Abstract
Purpose
The purpose of this study is to further validate and extend the unified model of information security policy compliance (UMISPC) developed by Moody et al. (2018).
Design/methodology/approach
To be able to compare the results of this study with those reported by Moody et al. (2018) (and followers), the same quantitative data collection method (questionnaire) and variable measurement instruments were used. Specifically, questionnaire data were collected from a department within a Swedish governmental organization comprising 150 employees. Of these, 90 answered the questionnaire, yielding a response rate of 60%. Following Moody et al. (2018), the collected data were analyzed by means of structural equation modeling.
Findings
This study generally provides empirical support for the original UMISPC as a large majority of the findings are in line with those reported by Moody et al. (2018). However, it also suggests important differences and boundary conditions.
Originality/value
This study extends the original study of Moody et al. (2018) and subsequent replication studies by testing it in a new national/organizational context. Based on their call for future research, it also develops and empirically tests the effects of a new, socially visible information system security violation scenario. Related to this, this study also revisits the role of the variable subjective norms for better understanding employee non-/compliance to information security policies by suggesting that their effects may be indirect (i.e. running through other variables in the UMISPC) rather than direct.
Citation
Gerdin, M. (2025), "Validating and extending the unified model of information security policy compliance", Information and Computer Security, Vol. 33 No. 1, pp. 25-48. https://doi.org/10.1108/ICS-12-2023-0263
Publisher
Emerald Publishing Limited
Copyright © 2024, Marcus Gerdin.
License
Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode
Introduction
The ever-increasing number of information security incidents (Torres and Crossler, 2019; Enisa, 2018, 2020, 2023) has led organizations to invest in, and increasingly rely on, protective measures to minimize the risks of security breaches. One protective measure currently at the forefront is organizational information security policies (ISPs). After all, while technical measures are necessary, they are not sufficient and offer little value if employees do not comply with organizational ISPs.
Following this increasing importance of ISP compliance for counteracting information security breaches in today’s organizations, a rapidly growing academic literature has devoted much effort to investigating how and why employees comply, or not, with such ISPs (Cram et al., 2017; 2019; D’Arcy and Lowry, 2019; Mou et al., 2022). Recently, however, scholars have expressed fundamental concerns about the current state of research in this field. The premise is twofold. First, several studies have identified empirical inconsistencies and contradictions in the literature (Cram et al., 2017; Sommestad et al., 2014; Mou et al., 2022). Second, it has been discussed whether the continuous inflow of “new” behavioral theories into this research field (Cram et al., 2017; 2019; Moody et al., 2018; Mou et al., 2022) has not only led to unnecessary theoretical fragmentation, but also to a lack of knowledge exchange between studies based on different theoretical perspectives (Moody et al., 2018; Pahnila et al., 2007; Venkatesh et al., 2012). Overall, therefore, the combination of these two qualities of the literature has made it difficult for both scholars and practitioners to comprehend research findings (i.e. to identify what works and what does not) and to stay updated with the current state of the art (Alraja et al., 2023; Cram et al., 2017; Moody et al., 2018; Torres and Crossler, 2019).
In response to these concerns, the seminal study of Moody et al. (2018, p. 286) sought to unify several behavioral theories into one general framework so as to “progress towards a synthesis of the jungle of alternative theories.” Specifically, they created what is referred to as a unified model of information security policy compliance (UMISPC), where the authors merged the most relevant variables (as measured by their success in predicting expected information security effects) from each theory and combined them into one single model. Their basic argument was that there are a lot of similarities among the competing theories and their respective variables.
Replicating Moody et al.’s (2018) original research design, several studies have offered further empirical support for the UMISPC by testing its applicability in university settings (Koohang et al., 2021) and across different nations (e.g. Alraja et al., 2023; Kajtazi et al., 2021; Masuch et al., 2020). As pointed out by Moody et al. (2018, p. 285), however, future research also needs to “determine the extent to which the UMISPC needs to be revised to account for different types of information system security (ISS) policy violations and the extent to which the UMISPC is generalizable beyond the three types of ISS violations we examined.” That is, future research should not only test the generalizability of the model in yet more organizational and national contexts, but also whether it holds for other types of ISS violation scenarios. After all, Moody et al. (2018, p. 306) unexpectedly found no significant effects of the variable they refer to as “Subjective norms” and argue this can be explained by the nature of the three scenarios. Specifically, they propose that:
[O]ur scenarios, such as sharing passwords or insecure USB practices, may not be visible socially, nor are they widely socially unacceptable in a work environment (Siponen et al., 2010). Social visibility and social unacceptableness may be necessary conditions for social factors or subjective norms to explain ISS policy compliance. Future research should examine to what extent the social nature of the ISS acts are linked to subjective norms and similar social factors.
Hence, it is important not only to conduct yet more replication studies to further substantiate the key findings of the UMISPC (see, e.g. Alraja et al., 2023; Kajtazi et al., 2021; Koohang et al., 2021; Masuch et al., 2020), but also to extend it in at least two important respects. First, it is important to examine the model’s predictive ability in yet other empirical contexts, thereby confirming or contradicting its transferability across different contexts. Second, and based on Moody et al.’s (2018) explicit call for future research cited above, it is important to examine the model’s applicability (boundary conditions) for yet other types of ISS violations. Again, they specifically seek future studies which examine the effects of socially visible ISS violations, not least to better understand the unexpected finding that subjective norms had limited effects on individuals’ intention to comply with ISPs.
On these bases, therefore, the aim of this study is twofold. First, it aims to further validate the UMISPC by testing it in yet another empirical context (a Swedish governmental organization), a context which to the best of our knowledge has not been the subject of previous studies of the UMISPC (see, e.g. Alraja et al., 2023; Kajtazi et al., 2021; Koohang et al., 2021; Masuch et al., 2020). Second, this study aims to extend the UMISPC by developing and empirically testing the effects of a new security scenario where the ISP violation is socially visible, thereby providing a more solid basis for understanding the effects of subjective norms on employees’ intention to comply with ISPs (for more details, see the Research methods section below). Against this backdrop, we ask the following research questions (RQs):
To what extent is the UMISPC applicable to a Swedish governmental organizational context; what are the key similarities/differences (if any) in comparison with the original model and subsequent replication studies?
How (if at all) does the “new,” socially visible security scenario affect the research results more generally, and the effects of subjective norms more specifically?
The remainder of this paper is structured as follows. The next section elaborates theoretically on the variables and relationships of the original UMISPC, as well as on the extensions to this model made in this paper, all of which are summarized in the form of testable hypotheses. The following two sections describe the research method used to collect and analyze the questionnaire data, and present the results thereof. The final section elaborates in detail on the key findings of this study and how they relate to those reported by Moody et al. (2018) and subsequent replication studies. This section also discusses study limitations, theoretical and practical contributions, and fruitful directions for future research.
UMISPC: conceptual model and hypotheses development
As mentioned above, the UMISPC developed by Moody et al. (2018) synthesizes 11 of the most used behavioral theories in the ISP non-/compliance research field into a single unified model [1]. Again, the premise of the model is that there are a lot of theoretical similarities among these theories and, thus, a unified model could be created based on their different, yet complementary explanations of ISS behavior.
As Figure 1 illustrates, the original UMISPC seeks to explain two important outcomes. The first one is intention, which depicts employees’ “inclination to engage in a specific behavior” (Moody et al., 2018, p. 300). More specifically, this outcome variable depicts the extent to which the employees intend to comply, or not comply, with the prescribed ISPs. The second outcome variable is reactance, which denotes the extent to which employees deny “that there is an ISS problem” (Moody et al., 2018, p. 300). The basic premise is that an employee may not behave as prescribed if he/she associates too much negative emotion with a specific behavior, thereby denying the existence of the problem (Lowry and Moody, 2015). Figure 1 also illustrates that these two outcomes can be explained by multiple antecedent variables, of which one (fear) affects both intention and reactance.
Next, we define each of the variables included in the original UMISPC and develop hypotheses for their respective relationships, going from right to left in the figure. The original model is illustrated with solid lines in the figure. After that, we theorize the potential impact of the two extensions to the original model made in this paper. As mentioned above, these extensions imply that a new, socially visible ISS violation scenario is developed and, related to this, a “new” antecedent variable (subjective norms) is added to the original model. The new relationship between subjective norms and intention is illustrated with a dashed line in Figure 1.
With respect to the original UMISPC, we start with defining and theorizing the three variables explaining Intention to comply with ISPs, i.e. habit, role values and fear, respectively.
Habit
As illustrated by Figure 1, habit is presumed to affect employees’ intention to engage in a specific ISS behavior. Moody et al. (2018, p. 300) define habit as: “A regular tendency that does not require conscious thought to be compliant with the ISS policy.” That is, habit implies a repetition of behavior which is largely taken for granted (Limayem and Hirt, 2003; Verplanken and Orbell, 2003). And, according to Limayem and Hirt (2003), an organization can increase the level of “automatic” compliance with ISPs through recurrent training of employees. Overall, therefore, it could be argued that the more habitual behavior employees have, the higher their intention to comply with ISPs (Moody et al., 2018; Verplanken and Orbell, 2003). In line with this expectation, subsequent replication studies have found that habit has a positive effect on intention (Masuch et al., 2020), although several of them find weak (statistically nonsignificant) effects (Alraja et al., 2023; Kajtazi et al., 2021; Koohang et al., 2021) [2]. On these bases, it can thus be proposed that:
Habit will have a positive effect on employees’ intention to comply with ISPs.
Role values
It has also been argued that role values positively affect employees’ intention to engage in a secure behavior (see Figure 1 above). Specifically, this variable highlights the importance of ISPs being in line with, or at least not deviating from, the nature of the work employees perform. Along these lines, Moody et al. (2018, p. 300) define role values as “The required ISS policy compliance act is appropriate, justified, and acceptable, keeping in mind the nature of the work and the task the person is performing.” Hence, we can expect that the higher the alignment between the perceived role values of the employees and the required behavior stipulated by ISPs, the higher the intention to comply with these policies. More formally, it can thus be expected that:
Role values will have a positive effect on the employees’ intention to comply with ISPs.
Fear
As illustrated by Figure 1, employees’ intention to comply with ISPs (as well as reactance) can also be explained by their perceived level of fear, where this latter variable denotes “Negative emotional response to stimuli” (Moody et al., 2018, p. 300, see also Witte, 1992). The theoretical assumption is that the stronger the negative emotional stimulus (i.e. fear) employees experience, the stronger their intention to comply with expected ISS behavior will be (Moody et al., 2018; Johnston and Warkentin, 2010). While empirical findings are somewhat mixed [where, e.g. Moody et al.’s (2018) original study and the subsequent replication study of Kajtazi et al. (2021) found negative effects], several studies have generated results in line with this assumption. For example, the studies of Alraja et al. (2023), Masuch et al. (2020) and Koohang et al. (2021) all found positive effects (although the path coefficient of the last-mentioned study was not statistically significant, p = 0.11). On these bases, it can thus be proposed that:
Fear will have a positive effect on employees’ intention to comply with ISPs.
As illustrated in Figure 1, fear is also theoretically associated with reactance to ISPs in the sense that “fear can also be coped with by denying the existence of the possible problem” (Moody et al., 2018, p. 301). Thus, an employee can cope with perceived fear by simply denying the problem (reactance). However, empirical findings concerning this relation are mixed, even inconsistent. For example, Moody et al. (2018), Masuch et al. (2020) and Alraja et al. (2023) found that fear had positive effects on reactance, while Kajtazi et al. (2021) and Koohang et al. (2021) found negative effects.
Arguably, these empirical inconsistencies can be attributed to how fear is theorized. The premise is that this construct originates from fear appeals in health psychology and has been argued to affect individuals in two different ways (Boss et al., 2015). The first way is through Fear control, and the second way is through Danger control. Fear control is a state where the individual copes with increasing feelings of Fear by denying/avoiding the ISS threat (Boss et al., 2015; de Hoog et al., 2007), thereby suggesting a positive effect on reactance. Danger control, however, copes with the threat by reducing fear through following desired actions, i.e. by complying with ISPs (Boss et al., 2015; de Hoog et al., 2007). Based on this argument, we would thus expect a negative effect of fear on reactance. As de Hoog et al. (2007) argue, however, “[…] theory does not specify which conditions lead to either fear control or danger control, how the two processes interact, or how individuals alternate between the two processes” (cited in Boss et al., 2015, p. 6). Accordingly, fear could potentially have both a positive and a negative effect on reactance (Boss et al., 2015; de Hoog et al., 2007). Therefore, the following competing hypotheses are proposed:
Fear will have a negative effect on employees’ reactance.
Fear will have a positive effect on employees’ reactance.
Neutralization
As found by Moody et al. (2018, p. 300), reactance is also affected by what they refer to as neutralization, where this latter variable refers to “Rationalized thinking that allows one to justify departure from compliance intentions.” Neutralization is thus built upon the idea that people can engage in ISS-deviant behavior by rationalizing reasons for why they should make exceptions (Siponen and Vance, 2010; Sykes and Matza, 1957). In the case of ISS, rationalized excuses will thus result in reactance, i.e. the denial of ISS problems.
According to Vance and Siponen (2012), there are six neutralization techniques. However, Moody et al. (2018) only found empirical support for three of them. The first technique, Condemnation of the condemners, implies that an employee can justify her/his actions by blaming those who are the target of the action (Vance and Siponen, 2012). For instance, if the ISP is viewed as too restrictive or unreasonable, the employee will argue that it is not wrong to deviate from the prescribed ISS behavior. The second technique, Appeal to higher loyalties, implies that an employee can violate a prescribed behavior by referring to higher ranked loyalties. For instance, to get her/his work done, an employee can argue that violating an ISP is acceptable (Siponen and Vance, 2010; Siponen and Iivari, 2006). The third and final neutralization technique is that of Denial of injury, where the employee simply denies that her/his actions are problematic. Or, as put by Siponen and Vance (2010, p. 490), “It is ok to violate information security policies if no harm is done to the company.”
All in all, these three techniques thus suggest that increasing levels of neutralization positively affect the reactance of employees, as they rationalize excuses as to why their behavior should not be seen as an ISS problem. More formally, it can thus be proposed:
Neutralization will have a positive effect on the employees’ reactance.
Threat
As illustrated by Figure 1, fear is affected by the perceived ISS threat, where Moody et al. (2018, p. 300) define the latter variable as “Perceived severity and susceptibility to a perceived potential harm.” This means that threat is divided into the two subcategories “perceived severity” and “perceived susceptibility” (Johnston and Warkentin, 2010; Witte, 1992). Perceived severity refers to the individual’s opinion of the seriousness of the imposed threat. If the employee believes that the threat will have severe consequences, he/she will have an increased negative emotional response (i.e. an increased perception of fear) (Witte, 1992). Perceived susceptibility refers to the employees’ opinions on the risks (likelihood and/or vulnerability) of facing the perceived threat. If the employee believes he/she has a high risk of being affected by the perceived threat, he/she will have an increased negative response (i.e. an increased perception of fear) (Witte, 1992).
Together, perceived severity and susceptibility affect the employees’ perceived fear in the sense that a higher perceived threat will increase the perceived fear (see also Herath and Rao, 2009). Thus, it is proposed that:
Threat will have a positive effect on employees’ perceived fear.
Response efficacy
Response efficacy is defined as “The perceived effectiveness of the behavior in mitigating or avoiding the perceived threat” (Moody et al., 2018, p. 300). As illustrated by Figure 1, the UMISPC finds empirically that the more the employee believes that the required ISS behavior (according to the ISP) is effective in mitigating and/or avoiding security threats, the higher the perceived severity and susceptibility of the threat (see also Herath and Rao, 2009; Ifinedo, 2012). In support of this assumption, several replication studies have found strong positive associations between response efficacy and perceived threat (see, e.g. Alraja et al., 2023; Kajtazi et al., 2021; Koohang et al., 2021; Masuch et al., 2020). More formally, it can thus be proposed that:
Response efficacy will have a positive effect on employees’ perceived threat.
We now turn to the two extensions made in this paper to the original UMISPC developed by Moody et al. (2018), namely, the development of a new, socially visible ISS violation scenario and, related to this, the (re)introduction of a new antecedent variable (subjective norms) into the model. Beginning with the former, the original model was developed through an empirical-data-driven approach based on several data sets gathered through scenario-based surveys (Moody et al., 2018). The scenarios used refer to three commonly occurring ISP violations (for details, see Siponen and Vance, 2010), namely, sharing of passwords (passwords), insecure use of USB drives (USB drive) and not locking computers (workstation logout). As noted by Moody et al. (2018), however, a common denominator of these three scenarios is that they are not socially visible. That is, these policy violations are not directly observable by superiors and peers, suggesting that social pressure to comply with ISPs becomes weaker compared with socially visible violations.
Addressing Moody et al.’s (2018, p. 306) call for future research that examines “the social nature” of ISS behavior, this study develops a new, socially visible security scenario (see the Research methods section for details). Again, the principal reasons for so doing are to test the conceptual boundaries of the UMISPC (see also Olbrich et al., 2017), and to shed further light on the role and impact of the variable Subjective norms on employees’ intentions to comply with ISPs. The premise is that Moody et al.’s (2018) original study could not find a statistically significant relationship between subjective norms and intention. As suggested above, however, there are theoretical reasons to believe that, when a socially visible security scenario is used, subjective norms can be expected to have a significant positive effect. The argument is as follows.
A common way of conceptualizing subjective norms is to view them as “The summative influence perceived by an individual due to social norms, roles within the group, and the individual’s self-concept relevant to the group” (Moody et al., 2018, p. 290). Social norms are expected to influence employees’ behavior in the form of desire and/or pressure to follow social norms deemed important at the workplace (Moody and Siponen, 2013). The basic argument is that when there is a strong social norm that urges employees to act in accordance with the ISP, they will show a higher intention to do so. Similarly, employee roles (not to be mistaken for the variable role values described above) influence their behavior via the idea that the more normal and proper it is to follow prescribed security actions, the higher the intention of doing so. Finally, self-concept refers to “the idea that individuals have their own internal goals and values regarding which behaviors are appropriate” (Moody and Siponen, 2013, p. 325). And, when the individual strongly believes that a particular behavior is important, “he or she will experience strong pressure from known others to engage in behavior that supports this known self-concept” (p. 327).
So, all in all, the higher the social pressure the individual perceives, the higher the Intention to comply with ISPs. By extension, it can thus be argued that when ISS violations are socially visible, the following can be expected:
Subjective norms will have a positive effect on the employees’ Intention to comply with ISPs.
Research methods
Based on the overall aims of this study to further validate and extend the UMISPC by testing it in yet another empirical context and examining the effects of subjective norms in a scenario where ISP violations are socially visible, it was important to make the results comparable. Therefore, it was decided to adhere strictly to research methods used in the original study by Moody et al. (2018). That is, we opted for the same quantitative data collection method (questionnaire), variable measurement instruments, and data analysis method (structural equation modeling [SEM] analysis) as the original study.
Regarding the search for relevant literature, we conducted manual backward and forward searches following the methodology described by Webster and Watson (2002). This process entailed reviewing the reference lists of relevant literature and manually searching by means of Google Scholar to identify articles referencing key sources identified in earlier steps. Specifically, the backward searches enabled us to identify and elaborate on important literature providing the theoretical bases of the original UMISPC (see the hypotheses development section above). After all, and again, the original model was developed through an empirical-data-driven approach, rather than a theory-deductive one. In contrast, the forward searches enabled us to identify more recent literature drawing upon Moody et al.’s (2018) seminal study. In particular, these forward searches enabled us to identify subsequent studies replicating the original study, thereby providing a solid basis of empirical results against which the ones found in this study could be contrasted and discussed. To the best of our knowledge, this search process helped us to identify all published articles which have replicated the UMISPC model since its creation. In total, we found four such studies, namely, those of Alraja et al. (2023), Kajtazi et al. (2021), Koohang et al. (2021) and Masuch et al. (2020). Together with the original study of Moody et al. (2018), these four replication studies formed an important basis for the research method design in this study, as will be detailed next.
Data collection
As mentioned above, this study addresses Moody et al.’s (2018, p. 287) call for the UMISPC to “be tested in different contexts to determine its boundaries and identify situations in which its components fail to explain a phenomenon.” Accordingly, it was decided to test its transferability to a Swedish governmental organization – a context which to the best of our knowledge has not been the subject of study in previous studies of the UMISPC (see, e.g. Alraja et al., 2023; Kajtazi et al., 2021; Koohang et al., 2021; Masuch et al., 2020).
This organization was deemed appropriate for at least three reasons. First, it handled massive amounts of confidential information, implying that ISP compliance was a major concern within the organization. Second, ISS managers in the organization were very interested in the research topic and thought of their organization as having an information-security focused culture. Third, this organization granted direct access to 150 employees within one and the same department which, in turn, reduced the risk of noisy measurements due to large variations in workplace contexts as well as reduced the risk of low response rates as answering the questionnaire was encouraged by the ISS managers.
The questionnaire distributed within the department in question consisted of 45 measurement items; except for the miscellaneous questions, all items were measured on seven-point Likert scales (Strongly disagree – Strongly agree). All questions (except four, more about this in the next section) have been validated in previous studies (Moody et al., 2018; see also Alraja et al., 2023; Kajtazi et al., 2021; Masuch et al., 2020). The survey items were translated from English to Swedish and went through a pilot test with eight respondents (including the two ISS managers) so as to identify any inconsistencies, ambiguity or vagueness in the measurement items (De Veaux et al., 2015). This resulted in five revised questions, and one questionnaire item measuring role values being removed from the final set of survey questions. For more details about the measurement instruments, see Appendix.
The new ISS violation scenario developed specifically for this study was adapted to the organization in question and revolved around the “incorrect wearing of access/identification cards.” The premise is that their ISP stipulated that all employees are required to have their access/identification card visible for others to see. The underpinning argument is that by wearing their cards visibly, it will be easier to identify and, if necessary, remove any unauthorized persons from the premises. Unlike the ISS violation scenarios used in the original study of Moody et al. (2018), as well as in subsequent replication studies (e.g. Alraja et al., 2023; Kajtazi et al., 2021), therefore, this type of violation of the required ISS behavior is directly observable by superiors and peers.
To increase the practical relevance of the new scenario, two ISS managers from the studied organization participated in its development (Siponen and Vance, 2014). Moreover, to make the scenario similar to those used by Moody et al. (2018), we followed their recommendation to include information about “the positional role of the main person in the scenario, the security-related policy, and the extent to which the policy was violated” (p. 303). A more detailed description of this scenario can be found in Appendix.
The questionnaire was distributed to the employees by means of email which included a cover letter describing the aims of study and the expected benefits from the research results. The letter also informed the employees that participation was voluntary and that no results could be traced back to individual respondents. After one reminder, 90 respondents answered the questionnaire. Hence, the response rate was 60% which was deemed acceptable, even good (Moody et al., 2018; Morton et al., 2012).
Data analysis
All data analyses in this study were performed using the statistical software program STATA (version STATA/SE 16).
Convergent validity
Convergent validity is defined as “the extent to which the latent construct explains the variance of its indicators” (Hair et al., 2019, p. 760). In other words, convergent validity implies that all the reflective indicators which make up a construct share a high proportion of variance in common. There are alternative guidelines about what level of item loading is acceptable, but as a rule of thumb factor loadings above 0.6 are commonly considered practically significant in situations where the sample size is around 90 respondents (Hair et al., 2019). Consequently, all measurement items in the data set with a factor loading below 0.6 were removed from the measurement instruments. This resulted in four items being removed. One was removed from the role values construct (Role value 1) and the other three from the subjective norms construct (Subjective norms 5–7) (see final set of items in Table 1 below).
Another measure of convergent validity is Cronbach’s alpha (Tavakol and Dennick, 2011). As can be seen in Table 1, all constructs had an alpha value above 0.7, and all constructs except role values had an alpha level above 0.8. Alpha values above 0.7 are often considered as satisfactory (Bland and Altman, 1997).
Discriminant validity
Hair et al. (2019, p. 677) state that discriminant validity can be assessed by comparing “the average variance extracted values for any two constructs with the square of the correlation estimate between these two constructs.” In other words, to achieve sufficient discriminant validity, the average variances extracted (AVEs) (measuring the variance explained by each construct) should be larger than the squared correlation estimate (measuring the covariation between these constructs, Hair et al., 2019). Data on discriminant validity are presented in Table 2 below.
Structural equation modeling
To test the UMISPC, SEM was used. The SEM analysis was done in two steps. The first step was to create and assess a measurement model. A measurement model “specifies the theoretical correspondence rules between measured and latent variables (constructs)” (Hair et al., 2019, p. 608). As described earlier, items with a loading below 0.6 were removed. After doing so, the model fit indices were as follows: comparative fit index (CFI) = 0.858, root mean square error of approximation (RMSEA) = 0.083 with a 90% confidence interval between 0.073 and 0.093, and standardized root mean square residual (SRMR) = 0.080.
The second step was to create a structural model of the UMISPC. This model contained an index for each construct. Each index was calculated by adding all item scores of a construct and dividing the sum by the number of items. The reason for using indexes instead of latent variables is the sample size: as Hair et al. (2019) state, the more constructs and measurement items, the more complex the model is, and a complex model requires a substantial number of respondents to make sure that the model is stable. As this study has a sample size of 90, it was decided to reduce the complexity of the model by creating indexes for all constructs. Having said that, as a robustness check, a SEM analysis with latent variables was conducted and the results were compared with those of the index model. Overall, the two models produced similar results, which further increases the validity of the results detailed next.
Results
The results section is divided into three subsections. The first section presents factor loadings for each measurement item and Cronbach’s alphas for each construct. The second section presents the descriptive statistics and square root of AVEs. The third and final section outlines the results of the hypotheses tests.
Factor loadings and Cronbach’s alphas
Table 1 shows each measurement item’s factor loading and the Cronbach’s alphas for each construct. Again, after removing four items with a factor loading lower than 0.6, the model consisted of 36 items reflecting nine constructs. Moreover, all constructs had Cronbach’s alphas above the threshold of 0.7 (Bland and Altman, 1997; Tavakol and Dennick, 2011).
Descriptive statistics and square roots of average variances extracted
As can be seen by the skewness and kurtosis statistics in Table 2, no constructs were normally distributed. However, Hair et al. (2019, p. 632) state that a “generally accepted ratio to minimize problems with deviations from normality is 10 respondents for each parameter estimated in the model.” Since the sample size was 90 respondents and the number of variables was nine, this means that this study averaged 10 respondents for each parameter. Therefore, following Hair et al.’s (2019) rule of thumb, the potential negative effect of the data not being normally distributed is less of a concern in the present study.
Table 2 also displays the square root of AVEs along the diagonal in the correlation matrix. As the table shows, all variables have a higher internal correlation than external correlation (comparing the square root AVEs with the bivariate correlations between constructs). Accordingly, discriminant validity of the variables was deemed acceptable (Hair et al., 2019).
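The comparison described above (each construct’s square root of AVE against its correlations with every other construct, the criterion usually attributed to Fornell and Larcker), run over the loadings in Table 1 and the correlations in Table 2, as an added example that is not code from the paper. It recomputes the square-root AVE as the mean squared loading, which is an assumption about how the Table 2 diagonal was obtained, and reports the margin by which each construct passes or fails.

```python
import math

# Confirmatory factor loadings of the retained items, transcribed from
# Table 1 of the paper (item order follows the table).
LOADINGS = {
    "Response efficacy": [0.62, 0.78, 0.68],
    "Threat": [0.87, 0.66, 0.84, 0.81],
    "Habit": [0.81, 0.89, 0.62, 0.67, 0.64, 0.64, 0.62, 0.70],
    "Role values": [0.79, 0.73, 0.61, 0.76, 0.90, 0.70, 0.62],
    "Fear": [0.87, 0.91, 0.77],
    "Neutralization": [0.84, 0.89, 0.75],
    "Intention": [0.94, 0.99],
    "Reactance": [0.84, 0.93],
    "Subjective norms": [0.85, 0.96, 0.82, 0.62],
}
CONSTRUCTS = list(LOADINGS)

# Off-diagonal pairwise correlations from Table 2 (lower triangle, same
# construct order as above; row k holds correlations with constructs 0..k-1).
LOWER_TRIANGLE = [
    [],
    [0.6939],
    [0.4223, 0.3825],
    [0.3698, 0.5201, 0.3565],
    [0.5631, 0.6532, 0.3463, 0.6653],
    [-0.2922, -0.3969, -0.2853, -0.6960, -0.4650],
    [0.3826, 0.5151, 0.4282, 0.8184, 0.6782, -0.5989],
    [-0.5167, -0.6135, -0.2888, -0.6939, -0.6731, 0.4882, -0.6391],
    [0.4410, 0.3260, 0.2792, 0.5712, 0.5424, -0.3918, 0.4781, -0.3973],
]

# Square-root AVE values reported on the Table 2 diagonal (rounded), used
# only to cross-check the recomputation below.
REPORTED_ROOT_AVE = {
    "Response efficacy": 0.6975, "Threat": 0.8003, "Habit": 0.7057,
    "Role values": 0.7347, "Fear": 0.8539, "Neutralization": 0.8259,
    "Intention": 0.9639, "Reactance": 0.8850, "Subjective norms": 0.8225,
}


def average_variance_extracted(loadings):
    """AVE as the mean squared standardized loading. Assumed to be how the
    Table 2 diagonal was computed; the paper does not state the formula."""
    return sum(l * l for l in loadings) / len(loadings)


def root_ave(construct):
    """Square root of the AVE, the quantity on the Table 2 diagonal."""
    return math.sqrt(average_variance_extracted(LOADINGS[construct]))


def max_deviation_from_reported():
    """Largest gap between the recomputed and the reported root AVEs."""
    return max(abs(root_ave(c) - REPORTED_ROOT_AVE[c]) for c in CONSTRUCTS)


def correlation(a, b):
    """Look up r(a, b) from the lower triangle; the matrix is symmetric."""
    i, j = CONSTRUCTS.index(a), CONSTRUCTS.index(b)
    if i == j:
        return 1.0
    hi, lo = max(i, j), min(i, j)
    return LOWER_TRIANGLE[hi][lo]


def discriminant_margins():
    """Per construct: root AVE minus its largest absolute correlation with any
    other construct. A margin at or below zero fails the criterion."""
    margins = {}
    for a in CONSTRUCTS:
        largest = max(abs(correlation(a, b)) for b in CONSTRUCTS if b != a)
        margins[a] = root_ave(a) - largest
    return margins


def discriminant_validity():
    """Apply the criterion to every construct pair. Returns (passed, violations)
    where each violation is (construct, other, |r|, root AVE of construct)."""
    violations = []
    for a in CONSTRUCTS:
        threshold = root_ave(a)
        for b in CONSTRUCTS:
            if a == b:
                continue
            r = abs(correlation(a, b))
            if r >= threshold:
                violations.append((a, b, round(r, 4), round(threshold, 4)))
    return (not violations), violations


if __name__ == "__main__":
    for c, m in discriminant_margins().items():
        print(f"{c:18s} root AVE = {root_ave(c):.3f}  margin = {m:+.3f}")
    passed, bad = discriminant_validity()
    print("all constructs pass:", passed)
    for a, b, r, thr in bad:
        print(f"  {a} vs {b}: |r| = {r} >= root AVE {thr}")
```

On the paper’s own numbers the recomputed diagonal agrees with Table 2 to within about 0.003, and the check reports one pair, Role values against Intention (r = 0.8184 versus a root AVE of about 0.735), together with a very thin positive margin for Response efficacy against Threat.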
Hypotheses testing
Table 3 and Figure 2 show the overall results of the hypotheses testing. As the table and figure demonstrate, all hypotheses but two (H3c and H7) were accepted. In addition, Table 4 shows how results from this study relate to those of Moody et al. (2018) and subsequent replication studies. As will be discussed next, the overall picture is that some results are strong and point in the same direction across studies (e.g. Response efficacy → Threat, Threat → Fear, and Role values → Intention), while others seem inconclusive, even contradictory (e.g. Habit → Intention, Fear → Intention, and Fear → Reactance).
Discussion
Key findings
Overall, our study both validates and extends the UMISPC by demonstrating its transferability to a new empirical context – a Swedish governmental organization – using a new type of security scenario where ISP violations are socially visible. After all, Table 4 suggests that a majority of the survey findings presented above align with Moody et al.’s (2018) original findings (see H2, H3a, H4–H7). Nevertheless, our results also suggest some differences in terms of the opposite directions of two significant relationships (see H1 and H3b) and substantial differences in effect sizes of two relationships (see H4 and H6). These similarities and differences, and implications thereof, will be discussed next.
To begin with, our findings demonstrate that subjective norms [3] had no direct effect on intention and, thus, H7 was rejected – a result which is in line with Moody et al.’s (2018) original study. This is an interesting finding as the basic premise of this study was that the new, socially visible ISS violation scenario should yield a significant positive effect of subjective norms on employees’ intention to comply with ISPs. One interpretation of this result is that the UMISPC correctly presumes that subjective norms, more generally, have limited or no direct effect on employees’ intention to comply. Another interpretation is that, in this particular organizational context, the practice of not wearing one’s access/identification card visibly was more or less “socially accepted” among superiors and peers. As a result, even if this ISS violation indeed was socially visible, subjective norms may nevertheless have limited effects on employees’ intention to comply with ISPs. Conversations with two ISS managers at the organization in question provide some support for this potential explanation of the unexpected result.
Importantly, however, a third possible interpretation of this unexpected result is that there are conceptual overlaps between variables in the model. This applies in particular to subjective norms and habits, and to subjective norms and role values (the latter being strongly correlated with subjective norms, see Table 2 above) [4]. After all, both habits (i.e. the taken-for-granted tendency of employees to comply with ISPs) and role values (i.e. the feeling among employees that ISP compliance is appropriate and justified given the work task performed) may be conceptually similar to a long-established social pressure from superiors and peers to comply with ISPs. This said, however, additional SEM analyses show that the path coefficients between subjective norms and intention to comply remain statistically nonsignificant even after removing habits and/or role values from the model.
A fourth interpretation is, therefore, that the high correlations between subjective norms and other variables in the model (see Table 2 above) are perhaps less a matter of conceptual overlap than of subjective norms being an important predictor of these other variables, suggesting that the effect of this variable on intention to comply is more indirect in character. More to the point, it can be discussed whether this type of social pressure from superiors and peers to comply with ISPs primarily affects other variables in the UMISPC. For example, it can be argued that a high social pressure to follow prescribed ISS behavior increases employees’ beliefs in the effectiveness of this behavior in mitigating or avoiding perceived threats (i.e. response efficacy). In a similar vein, a persistent high social pressure can make employees internalize the rationales of ISP compliance, thereby making such compliance seem like an important part of one’s daily work tasks (role values), or even a taken-for-granted part, thereby making ISP compliance habitual in nature (habit). Finally, there is reason to believe that a persistent social pressure to comply with ISPs makes it less likely that employees will deny the existence of ISS problems (neutralization). And indeed, additional SEM analyses showed strong significant positive direct effects of subjective norms on response efficacy [Std. path coef. (β) = 0.44, p < 0.001], role values (β = 0.57, p < 0.001) and habit (β = 0.28, p < 0.01), thereby suggesting that the effect of subjective norms on intention to comply and reactance runs through these other variables. Our additional SEM analyses also showed a strong significant negative direct effect of subjective norms on neutralization (β = −0.39, p < 0.001), suggesting an indirect effect of subjective norms on reactance running through neutralization.
As it seems, therefore, while subjective norms is indeed a potent variable (at least for the type of socially visible ISS violation scenario used in this study), its expected effects on intention and reactance are indirect, through strongly affecting other variables in the UMISPC.
As mentioned above, another similarity with the original work of Moody et al. (2018) is that this study generally supports their speculation that role values is a generic predictor of ISP compliance (see H2 above). After all, this study demonstrates that role values is significantly associated with intention also in a socially visible scenario, and the effect sizes were similar between the two studies (β = 0.7 compared to 0.77; but see Alraja et al., 2023; Koohang et al., 2021; and Masuch et al., 2020, who found lower effect sizes of 0.58, 0.50 and 0.36, respectively).
In line with Moody et al. (2018), this study also found that neutralization had a significant positive effect on reactance (see H4). Note, however, that in previous research, neutralization has primarily been seen as a predictor of intention (see, e.g. Siponen and Vance, 2010), and it was Moody et al. (2018) who introduced the idea that neutralization primarily affects reactance [5]. And, indeed, additional SEM analyses conducted in this study confirm Moody et al.’s finding of a nonsignificant association between neutralization and intention to comply with ISPs. Note also that even though this study generally supports Moody et al.’s claim that neutralization is a generic explanation of reactance by demonstrating its effect in yet another national/organizational context and using a new ISS scenario, the effect size found in this study is substantially lower (β = 0.23 compared to 0.49; see also Alraja et al., 2023; Kajtazi et al., 2021; Koohang et al., 2021, who also reported lower, but statistically significant, effect sizes).
This study also shows that threat has a statistically significant and positive effect on employees’ perceived fear (see H5). The effect sizes are also quite similar as this study found an effect size of 0.65 and the original study an effect size of 0.59 (see also Alraja et al., 2023; Kajtazi et al., 2021; Koohang et al., 2021, who all reported strong positive effect sizes of 0.49, 0.52 and 0.73, respectively). Therefore, we can again draw the conclusion that the new security scenario seemed to not impact the effect size of this relation in the UMISPC.
This study also provides support for the idea that response efficacy has a positive effect on threat (see H6). An interesting observation regarding this relationship is, however, that the effect sizes differ substantially between this and the original study. More to the point, Moody et al. (2018) found an effect size of 0.33, while this study found an effect size of 0.69. On the one hand, it can be argued that the different ISS violation scenarios used may explain these differences, as the perceived effectiveness of the recommended security behavior may differ between scenario types. On the other hand, however, the replication studies conducted by Alraja et al. (2023) and Kajtazi et al. (2021), which both used Moody et al.’s three original ISS scenarios, also reported fairly high effect sizes (β = 0.51 and 0.45, respectively), thereby suggesting that the observed differences may be due to other contextual factors.
As noted above, even though most of this study’s findings are in line with those of Moody et al. (2018), and with subsequent replication studies, they deviate from the original UMISPC in two important ways. First, as detailed above, fear had three hypotheses due to this variable theoretically having multiple potential effects. As shown in Table 3, H3a and H3b were both accepted due to fear having a statistically significant and positive effect on intention and a significant negative effect on reactance. Consequently, H3c which is based on Moody et al.’s (2018) original findings of there being a positive relation between fear and reactance was not supported by this study, quite the contrary. The same goes for their finding of a negative relation between fear and intention.
Potentially, these diverging results can be caused by differences in measurement instruments between the studies. Again, since a new ISS violation scenario was developed in this study, the survey instrument measuring fear also had to be changed to better fit the new scenario. This said, however, an overview of four replication studies shows that the empirical support for Moody et al.’s original UMISPC when it comes to the effects of fear on intention and reactance, respectively, is very limited. Indeed, Kajtazi et al. (2021) find a statistically significant, yet rather weak negative relationship between fear and intention (β = −0.116). But apart from this, none of these studies provide support for Moody et al.’s findings. On the contrary, and in line with this study, Alraja et al. (2023) and Masuch et al. (2020) found significant positive relations between fear and intention. Hence, these studies suggest that increasing feelings of fear will increase (rather than decrease) employees’ intention to comply with ISPs. Similarly, Alraja et al. (2023), Kajtazi et al. (2021) and Masuch et al. (2020) all found negative relations between fear and reactance, suggesting that the higher the perceived fear among employees, the lower the likelihood that they will deny that there are ISS problems.
Second, in contrast to Moody et al.’s (2018) original finding of a negative relationship between habit and employees’ intention to comply with ISPs, this study hypothesizes and finds a significant positive effect (see H4). In a similar vein, several replication studies (e.g. Alraja et al., 2023; Koohang et al., 2021; Masuch et al., 2020) have been unable to verify Moody et al.’s original finding, and it has been discussed whether this lack of significant results may be due to different national contexts (Finnish and German context, see Masuch et al., 2020) or to the introduction of GDPR (Kajtazi et al., 2021).
However, when looking at the literature on habit, researchers such as Vance et al. (2012) describe habit as a routinized behavior that does not require conscious thought, thereby suggesting that habit per se implies neither a negative nor a positive effect on intention. Rather, more information is required to theorize the effects of habits. For example, if habitual behavior is the result of extensive employee training in handling ISS threats, there is reason to expect a positive effect of habit on employees’ intention to comply with ISPs (cf. Verplanken and Orbell, 2003; Limayem and Hirt, 2003). However, if employees’ habitual behavior is the result of a long-standing and deeply embedded social acceptance of violating ISPs (cf. the subjective norms variable discussed above), then a negative relationship can be expected. Arguably, this lack of information about the underpinning premises of habits can explain the rather weak effect sizes found in studies focused on the UMISPC. After all, the effect size found in Moody et al. (2018) is only −0.14, while this study found an effect size of only 0.14. And again, recent replication studies have generally been unable to find significant path coefficients (Alraja et al., 2023; Kajtazi et al., 2021; Koohang et al., 2021; but see Masuch et al., 2020, who found a strong positive effect, β = 0.455).
Study limitations
Like all studies, this study has several methodological limitations. First, the results are based on a rather small sample of 90 respondents working within one and the same department of a larger Swedish government organization. While this choice of sample enabled a high response rate of 60% (due to strong managerial support for answering the questionnaire) and reduced the risk that variations in workplace contexts would introduce noise in the measurements, small sample sizes can negatively impact the statistical power of the SEM analyses, leading to less reliable estimates of factor loadings and path coefficients (Hair et al., 2019, see also the Research methods section above). Furthermore, generalizations outside this particular empirical domain should be made with caution. After all, there is always a risk that omitted context-specific conditions affect the results. The same applies to the new ISS violation scenario, which was specifically developed to fit the organization in question. Second, since this study relies on survey data collected from key respondents, it may involve measurement problems. Indeed, a number of steps were taken to ensure that the survey measurements used were valid and reliable, including the use of already-established instruments, pretesting of instruments and assessments of construct validity. Despite these measures, however, the well-known problems of single-source bias and noisy measurements cannot be ruled out. Third, and finally, considering the cross-sectional design of this study, evidence of directionality cannot be demonstrated. That is, although the relations in the theoretical model are all substantiated by theory (see the Hypotheses development section above), the directions of the proposed relationships cannot be demonstrated empirically.
Theoretical and practical contributions and directions for the future
Despite these limitations, this study offers substantial theoretical and practical contributions. In terms of the former, this study generally finds that the predictive ability and generality of the UMISPC is further strengthened, since most effects found by Moody et al. (2018) were also found in this study (although effect sizes sometimes differed, as detailed above), despite this study being conducted in yet another national/organizational context (a Swedish governmental organization) and using a socially visible ISS violation scenario. A first key contribution of this study thus is that it provides compelling evidence of the UMISPC being largely “generalizable beyond the three types of ISS violations we examined” (Moody et al., 2018, p. 285). This said, however, this study also shows that the effect sizes of several relationships can differ significantly in comparison with the original model. Again, for example, this study shows more than twice the effect size for the relation between response efficacy and threat, while the opposite pattern is prevalent for the relation between neutralization and reactance. Hence, more research is needed to sort out whether these types of differences are due to differences in organizational/national settings, and/or ISS violation scenarios, or can be explained by other, currently omitted contextual variables.
Second, this study suggests that the variable subjective norms does not have a significant positive effect on employees’ intention to comply with ISPs. This is unexpected, as the hypothesis was that such an effect should emerge when a socially visible ISS violation scenario was used (see H7), as opposed to the three non-socially visible scenarios used by Moody et al. (2018) and followers (Alraja et al., 2023; Kajtazi et al., 2021). As our additional data analyses showed, however, subjective norms is a strong predictor of response efficacy, role values, habit and neutralization. A second key contribution of this study thus is the suggestion that while subjective norms is indeed a potent antecedent variable (at least for the type of socially visible scenario used in this study), its expected effects on intention and reactance are primarily indirect, through strongly affecting other variables in the UMISPC. This said, however, more theoretical and empirical work is needed to establish the extent to which subjective norms affect intention to comply with ISPs directly, indirectly, or not at all.
Third, this study contradicts a few of Moody et al.’s (2018) findings regarding the effects of fear and habit. Again, this study found that fear had a positive effect on intention and a negative effect on reactance. Unlike Moody et al. (2018), this study also finds a positive effect of habit on intention. While this study’s findings in these respects are at least partially supported by several replication studies (e.g. Alraja et al., 2023; Kajtazi et al., 2021; Koohang et al., 2021), it is arguably too early to “call it a day.” Rather, a third theoretical contribution of this study is that it points to potentially important boundary conditions of the original UMISPC – boundary conditions that need further empirical and theoretical elaboration in future research.
Finally, our findings suggest several practical contributions. To begin with, the very strong predictive effect of response efficacy on threat highlights the importance of organizations taking measures that make their employees believe that the expected ISS behavior is indeed effective. In a similar vein, our findings strongly suggest that management needs to ensure that ISS policies are perceived by employees as appropriate and justified in relation to the nature of their work tasks (cf. the strong effects of role values on intention to comply). That is, it is important that ISPs provide a rationale that explains the value of the policy in a way that fosters a sense among employees that they would comply even if it was not required. In fact, our study suggests that managerial efforts that facilitate the internalization of ISPs among employees, e.g. by means of training programs and leading by example, are potentially highly effective, as ISP compliance then becomes largely taken-for-granted and habitual in character (cf. habit). Finally, note, however, that while fear has strong positive and negative effects on intention and reactance, respectively, it is far from certain that a managerial focus on increasing employees’ feelings of fear has the desired effects on ISP compliance. Again, the previous literature has pointed to the dual nature of its effects (as summarized in H3a–c). And the comparison of studies shown in Table 4 above demonstrates that fear has been found to have positive, negative as well as no effects on intention and reactance.
Figures
Table 1. Factor loadings and Cronbach’s alphas

Construct / item | Confirmatory factor loading | Cronbach’s alpha |
---|---|---|
Response efficacy | | 0.73 |
Response efficacy 1 | 0.62 | |
Response efficacy 2 | 0.78 | |
Response efficacy 3 | 0.68 | |
Threat | | 0.87 |
Threat 1 | 0.87 | |
Threat 2 | 0.66 | |
Threat 3 | 0.84 | |
Threat 4 | 0.81 | |
Habit | | 0.87 |
Habit 1 | 0.81 | |
Habit 2 | 0.89 | |
Habit 3 | 0.62 | |
Habit 4 | 0.67 | |
Habit 5 | 0.64 | |
Habit 6 | 0.64 | |
Habit 7 | 0.62 | |
Habit 8 | 0.7 | |
Role value | | 0.87 |
Role value 2 | 0.79 | |
Role value 3 | 0.73 | |
Role value 4 | 0.61 | |
Role value 5 | 0.76 | |
Role value 6 | 0.9 | |
Role value 7 | 0.7 | |
Role value 8 | 0.62 | |
Fear | | 0.88 |
Fear 1 | 0.87 | |
Fear 2 | 0.91 | |
Fear 3 | 0.77 | |
Neutralization | | 0.85 |
Neutralization 1 | 0.84 | |
Neutralization 2 | 0.89 | |
Neutralization 3 | 0.75 | |
Intention | | 0.96 |
Intention 1 | 0.94 | |
Intention 2 | 0.99 | |
Reactance | | 0.87 |
Reactance 1 | 0.84 | |
Reactance 2 | 0.93 | |
Subjective norms | | 0.85 |
Subjective norms 1 | 0.85 | |
Subjective norms 2 | 0.96 | |
Subjective norms 3 | 0.82 | |
Subjective norms 4 | 0.62 | |

Source: Author’s own creation
Table 2. Descriptive statistics and bivariate correlation matrix

 | Response efficacy | Threat | Habit | Role values | Fear | Neutralization | Intention | Reactance | Subjective norms |
---|---|---|---|---|---|---|---|---|---|
Descriptive statistics | | | | | | | | | |
Theoretical range | 1–7 | 1–7 | 1–7 | 1–7 | 1–7 | 1–7 | 1–7 | 1–7 | 1–7 |
Minimum | 1.666667 | 1 | 3.375 | 3.142857 | 1.333333 | 1 | 1 | 1 | 3.75 |
Maximum | 7 | 7 | 7 | 7 | 7 | 6 | 7 | 7 | 7 |
Mean | 4.97037 | 4.113889 | 5.375 | 5.974603 | 5.277778 | 1.959259 | 5.711111 | 2.9 | 6.627778 |
Standard deviation | 1.388956 | 1.575426 | 0.9083724 | 1.034063 | 1.613187 | 1.138178 | 1.657428 | 1.512495 | 0.6727485 |
Skewness | −0.382915 | 0.0735163 | −0.2386608 | −1.043215 | −0.8311849 | 1.346334 | −1.372178 | 0.5499817 | −2.532818 |
Kurtosis | 2.23157 | 2.194575 | 2.319906 | 3.20747 | 2.619436 | 4.34826 | 3.801008 | 2.389917 | 9.454522 |
Pairwise correlations | | | | | | | | | |
Response efficacy | 0.697497634 | | | | | | | | |
Threat | 0.6939* | 0.800262771 | | | | | | | |
Habit | 0.4223* | 0.3825* | 0.705703443 | | | | | | |
Role values | 0.3698* | 0.5201* | 0.3565* | 0.734679657 | | | | | |
Fear | 0.5631* | 0.6532* | 0.3463* | 0.6653* | 0.853862064 | | | | |
Neutralization | −0.2922* | −0.3969* | −0.2853* | −0.6960* | −0.4650* | 0.825879513 | | | |
Intention | 0.3826* | 0.5151* | 0.4282* | 0.8184* | 0.6782* | −0.5989* | 0.963944647 | | |
Reactance | −0.5167* | −0.6135* | −0.2888* | −0.6939* | −0.6731* | 0.4882* | −0.6391* | 0.885015377 | |
Subjective norms | 0.4410* | 0.3260* | 0.2792* | 0.5712* | 0.5424* | −0.3918* | 0.4781* | −0.3973* | 0.822468883 |

Diagonal entries (set in italics in the original) are the square roots of the AVEs for each construct. * Significant at p < 0.05
Source: Author’s own creation
Table 3. Standardized path coefficients of hypothesized relationships

Description of paths and expected signs | Std. path coef. | p-value | Accept/reject |
---|---|---|---|
H1: Habit → Intention (+) | 0.1434053 | 0.027 | Accepted |
H2: Role Value → Intention (+) | 0.7041974 | 0.000 | Accepted |
H3a: Fear → Intention (+) | 0.2491927 | 0.006 | Accepted |
H3b: Fear → Reactance (−) | −0.5943109 | 0.000 | Accepted |
H3c: Fear → Reactance (+) | −0.5943109 | 0.000 | Rejected |
H4: Neutralization → Reactance (+) | 0.2334671 | 0.010 | Accepted |
H5: Threat → Fear (+) | 0.6531514 | 0.000 | Accepted |
H6: Response Efficacy → Threat (+) | 0.6939013 | 0.000 | Accepted |
H7: Subjective Norms → Intention (+) | −0.0590027 | 0.444 | Rejected |
Significance level was p < 0.05. Model fit indices: comparative fit index (CFI) = 0.813; root mean square error of approximation (RMSEA) = 0.203 with a 90% confidence interval between 0.16 and 0.249; and standardized root mean square residual (SRMR) = 0.170
Source: Author’s own creation
Table 4. Comparison of path coefficients and R²

 | This study | Moody et al. (2018) | Masuch et al. (2020) | Koohang et al. (2021) | Kajtazi et al. (2021) | Alraja et al. (2023) |
---|---|---|---|---|---|---|
Comparison of path coefficients | | | | | | |
Response efficacy → threat | 0.693*** | 0.333*** | 0.325*** | 0.532*** | 0.454*** | 0.511*** |
Threat → fear | 0.653*** | 0.591*** | 0.489*** | 0.730*** | 0.520*** | 0.486*** |
Habit → intention | 0.143* | −0.144*** | 0.455*** | 0.084 | 0.0033 | 0.049 |
Role values → intention | 0.704*** | 0.773*** | 0.360*** | 0.505*** | 0.642*** | 0.582*** |
Fear → intention | 0.249*** | −0.289*** | 0.098*** | 0.107* | −0.136* | 0.131** |
Fear → reactance | −0.594*** | 0.250*** | 0.039 | −0.367*** | −0.116* | 0.266*** |
Neutralization → reactance | 0.233** | 0.493*** | 0.061*** | 0.298*** | 0.376*** | 0.267*** |
Comparison of R² | | | | | | |
Threat | 0.48 | 0.111 | 0.106 | 0.28 | 0.206 | 0.261 |
Fear | 0.42 | 0.350 | 0.239 | 0.53 | 0.271 | 0.236 |
Intention | 0.71 | 0.677 | 0.495 | 0.39 | 0.500 | 0.418 |
Reactance | 0.48 | 0.295 | 0.371 | 0.29 | 0.199 | 0.184 |

* = sig. < 0.05; ** = sig. < 0.01; *** = sig. < 0.001; ns. = nonsignificant
Source: Author’s own creation
Notes
[1] The theories in question are: the theory of reasoned action, neutralization theory, the health belief model, theory of planned behavior, theory of interpersonal behavior, protection motivation theory, the extended protection motivation theory, deterrence theory and rational choice theory, theory of self-regulation, extended parallel processing model and control balance theory.
[2] Note, however, that the original study of Moody et al. (2018) found a weak negative effect.
[3] In line with Moody et al. (2018), this study used two sets of questionnaire items for measuring this variable, where the latter set (Items 5–7) had to be removed due to poor item loadings (see Appendix for details). As insightfully noted by one of the anonymous reviewers, however, while both sets are derived from the theory of planned behavior (see Ajzen, 1991), it is far from certain that they should be strongly correlated. Rather, Ajzen (1991) argued that the degree to which important referents would (dis)approve of respondents’ engagement in a given activity (cf. Items 1–4) should be multiplied by their motivation to comply with the referents in question (cf. Items 5–7). That is, subjective norms are “directly proportional to the sum of the resulting products across the n salient referents” (p. 195). This said, however, Ajzen (1991, p. 196) himself presented empirical evidence suggesting that the inclusion of the second set of questionnaire items “did not add predictive power; in fact it tended to suppress the correlations [with global measures of Subjective norms].” Hence, the approach taken in this study – i.e. to only rely on the first set of questionnaire items to measure subjective norms (Items 1–4) – seems empirically valid when considering seminal work on the theory of planned behavior.
[4] We are grateful to one of the anonymous reviewers for pointing out the potential problem of conceptual overlaps and the fact that there are strong positive and negative bivariate correlation coefficients between, on the one hand, subjective norms and, on the other hand, intention. Hence, it may be premature to conclude that subjective norms have no direct effects on intention.
[5] This said, however, these empirical findings are also anchored within the literature on neutralization. For instance, Siponen and Vance (2010) argue that neutralization is a coping mechanism which employees adopt to minimize/deny the problem. As reactance implies denying the possibility of an ISS-related problem (Lowry and Moody, 2015), neutralization techniques could predict reactance.
Appendix. Measurement instruments
This section presents all the survey questions. All questions except the miscellaneous ones were measured on seven-point Likert scales (Strongly disagree – Strongly agree).
ISS Violation Scenario – Access card.
Svensson is a mid-level manager in a medium-sized organization which deals with confidential information. With respect to this, the organization has a firm policy that all employees must carry their access card visibly at all times to make it easy to verify that they are employed there. This is to counteract unauthorized persons accessing the premises. Nevertheless, Svensson decides not to carry the access card visibly and keeps it in her/his pocket. Svensson reasons that many employees do not wear their access cards visibly anyway and that many know who he/she is.
Miscellaneous questions:
What is your current age?
What is your gender?
How many years of work experience do you have?
How realistic do you think the above scenario is?
Intention (Adapted from Piquero and Piquero, 2006):
What is the chance that you would do what Svensson did in the described scenario?
I would act in the same way as Svensson did if I were in the same situation.
Threat (Adapted from Milne, Sheeran and Orbell, 2000; Woon, Tan and Low, 2005):
Perceived severity:
If I were to do what Svensson did, there would be a serious information security problem for my organization.
Perceived vulnerability:
I would be subjected to an information security threat if I were to do what Svensson did.
My organization would be subjected to an information security threat if I were to do what Svensson did.
An information security problem would occur if I were to do what Svensson did.
Response efficacy (Adapted from Milne et al., 2000; Woon et al., 2005):
If I were to comply with information security procedures, IS security breaches would be scarce.
If I were to do the opposite to what Svensson did, it would keep IS security breaches down.
If I were to do the opposite to what Svensson did, IS security breaches would be minimal.
Habit (Adapted from Verplanken and Orbell, 2003):
Complying with information security procedures is something I do frequently.
Complying with information security procedures is something I do automatically.
Complying with information security procedures is something I do without having to consciously remember.
Complying with information security procedures is something I do without thinking.
Complying with information security procedures is something that belongs to my (daily, weekly, monthly) routine.
Complying with information security procedures is something I start doing before I realize I am doing it.
Complying with information security procedures is something that is typically “me.”
Complying with information security procedures is something I have been doing for a long time.
Role values:
Perceived behavioral control (Adapted from Ajzen, 2002):
If you were Svensson, how much would you feel able to not do as he did? (Removed due to low factor loading)
Affect (Adapted from Limayem and Hirt, 2003):
What Svensson did is smart.
What Svensson did is pleasant.
Roles (Adapted from Bamberg and Schmidt, 2003):
What Svensson did fits with his/her work style. (Removed after pilot test)
What Svensson did can be justified due to the nature of Svensson’s work.
Self-concept (Adapted from Gagnon et al., 2003):
I would feel guilty if I did what Svensson did.
What Svensson did is consistent with my principles.
It is acceptable to do what Svensson did.
Moral (Adapted from Vance and Siponen, 2012):
How morally wrong would it be to do what the person did in the scenario?
Neutralization (Adapted from Vance and Siponen, 2012):
Condemnation of the condemners:
It is not as wrong to violate company information security procedures that are too restrictive.
Denial of injury:
It is OK to violate company information security procedures if no one gets hurt.
Appeal to higher loyalties:
It is alright to violate company information security procedures to get a job done.
Reactance (Adapted from Witte et al., 1996):
Feel that problems resulting from acting like Svensson did are overly exaggerated.
Think that problems resulting from acting like Svensson did are overstated.
Fear (Questions tailored specifically for this study based on Moody et al., 2018):
If I act as Svensson, there is a risk that unauthorized persons can move freely in the building.
If I act as Svensson, there is a risk that unauthorized persons can get access to classified information.
If I act as Svensson, there is a risk that unauthorized persons can get access to my personal possessions.
Subjective norms/Social factors (Adapted from Johnston and Warkentin, 2010; Bergeron, Raymond, Rivard and Gara, 1995):
I believe that top management in my organization thinks I should do what Svensson did.
I believe that my immediate supervisor in my organization thinks I should do what Svensson did.
I believe that coworkers in my organization think I should do what Svensson did.
I believe that the security staff in my organization thinks I should do what Svensson did.
With respect to complying with information security procedures, I have to do as the top management of my organization thinks. (Removed due to low factor loading)
With respect to complying with information security procedures, I have to do as my colleagues think. (Removed due to low factor loading)
With respect to complying with information security procedures, I have to do as my superiors think. (Removed due to low factor loading)
Source: Author’s own creation
References
Ajzen, I. (2002), “Residual effects of past on later behavior: habituation and reasoned action perspectives”, Personality and Social Psychology Review, Vol. 6 No. 2, pp. 107-122.
Alraja, M.N., Butt, U.J. and Abbod, M. (2023), “Information security policies compliance in a global setting: an employee's perspective”, Computers and Security, Vol. 129, p. 103208.
Bamberg, S. and Schmidt, P. (2003), “Incentives, morality, or habit? Predicting students’ car use for university routes with the models of Ajzen, Schwartz, and Triandis”, Environment and Behavior, Vol. 35 No. 2, pp. 264-285.
Bergeron, F., Raymond, L., Rivard, S. and Gara, M.F. (1995), “Determinants of EIS use: testing a behavioral model”, Decision Support Systems, Vol. 14 No. 2, pp. 131-146.
Bland, J.M. and Altman, D.G. (1997), “Statistics notes: Cronbach’s alpha”, BMJ, Vol. 314 No. 7080, p. 572.
Boss, S., Galletta, D., Lowry, P.B., Moody, G.D. and Polak, P. (2015), “What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors”, MIS Quarterly, Vol. 39 No. 4, pp. 837-864.
Cram, W.A., Proudfoot, J.G. and D’Arcy, J. (2017), “Organizational information security policies: a review and research framework”, European Journal of Information Systems, Vol. 26 No. 6, pp. 605-641.
De Hoog, N., Stroebe, W. and De Wit, J.B. (2007), “The impact of vulnerability to and severity of a health risk on processing and acceptance of fear-arousing communications: a meta-analysis”, Review of General Psychology, Vol. 11 No. 3, pp. 258-285.
De Veaux, R., Velleman, P. and Bock, D. (2015), Stats: Data and Models, Pearson Education. ISBN10:1292101636.
Enisa (2018), “ENISA threat landscape report 2018”, 15 Top Cyberthreats and Trends, European Union Agency for Network and Information Security, retrieved January 2020, available at: www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018
Enisa (2020), “Data breach: ENISA threat landscape”, downloaded 2 October 2023.
Enisa (2023), “Identifying emerging cyber security threats and challenges for 2030”, available at: www.enisa.europa.eu/publications/enisa-foresight-cybersecurity-threats-for-2030 (downloaded 13 September 2023).
Gagnon, M.P., Godin, G., Gagné, C., Fortin, J.P., Lamothe, L., Reinharz, D. and Cloutier, A. (2003), “An adaptation of the theory of interpersonal behaviour to the study of telemedicine adoption by physicians”, International Journal of Medical Informatics, Vol. 71 Nos 2/3, pp. 103-115.
Hair, J.F., Black, W.C., Babin, B.J. and Anderson, R.E. (2019), Multivariate Data Analysis, 8th ed., Pearson Education, Canada. ISBN: 978-1-4737-5654-0.
Herath, T. and Rao, H.R. (2009), “Protection motivation and deterrence: a framework for security policy compliance in organisations”, European Journal of Information Systems, Vol. 18 No. 2, pp. 106-125.
Ifinedo, P. (2012), “Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory”, Computers and Security, Vol. 31 No. 1, pp. 83-95.
Johnston, A.C. and Warkentin, M. (2010), “Fear appeals and information security behaviors: an empirical study”, MIS Quarterly, Vol. 34 No. 3, pp. 549-566.
Kajtazi, M., Holmberg, N., Sarker, S., Keller, C., Johansson, B. and Tona, O. (2021), “Toward a unified model of information security policy compliance: a conceptual replication study”, AIS Transactions on Replication Research, Vol. 7 No. 1, p. 2.
Koohang, A., Nord, J.H., Sandoval, Z.V. and Paliszkiewicz, J. (2021), “Reliability, validity, and strength of a unified model for information security policy compliance”, Journal of Computer Information Systems, Vol. 61 No. 2, pp. 99-107.
Limayem, M. and Hirt, S.G. (2003), “Force of habit and information systems usage: theory and initial validation”, Journal of the Association for Information Systems, Vol. 4 No. 1, p. 3.
Lowry, P.B. and Moody, G.D. (2015), “Proposing the control-reactance compliance model (CRMC) to explain opposing motivations to comply with organizational information security policies”, Information Systems Journal, Vol. 25 No. 5, pp. 433-463.
Masuch, K., Hengstler, S., Trang, S. and Brendel, A.B. (2020), “Replication research of Moody, Siponen, and Pahnila’s unified model of information security policy compliance”, AIS Transactions on Replication Research, Vol. 6 No. 1, p. 13.
Milne, S., Sheeran, P. and Orbell, S. (2000), “Prediction and intervention in health‐related behavior: a meta‐analytic review of protection motivation theory”, Journal of Applied Social Psychology, Vol. 30 No. 1, pp. 106-143.
Moody, G.D. and Siponen, M. (2013), “Using the theory of interpersonal behavior to explain non-work-related personal use of the internet at work”, Information and Management, Vol. 50 No. 6, pp. 322-335.
Moody, G.D., Siponen, M. and Pahnila, S. (2018), “Toward a unified model of information security compliance”, MIS Quarterly, Vol. 42 No. 1, pp. 285-311, doi: 10.25300/MISQ/2018/13853.
Morton, S.M., Bandara, D.K., Robinson, E.M. and Carr, P.E.A. (2012), “In the 21st century, what is an acceptable response rate?”, Australian and New Zealand Journal of Public Health, Vol. 36 No. 2, pp. 106-108.
Mou, J., Cohen, J.F., Gregor, S., Bhattacherjee, A. and Kim, J. (2022), “A test of protection motivation theory in the information security literature: a meta-analytic structural equation modeling approach”, AIS Journal of the Association for Information Systems, Vol. 23 No. 1, pp. 196-236.
Olbrich, S., Frank, U., Gregor, S., Niederman, F. and Rowe, F. (2017), “On the merits and limits of replication and negotiation for IS research”, AIS Transactions on Replication Research, Vol. 3 No. 1, pp. 1-19.
Pahnila, S., Siponen, M. and Mahmood, A. (2007), “Employees' behavior towards IS security policy compliance”, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07), p. 156b, IEEE.
Piquero, N.L. and Piquero, A.R. (2006), “Control balance and exploitative corporate crime”, Criminology, Vol. 44 No. 2, pp. 397-430.
Siponen, M.T. and Iivari, J. (2006), “IS security design theory framework and six approaches to the application of ISPs and guidelines”, Journal of the Association for Information Systems, Vol. 7 No. 7, pp. 445-472.
Siponen, M. and Vance, A. (2010), “Neutralization: new insights into the problem of employee information systems security policy violations”, MIS Quarterly, Vol. 34 No. 3, pp. 487-502.
Siponen, M., Pahnila, S. and Mahmood, A.M. (2010), “Compliance with information security policies: an empirical investigation”, Computer, Vol. 43 No. 2, pp. 64-71.
Sommestad, T., Hallberg, J., Lundholm, K. and Bengtsson, J. (2014), “Variables influencing information security policy compliance: a systematic review of quantitative studies”, Information Management and Computer Security, Vol. 22 No. 1. doi: 10.1108/IMCS-08-2012-0045.
Sykes, G.M. and Matza, D. (1957), “Techniques of neutralization: a theory of delinquency”, American Sociological Review, Vol. 22 No. 6, pp. 664-670.
Tavakol, M. and Dennick, R. (2011), “Making sense of Cronbach's alpha”, International Journal of Medical Education, Vol. 2, p. 53.
Torres, C.I. and Crossler, R.E. (2019), “Information security compliance: a complete value view”, Association For Information Systems. Twenty-fifth Americas Conference on Information Systems, Cancun.
Vance, A. and Siponen, M.T. (2012), “IS security policy violations: a rational choice perspective”, Journal of Organizational and End User Computing, Vol. 24 No. 1, pp. 21-41.
Vance, A., Siponen, M. and Pahnila, S. (2012), “Motivating IS security compliance: insights from habit and protection motivation theory”, Information and Management, Vol. 49 Nos 3/4, pp. 190-198.
Venkatesh, V., Thong, J.Y.L. and Xin, X. (2012), “Consumer acceptance and use of information technology: extending the unified theory of acceptance and use of technology”, MIS Quarterly, Vol. 36 No. 1, pp. 157-178.
Verplanken, B. and Orbell, S. (2003), “Reflections on past behavior: a self-report index of habit strength”, Journal of Applied Social Psychology, Vol. 33 No. 6, pp. 1313-1330.
Webster, J. and Watson, R.T. (2002), “Analyzing the past to prepare for the future: writing a literature review”, MIS Quarterly, pp. xiii-xxiii.
Witte, K. (1992), “Putting the fear back into fear appeals: the extended parallel process model”, Communication Monographs, Vol. 59 No. 4, pp. 329-349.
Witte, K., Cameron, J. and McKeon, J.B. (1996), “Predicting risk behaviors”.
Woon, I., Tan, G.W. and Low, R. (2005), “A protection motivation theory approach to home wireless security”, ICIS 2005 Proceedings, p. 31.
Further reading
Ajzen, I. (1985), “From intentions to actions: a theory of planned behavior”, Action Control, pp. 11-39, Springer, Berlin, Heidelberg.
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R. (2013), “Future directions for behavioral information security research”, Computers and Security, Vol. 32, pp. 90-101.
De Winter, J.C.F. and Dodou, D. (2010), “The driver behaviour questionnaire as a predictor of accidents: a meta-analysis”, Journal of Safety Research, Vol. 41 No. 6, pp. 463-470.
Enisa (2014), “ENISA threat landscape 2014”, Overview of Current and Emerging CyberThreats, European Union Agency for Network and Information Security.
Enisa (2021), “ENISA threat landscape 2021”, available at: www.enisa.europa.eu/publications/enisa-threat-landscape-2021 (downloaded 13 September 2023).
Fishbein, M. and Ajzen, I. (1975), Belief, Attitude, Intention and Behavior: An Introduction to Theory and Research, Addison-Wesley, Reading, MA.
Siponen, M.T. and Oinas-Kukkonen, H. (2007), “A review of information security issues and respective research contributions”, ACM SIGMIS Database: The DATABASE for Advances in Information Systems, Vol. 38 No. 1, pp. 60-80.
Siponen, M., Willison, R. and Baskerville, R. (2008), “Power and practice in information systems security research”, ICIS 2008 Proceedings, p. 26.
Triandis, H. (1977), Interpersonal Behavior, Brooks/Cole Publishing Company, Pacific Grove, CA.
Acknowledgements
The authors gratefully acknowledge the valuable comments made by the anonymous reviewers.