Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

A key approach in many organizations to address the myriad of information security threats is encouraging employees to better understand and comply with information security policies (ISPs). Despite a significant body of academic research in this area, a commonly held but questionable assumption in these studies is that noncompliance simply represents the opposite of compliance. Hence, explaining compliance is only half of the story, and there is a pressing need to understand the causes of noncompliance, as well. If organizational leaders understood what leads a normally compliant employee to become noncompliant, future security breaches might be avoided or minimized. In this study, we found that compliant and noncompliant behaviors can be better explained by uncovering actions that focus not only on efficacious coping behaviors, but also those that focus on frustrated users who must sometimes cope with emotions, too. Employees working from a basis of emotion-focused coping are unable to address the threat and, feeling overwhelmed, focus only on controlling their emotions, merely making themselves feel better. Based on our findings, organizations can enhance their security by understanding the “tipping point” where employees’ focus likely changes from problem-solving to emotion appeasement, and instead push them into a more constructive direction.Yan Chen is an associate professor at Florida International University. She received her PhD in management information systems from University of Wisconsin–Milwaukee. Her research focuses on information security management, online fraud, privacy, and social media. She has published more than 30 research papers in refereed academic journals and conference proceedings.Dennis F. Galletta is a LEO awardee, fellow, and former president of the Association for Information Systems and professor at University of Pittsburgh since 1985. He has published 108 articles and four books. He is a senior editor at MIS Quarterly and an editorial board member at the Journal of Management Information Systems, and has been on several other boards.Paul Benjamin Lowry is the Suzanne Parker Thornhill Chair Professor in Business Information Technology at the Pamplin College of Business at Virginia Tech. He has published more than 135 journal articles. His research areas include organizational and behavioral security and privacy; online deviance and harassment, and computer ethics; human–computer interaction, social media, and gamification; and decision sciences, innovation, and supply chains.Xin (Robert) Luo is Endowed Regent’s Professor and full professor of MIS at the University of New Mexico. His research has appeared in leading information systems journals, and he serves as an associate editor for the Journal of the Association for Information Systems, Decision Sciences Journal, Information & Management, Electronic Commerce Research, and the Journal of Electronic Commerce Research.Gregory D. Moody is currently Lee Professor of Information Systems at the University of Nevada Las Vegas, and director of the cybersecurity graduate program. His interests include information systems security and privacy, e-business, and human–computer interaction. He is currently a senior editor for the Information Systems Journal and Transactions on Human-Computer Interaction.Robert Willison is a professor of management at Xi’an Jiaotong–Liverpool University. He received his PhD in information systems from the London School of Economics. His research focuses on insider computer abuse, information security policy compliance/noncompliance, software piracy, and cyber-loafing. His research has appeared in refereed academic journals such as MIS Quarterly, Journal of the Association for Information Systems, Information Systems Journal, and others.