating the insider to protect organizational information assets: Evidence from protection motivation theory and rival explanations. Dewald Roode Workshop Inform. Systems Security Res., Blacksburg, VA, September 23–24, 1–51.Google Scholar
  • Posey C, Roberts TL, Lowry PB (2015) The impact of organizational commitment on insiders’ motivation to protect organizational information assets. J. Management Inform. Systems 32(4):179–214.CrossrefGoogle Scholar
  • Posey C, Bennett B, Roberts T, Lowry PB (2011c) When computer monitoring backfires: Invasion of privacy and organizational injustice as precursors to computer abuse. J. Inform. System Security 7(1):24–47.Google Scholar
  • Posey C, Lowry PB, Roberts TL, Ellis S (2010) Proposing the online community self-disclosure model: The case of working professionals in France and the UK who use online communities. Eur. J. Inform. Systems 19(2):181–195.CrossrefGoogle Scholar
  • Posey C, Roberts TL, Lowry PB, Hightower RT (2014) Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Inform. Management 51(5):551–567.CrossrefGoogle Scholar
  • Posey C, Roberts TL, Lowry PB, Bennett RJ, Courtney J (2013) Insiders’ protection of organizational information assets: Development of a systematics-based taxonomy and theory of diversity for protection-motivated behaviors. MIS Quart. 37(4):1189–1210.CrossrefGoogle Scholar
  • Puhakainen P, Siponen M (2010) Improving employees’ compliance through information systems security training: An action research study. MIS Quart. 34(4):757–778.CrossrefGoogle Scholar
  • Rao MT, Brown CV, Perkins WC (2007) Host country resource availability and information system control mechanisms in multinational corporations: An empirical test of resource dependence theory. J. Manage. Inf. Syst. 23(4):11–28.CrossrefGoogle Scholar
  • Rogers RW (1983) Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. Cacioppo JT, Petty RE, eds. Social Psychophysiology: A Sourcebook (Guilford, New York), 153–176.Google Scholar
  • Scherer KR (2005) What are emotions? And how can they be measured? Soc. Sci. Inform. 44(4):695–729.CrossrefGoogle Scholar
  • Schuetz SW, Benjamin Lowry P, Pienta DA, Bennett Thatcher J (2020) The effectiveness of abstract vs. concrete fear appeals in information security. J. Management Inform. Systems 37(3):723–757.CrossrefGoogle Scholar
  • Silic M, Lowry PB (2020) Using design-science based gamification to improve organizational security training and compliance. J. Management Inform. Systems 37(1):129–161.CrossrefGoogle Scholar
  • Siponen M, Vance A (2010) Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quart. 34(3):487–502.CrossrefGoogle Scholar
  • Son J-Y, Park J (2016) Procedural justice to enhance compliance with non-work-related computing (NWRC) rules: Its determinants and interaction with privacy concerns. Internat. J. Inform. Management 36(3):309–321.CrossrefGoogle Scholar
  • Vance A, Elie-Dit-Cosaque C, Straub DW (2008) Examining trust in information technology artifacts: The effects of system quality and culture. J. Management Inform. Systems 24(4):73–100.CrossrefGoogle Scholar
  • Vance A, Lowry PB, Eggett D (2015) Increasing accountability through user-interface design artifacts: A new approach to addressing the problem of access-policy violations. MIS Quart. 39(2):345–366.CrossrefGoogle Scholar
  • Vance A, Siponen M, Pahnila S (2012) Motivating IS security compliance: Insights from habit and protection motivation theory. Inform. Management 49(3-4):190–198.CrossrefGoogle Scholar
  • Wang J, Li Y, Rao HR (2017) Coping responses in phishing detection: An investigation of antecedents and consequences. Inform. Systems. Res. 28(2):378–396.LinkGoogle Scholar
  • Warkentin M, Johnston A, Walden E, Straub D (2016) Neural correlates of protection motivation for secure IT behaviors: An fMRI examination. J. Assoc. Inform. Systems 17(3):194–215.Google Scholar
  • Willison R, Lowry PB, Paternoster R (2018) A tale of two deterrents: Considering the role of absolute and restrictive deterrence in inspiring new directions in behavioral and organizational security. J. Assoc. Inform. Systems. 19(12):1187–1216.Google Scholar
  • Wink P (2006) Who is afraid of death? Religiousness, spirituality, and death anxiety in late adulthood. J. Religion Spirituality Aging 18(2):93–110.CrossrefGoogle Scholar
  • Witte K (1992) Putting the fear back into fear appeals: The extended parallel process model. Comm. Monographs 59(4):329–349.CrossrefGoogle Scholar
  • Witte K (1994) Fear control and danger control: A test of the extended parallel process model (EPPM). Comm. Monographs 61(2):113–134.CrossrefGoogle Scholar
  • Witte K, Allen M (2000) A meta-analysis of fear appeals: Implications for effective public health campaigns. Health Ed. Behav. 27(5):591–615.CrossrefGoogle Scholar
  • Witte K, Cameron A, McKeon JK, Berkowitz JM (1996) Predicting risk behaviors: Development and validation of a diagnostic scale. J. Health Comm. 1(4):317–342.CrossrefGoogle Scholar
  • Xu F, Luo XR, Hsu C (2020) Anger or fear? Effects of discrete emotions on employee’s computer-related deviant behavior. Inform. Management 57(3):103180.CrossrefGoogle Scholar
  • Yazdanmehr A, Wang J (2016) Employees’ information security policy compliance: A norm activation perspective. Decision Support Systems 92:36–46.CrossrefGoogle Scholar
  • Zeidner M, Endler NS (1995) Handbook of Coping: Theory, Research, Applications (Wiley, New York).Google Scholar
  • Zhang D, Lowry PB, Zhou L, Fu X (2007) The impact of individualism-collectivism, social presence, and group diversity on group decision making under majority influence. J. Management Inform. Systems 23(4):53–80.CrossrefGoogle Scholar
Previous
Back to Top
Next
INFORMS site uses cookies to store information on your computer. Some are essential to make our site work; Others help us improve the user experience. By using this site, you consent to the placement of these cookies. Please read our Privacy Statement to learn more.
Agree