Protective Measures and Security Policy Non-Compliance Intention: IT Vision Conflict as a Moderator

Protective Measures and Security Policy Non-Compliance Intention: IT Vision Conflict as a Moderator

Kuo-Chung Chang, Yoke May Seow
Copyright: © 2019 |Pages: 21
DOI: 10.4018/JOEUC.2019010101
(Individual Articles)
No Current Special Offers


Internal vulnerabilities and insider threats top the list of information security (InfoSec) incidents; prompting organizations to establish InfoSec policy (ISP). Yet, mitigating user's ISP non-compliance is still an arduous task. Hence, this study aims to minimize user's ISP non-compliance intention by investigating their perception and attitude toward ISP non-compliance. Specifically, protective measures drawing upon the protection motivation theory - perceived severity of ISP non-compliance, rewards and familiarity with ISP - analyze users' attitude toward ISP non-compliance. Further, the new construct, information technology (IT) vision conflict, is the mismatch between the values that users hold and those embedded in the ISP. The misalignment of the two conflicting values moderates the relationship between the protective measures and attitude toward ISP non-compliance. Findings show that IT vision conflict weakens the negative relationship between perceived severity of ISP non-compliance and attitude toward ISP non-compliance; indirectly affecting ISP non-compliance intention.
Article Preview


In 2015, organizations in the United Kingdom (UK) reported a 36% increase of employee-related information security (InfoSec) breaches compared with the previous year (PwC, 2015b); and insider threats constitute the highest number of InfoSec incidents globally (PwC, 2015a). Nonetheless, although organizations have implemented InfoSec policy (ISP) (Guo, Yuan, Archer, & Connelly, 2011), users’ resistance to ISP is among the major reasons for ISP’s failure (Kolkowska & Dhillon, 2013) which is a notable problem for organizations (Posey, Roberts, Lowry, Bennett, & Courtney, 2013). Employees disregarded the ISP because they felt that the ISP is a nuisance (Renaud, 2012), they prioritize other work tasks, and the ISP is poorly understood (PwC, 2015b). Also, ISP non-compliance behaviors could be due to employees’ dissatisfaction with the ISP (Hedström, Karlsson, & Kolkowska, 2013), negligence or ignorance (Siponen & Vance, 2010).

Thus, the domains of InfoSec and ISP non-compliance have received substantial attention from researchers and practitioners. Among the behavioral theories applied to address ISP non-compliance include deterrence theory (D’Arcy & Hovav, 2009; Herath & Rao, 2009), the theory of planned behavior (Bulgurcu, Cavusoglu, & Benbasat, 2010; Cox, 2012), and social action theory (Hedström et al., 2013). Further, there are research investigating user ISP non-compliance behaviors from ethical (Myyry, Siponen, Pahnila, Vartiainen, & Vance, 2009) and rational choice perspectives (Bulgurcu et al., 2010; Vance & Siponen, 2012).

While extant research offers insights on the InfoSec contravention, they leave an incomplete understanding of the ISP infringement issues. First, despite having identified factors of ISP compliance behaviors, research highlighting ISP non-compliance behaviors is scant (Guo et al., 2011; Workman, Bommer, & Straub, 2008). Moreover, these two types of behaviors are qualitatively dissimilar and therefore, their respective antecedents might differ (Guo et al., 2011). Adhering rules or policy could simply be based on normative beliefs regulating what people ought to do without requiring the users to over analyze (Cox, 2012). However, to perform counter-normative actions, users might deliberate about rule-breaking and find relevant excuses (Blanton & Christie, 2003). Furthermore, Wall et al. (2013) claim that habitual behavior, being routine and automatic, is imperative in mitigating ISP non-compliance. In contrast, users might think twice before committing the ISP non-compliance action because they know that it is unlawful. Hence, it is more worthwhile to investigate why users are ISP non-compliant rather than why they are ISP-compliant (Guo et al., 2011; Vance & Siponen, 2012). This is even more so since intentional negligence of ISP is one of the most common security-related behaviors among users. Investigating the ISP non-compliance phenomenon is more pragmatic and interesting because unexpected deviant actions have greater “informational value” than normative behaviors (Barlow, Warkentin, Ormond, & Dennis, 2013; Blanton & Christie, 2003); while extending our understanding on ISP non-compliance motivation or rationalization (Siponen & Vance, 2010).

Complete Article List

Search this Journal:
Volume 35: 3 Issues (2023)
Volume 34: 10 Issues (2022)
Volume 33: 6 Issues (2021)
Volume 32: 4 Issues (2020)
Volume 31: 4 Issues (2019)
Volume 30: 4 Issues (2018)
Volume 29: 4 Issues (2017)
Volume 28: 4 Issues (2016)
Volume 27: 4 Issues (2015)
Volume 26: 4 Issues (2014)
Volume 25: 4 Issues (2013)
Volume 24: 4 Issues (2012)
Volume 23: 4 Issues (2011)
Volume 22: 4 Issues (2010)
Volume 21: 4 Issues (2009)
Volume 20: 4 Issues (2008)
Volume 19: 4 Issues (2007)
Volume 18: 4 Issues (2006)
Volume 17: 4 Issues (2005)
Volume 16: 4 Issues (2004)
Volume 15: 4 Issues (2003)
Volume 14: 4 Issues (2002)
Volume 13: 4 Issues (2001)
Volume 12: 4 Issues (2000)
Volume 11: 4 Issues (1999)
Volume 10: 4 Issues (1998)
Volume 9: 4 Issues (1997)
Volume 8: 4 Issues (1996)
Volume 7: 4 Issues (1995)
Volume 6: 4 Issues (1994)
Volume 5: 4 Issues (1993)
Volume 4: 4 Issues (1992)
Volume 3: 4 Issues (1991)
Volume 2: 4 Issues (1990)
Volume 1: 3 Issues (1989)
View Complete Journal Contents Listing