Search results
1 – 2 of 2
Marcus Gerdin, Ella Kolkowska and Åke Grönlund
Abstract
Purpose
Research on employee non-/compliance to information security policies suffers from inconsistent results and there is an ongoing discussion about the dominating survey research methodology and its potential effect on these results. This study aims to add to this discussion by investigating discrepancies between what the authors claim to measure (theoretical properties of variables) and what they actually measure (respondents’ interpretations of the operationalized variables). This study asks: How well do respondents’ interpretations of variables correspond to their theoretical definitions? What are the characteristics of any discrepancies between variable definitions and respondent interpretations?
Design/methodology/approach
This study is based on in-depth interviews with 17 respondents from the Swedish public sector to understand how they interpret questionnaire measurement items operationalizing the variables Perceived Severity from Protection Motivation Theory and Attitude from Theory of Planned Behavior.
Findings
The authors found that respondents’ interpretations in many cases differ substantially from the theoretical definitions. Overall, the authors found four principal ways in which respondents interpreted measurement items – referred to as property contextualization, extension, alteration and oscillation – each implying more or less (dis)alignment with the intended theoretical properties of the two variables examined.
Originality/value
The qualitative method used proved vital to better understand respondents’ interpretations which, in turn, is key for improving self-reporting measurement instruments. To the best of the authors’ knowledge, this study is a first step toward understanding how precise and uniform definitions of variables’ theoretical properties can be operationalized into effective measurement items.
Abstract
Purpose
The purpose of this study is to further validate and extend the unified model of information security policy compliance (UMISPC) developed by Moody et al. (2018).
Design/methodology/approach
To be able to compare the results of this study and those reported by Moody et al. (2018) (and followers), the same quantitative data collection method (questionnaire) and variable measurement instruments were used. Specifically, questionnaire data were collected from a department within a Swedish governmental organization comprising 150 employees. Of these, 90 answered the questionnaire which rendered a response rate of 60%. Following Moody et al. (2018), the collected data were analyzed by means of structural equation modeling.
Findings
This study generally provides empirical support for the original UMISPC as a large majority of the findings are in line with those reported by Moody et al. (2018). However, it also suggests important differences and boundary conditions.
Originality/value
This study extends the original study of Moody et al. (2018) and subsequent replication studies by testing it in a new national/organizational context. Based on their call for future research, it also develops and empirically tests the effects of a new, socially visible information system security violation scenario. Related to this, this study also revisits the role of the variable subjective norms for better understanding employee non-/compliance to information security policies by suggesting that their effects may be indirect (i.e. running through other variables in the UMISPC) rather than direct.