Toward a Unified Model of Information Security Policy Compliance
Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a Unified Model of Information Security Policy Compliance. MIS Quarterly, 42 (1), 285-311. doi:10.25300/MISQ/2018/13853
Published inMIS Quarterly
© 2018 by the Management Information Systems Research Center (MISRC) of the University of Minnesota.
Information systems security (ISS) behavioral research has produced different models to explain security policy compliance. This paper (1) reviews 11 theories that have served the majority of previous information security behavior models, (2) empirically compares these theories (Study 1), (3) proposes a unified model, called the unified model of information security policy compliance (UMISPC), which integrates elements across these extant theories, and (4) empirically tests the UMISPC in a new study (Study 2), which provided preliminary empirical support for the model. The 11 theories reviewed are (1) the theory of reasoned action, (2) neutralization techniques, (3) the health belief model, (4) the theory of planned behavior, (5) the theory of interpersonal behavior, (6) the protection motivation theory, (7) the extended protection motivation theory, (8) deterrence theory and rational choice theory, (9) the theory of self-regulation, (10) the extended parallel processing model, and (11) the control balance theory. The UMISPC is an initial step toward empirically examining the extent to which the existing models have similar and different constructs. Future research is needed to examine to what extent the UMISPC can explain different types of ISS behaviors (or intentions thereof). Such studies will determine the extent to which the UMISPC needs to be revised to account for different types of ISS policy violations and the extent to which the UMISPC is generalizable beyond the three types of ISS violations we examined. Finally, the UMISPC is intended to inspire future ISS research to further theorize and empirically demonstrate the important differences between rival theories in the ISS context that are not captured by current measures. ...
PublisherManagement Information Systems Research Center, Carlson School of Management, University of Minnesota
MetadataShow full item record
Showing items with similar title or keywords.
Common Misunderstandings of Deterrence Theory in Information Systems Research and Future Research Directions Siponen, Mikko; Soliman, Wael; Vance, Anthony (ACM, 2022)In the 1980s, information systems (IS) borrowed deterrence theory (DT) from the field of criminology to explain information security behaviors (or intention). Today, DT is among the most commonly used theories in IS security ...
Influence of Organizational Culture on Employees Information Security Policy Compliance in Ethiopian Companies Ejigu, Kibrom; Siponen, Mikko; Muluneh, Tilahun (Association for Information Systems, 2021)Information security is one of the organizations' top agendas worldwide. Similarly, there is a growing trend in the kinds and rate of security breaches. Information security experts and scholars concentrate on outsiders' ...
Investigating the Impact of Organizational Culture on Information Security Policy Compliance : The Case of Ethiopia Ejigu, Kibrom Tadesse; Siponen, Mikko; Arage, Tilahun Muluneh (Association for Information Systems, 2021)Information security is one of the organizations' top agendas worldwide. Similarly, there is a growing trend in the kinds and rate of security breaches. Information security experts and scholars concentrate on outsiders' ...
Understanding the inward emotion-focused coping strategies of individual users in response to mobile malware threats Xin, Tong; Siponen, Mikko; Chen, Sihua (Taylor & Francis, 2021)According to coping theory, individuals cope with information system threats by adopting either problem-focused coping (PFC) or emotion-focused coping (EFC). However, little is known about EFC in the information security ...
Karjalainen, Mari; Siponen, Mikko; Sarker, Suprateek (Elsevier, 2020)Existing behavioral information security research proposes continuum or non-stage models that focus on finding static determinants for information security behavior (ISB) that remains unchanged. Such models cannot explain ...