Top

Journal of Business and Psychology

16-03-2023

Personal and Contextual Predictors of Information Security Policy Compliance: Evidence from a Low-Fidelity Simulation

Authors: Ricardo R. Brooks, Kevin J. Williams, So-Yun Lee

Published in: Journal of Business and Psychology

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The objective of this study was to examine the roles that organizational security climate and perceived costs and rewards of compliance play in predicting the extent to which people endorse compliance or violation of specific information security policies (ISP). A low-fidelity simulation placed participants in either a strong or weak information security climate and presented them with four cybersecurity scenarios that assessed their judgments of complying with or violating security policies in those situations. Results indicated that information security climate relates to intent to comply with a company’s security policies via attitudes, subjective norms, and perceived behavioral control, in line with the predictions of the theory of planned behavior (Ajzen, 1991). Strong intentions to comply with policies, in turn, were associated with greater endorsement of compliant behaviors and decreased endorsement of policy violations in the specific scenarios. However, whether or not individuals chose to endorse compliance with or violation of specific policies, after initial intentions were formed, was also influenced by their perceived costs and rewards of compliance. The effects of costs were particularly strong: as perceived costs increased, participants were more likely to endorse ISP violations. Our findings suggest that establishing a strong information security climate may reduce the chances of security breaches, but that organizations should also intervene to reduce the perceived burden and inconvenience of security tasks.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

For the purpose of this study ISP “violations” follow the Cram and colleagues (2019) definition operationalizing violations as the degree to which an employee fails to comply with the requirements outlined in a given set of ISP.

We used the following search terms: information security policy, information security compliance, cybersecurity compliance, compliance, noncompliance, violation, information security policy. These terms were entered into the following databases: PROQUEST™: PsychARTICLES, IEEE Xplore Digital Library™, EBSCO™ and Computers and Applied Sciences Complete, along with Google Scholar.

Aguinis, H., & Bradley, K. J. (2014). Best practice recommendations for designing and implementing experimental vignette methodology studies. Organizational Research Methods, 17(4), 351–371. https://doi.org/10.1177/1094428114547952CrossRef

Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211. https://doi.org/10.1016/0749-5978(91)90020-TCrossRef

Ajzen, I. (2011). The theory of planned behaviour: Reactions and reflections. Psychology & Health, 26(9), 1113–1127. https://doi.org/10.1080/08870446.2011.613995CrossRef

Armitage, C. J., & Conner, M. (2001). Efficacy of the theory of planned behaviour: A meta-analytic review. British Journal of Social Psychology, 40(4), 471–499. https://doi.org/10.1348/014466601164939CrossRefPubMed

Aurigemma, S., & Mattson, T. (2017). Deterrence and punishment experience impacts on ISP compliance attitudes. Information and Computer Security, 25(4), 421–436. https://doi.org/10.1108/ICS-11-2016-0089CrossRef

Bauer, S., & Bernroider, E. W. N. (2017). From information security awareness to reasoned compliant action: Analyzing information security policy compliance in a large banking organization. ACM SIGMIS Database: The DATABASE for Advances in Information Systems, 48(3), 44–68. https://doi.org/10.1145/3130515.3130519CrossRef

Beautement, A., Sasse, M. A., & Wonham, M. (2008, September). The compliance budget: Managing security behaviour in organisations. Proceedings of the 2008 New Security Paradigms Workshop, 47–58. https://doi.org/10.1145/1595676.1595684

Beautement, A., & Sasse, A. (2009). The economics of user effort in information security. Computer Fraud & Security, 2009(10), 8–12. https://doi.org/10.1016/S1361-3723(09)70127-7CrossRef

Becker, G. S. (1968). Crime and punishment: An economic approach. The Journal of Political Economy, 76(2), 169–217. https://doi.org/10.1007/978-1-349-62853-7_2CrossRef

Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly, 39(4), 837–864. https://www.jstor.org/stable/26628654

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly., 34(3), 523–548. https://doi.org/10.2307/25750690CrossRef

Carr, J. Z., Schmidt, A. M., Ford, J. K., & DeShon, R. P. (2003). Climate perceptions matter: A meta-analytic path analysis relating molar climate, cognitive and affective states, and individual level work outcomes. Journal of Applied Psychology, 88(4), 605–619. https://doi.org/10.1037/0021-9010.88.4.605CrossRefPubMed

Chan, M., Woon, I., & Kankanhalli, A. (2005). Perceptions of information security in the workplace: Linking information security climate to compliant behavior. Journal of Information Privacy and Security, 1(3), 18–41. https://doi.org/10.1080/15536548.2005.10855772CrossRef

Chen, Y., Galletta, D. F., Lowry, P. B., Luo, X. R., Moody, G. D., & Willison, R. (2021). Understanding inconsistent employee compliance with information security policies through the lens of the extended parallel process model. Information Systems Research, 32(3), 1043–1065. https://doi.org/10.1287/isre.2021.1014CrossRef

Cheng, L., Li, W., Zhai, Q., & Smyth, R. (2014). Understanding personal use of the Internet at work: An integrated model of neutralization techniques and general deterrence theory. Computers in Human Behavior, 38, 220–228. https://doi.org/10.1016/j.chb.2014.05.043CrossRef

Chmielewski, M., & Kucker, S. C. (2020). An MTurk crisis? Shifts in data quality and the impact on study results. Social Psychological and Personality Science, 11(4), 464–473. https://doi.org/10.1177/1948550619875149CrossRef

Christian, M. S., Bradley, J. C., Wallace, J. C., & Burke, M. J. (2009). Workplace safety: A meta-analysis of the roles of person and situation factors. Journal of Applied Psychology, 94(5), 1103–1127. https://doi.org/10.1037/a0016172CrossRefPubMed

Cram, W. A., Proudfoot, J. G., & D’Arcy, J. (2017). Organizational information security policies: A review and research framework. European Journal of Information Systems, 26(6), 605–641. https://doi.org/10.1057/s41303-017-0059-9CrossRef

Cram, W. A., D’Arcy, J., & Proudfoot, J. G. (2019). Seeing the forest and the trees: A meta-analysis of the antecedents to information security policy compliance. MIS Quarterly, 43(2), 525–554. https://doi.org/10.24251/HICSS.2017.489CrossRef

Cram, W. A., Proudfoot, J. G., & D’Arcy, J. (2021). When enough is enough: Investigating the antecedents and consequences of information security fatigue. Information Systems Journal, 31(4), 521–549. https://doi.org/10.1111/isj.12319CrossRef

Curcuruto, M., Griffin, M. A., Kandola, R., & Morgan, J. I. (2018). Multilevel safety climate in the UK rail industry: A cross validation of the Zohar and Luria MSC scale. Safety Science, 110, 183–194. https://doi.org/10.1016/j.ssci.2018.02.008CrossRef

D’Arcy, J., Herath, T., & Shoss, M. K. (2014). Understanding employee responses to stressful information security requirements: A coping perspective. Journal of Management Information Systems, 31(2), 285–318. https://doi.org/10.2753/MIS0742-1222310210CrossRef

Dalal, R. S., Howard, D. J., Bennett, R. J., Posey, C., Zaccaro, S. J., & Brummel, B. J. (2022). Organizational science and cybersecurity: Abundant opportunities for research at the interface. Journal of Business and Psychology, 37(1), 1–29. https://doi.org/10.1007/s10869-021-09732-9CrossRefPubMed

D’Arcy, J., & Devaraj, S. (2012). Employee misuse of information technology resources: Testing a contemporary deterrence model. Decision Sciences, 43(6), 1091–1124. https://doi.org/10.1111/j.1540-5915.2012.00383.xCrossRef

D’Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems, 20(6), 643–658. https://doi.org/10.1057/ejis.2011.23CrossRef

D’Arcy, J., & Lowry, P. B. (2019). Cognitive-affective drivers of employees’ daily compliance with information security policies: A multilevel, longitudinal study. Information Systems Journal, 29(1), 43–69. https://doi.org/10.1111/isj.12173CrossRef

Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention, and behavior: An introduction to theory and research. Addison-Wesley.

Fishbein, M., & Ajzen, I. (2010). Predicting and changing behavior: The reasoned action approach. Psychology Press. https://doi.org/10.4324/9780203838020CrossRef

Golubovich, J., Seybert, J., Martin-Raugh, M., Naemi, B., Vega, R. P., & Roberts, R. D. (2017). Assessing perceptions of interpersonal behavior with a video-based situational judgment test. International Journal of Testing, 17(3), 191–209. https://doi.org/10.1080/15305058.2016.1194275CrossRef

Goo, J., Yim, M.-S., & Kim, D. J. (2014). A path to successful management of employee security compliance: An empirical study of information security climate. IEEE Transactions on Professional Communication, 57(4), 286–308. https://doi.org/10.1109/TPC.2014.2374011CrossRef

Guion, R. M. (1973). A note on organizational climate. Organizational Behavior and Human Performance, 9(1), 120–125. https://doi.org/10.1016/0030-5073(73)90041-XCrossRef

Guo, K. H. (2013). Security-related behavior in using information systems in the workplace: A review and synthesis. Computers & Security, 32, 242–251. https://doi.org/10.1016/j.cose.2012.10.003CrossRef

Han, J., Kim, Y. J., & Kim, H. (2017). An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective. Computers & Security, 66, 52–65. https://doi.org/10.1016/j.cose.2016.12.016CrossRef

Herath, T., & Rao, H. R. (2009). Protection motivation and deterrence: A framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), 106–125. https://doi.org/10.1057/ejis.2009.6CrossRef

Hinkin, T. R. (1998). A brief tutorial on the development of measures for use in survey questionnaires. Organizational Research Methods, 1(1), 104–121. https://doi.org/10.1177/109442819800100106CrossRef

Hu, L. T., & Bentler, P. M. (1999). Cutoff criteria for fit indexes in covariance structure analysis: Conventional criteria versus new alternatives. Structural Equation Modeling: A Multidisciplinary Journal, 6(1), 1–55. https://doi.org/10.1080/10705519909540118CrossRef

Huang, Y. H., Zohar, D., Robertson, M. M., Garabet, A., Lee, J., & Murphy, L. A. (2013a). Development and validation of safety climate scales for lone workers using truck drivers as exemplar. Transportation Research Part f: Traffic Psychology and Behaviour, 17, 5–19. https://doi.org/10.1016/j.trf.2012.08.011CrossRef

Huang, Y. H., Zohar, D., Robertson, M. M., Garabet, A., Murphy, L. A., & Lee, J. (2013b). Development and validation of safety climate scales for mobile remote workers using utility/electrical workers as exemplar. Accident Analysis & Prevention, 59, 76–86. https://doi.org/10.1016/j.aap.2013.04.030CrossRef

Hughes, R., & Huby, M. (2002). The application of vignettes in social and nursing research. Journal of Advanced Nursing, 37(4), 382–386. https://doi.org/10.1046/j.1365-2648.2002.02100.xCrossRefPubMed

IBM. (2020). Cost of insider threats: Global report 2020. IBM. https://www.ibm.com/security/digital-assets/services/cost-of-insider-threats/#/

Ifinedo, P. (2012). Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security, 31(1), 83–95. https://doi.org/10.1016/j.cose.2011.10.007CrossRef

Ifinedo, P. (2016). Critical times for organizations: What should be done to curb workers’ noncompliance with IS security policy guidelines? Information Systems Management, 33(1), 30–41. https://doi.org/10.1080/10580530.2015.1117868CrossRef

Jaafar, N. I., & Ajis, A. (2013). Organizational climate and individual factors effects on information security compliance behaviour. International Journal of Business and Social Science, 4(10), 118–130.

James, L. R., & Jones, A. P. (1974). Organizational climate: A review of theory and research. Psychological Bulletin, 81(12), 1096–1112. https://doi.org/10.1037/h0037511CrossRef

Jenkins, J. L., & Durcikova, A. (2013). What, I shouldn’t have done that? The influence of training and just-in-time reminders on secure behavior. In R. Baskerville & M. Chau, (Eds.), Proceedings of International Conference on Information Systems, Milan.

Johnson, S. E. (2007). The predictive validity of safety climate. Journal of Safety Research, 38(5), 511–521. https://doi.org/10.1016/j.jsr.2007.07.001CrossRefPubMed

Johnson, R. E., Rosen, C. C., & Djurdjevic, E. (2011). Assessing the impact of common method variance on higher order multidimensional constructs. Journal of Applied Psychology, 96(4), 744–761. https://doi.org/10.1037/a0021504CrossRefPubMed

Johnston, A. C., Warkentin, M., & Siponen, M. (2015). An enhanced fear appeal rhetorical framework: Leveraging threats to the human asset through sanctioning rhetoric. MIS Quarterly, 39(1), 113–134. https://doi.org/10.25300/MISQ/2015/39.1.06CrossRef

Kanfer, R., & Ackerman, P. L. (1989). Motivation and cognitive abilities: An integrative/aptitude-treatment interaction approach to skill acquisition. Journal of Applied Psychology, 74(4), 657–690. https://doi.org/10.1037/0021-9010.74.4.657CrossRef

Karjalainen, M., Sarker, S., & Siponen, M. (2019). Toward a theory of information systems security behaviors of organizational employees: A dialectical process perspective. Information Systems Research, 30(2), 687–704. https://doi.org/10.1287/isre.2018.0827CrossRef

Kessler, S. R., Pindek, S., Kleinman, G., Andel, S. A., & Spector, P. E. (2020). Information security climate and the assessment of information security risk among healthcare employees. Health Informatics Journal, 26(1), 461–473. https://doi.org/10.1177/1460458219832048CrossRefPubMed

Lewin, K. (1943). Defining the field at a given time. Psychological Review, 50, 292–310.CrossRef

Li, H., Zhang, J., & Sarathy, R. (2010). Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems, 48(4), 635–645. https://doi.org/10.1016/j.dss.2009.12.005CrossRef

Li, H., Sarathy, R., Zhang, J., & Luo, X. (2014). Exploring the effects of organizational justice, personal ethics and sanction on internet use policy compliance. Information Systems Journal, 24(6), 479–502. https://doi.org/10.1111/isj.12037CrossRef

Lievens, F., & Motowidlo, S. J. (2016). Situational judgment tests: From measures of situational judgment to measures of general domain knowledge. Industrial and Organizational Psychology, 9(1), 3–22. https://doi.org/10.1017/iop.2015.71CrossRef

Lowry, P. B., & Moody, G. D. (2015). Proposing the control-reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies. Information Systems Journal, 25(5), 433–463. https://doi.org/10.1111/isj.12043CrossRef

MacKenzie, S. B., Podsakoff, P. M., & Podsakoff, N. P. (2011). Construct measurement and validation procedures in MIS and behavioral research: Integrating new and existing techniques. MIS Quarterly, 35(2), 293–334. https://doi.org/10.2307/23044045CrossRef

Martin-Raugh, M. P., & Kell, H. J. (2021). A process model of situational judgment test responding. Human Resource Management Review, 31(2), 100731. https://doi.org/10.1016/j.hrmr.2019.100731CrossRef

McDaniel, M. A., Morgeson, F. P., Finnegan, E. B., Campion, M. A., & Braverman, E. P. (2001). Use of situational judgment tests to predict job performance: A clarification of the literature. Journal of Applied Psychology, 86(4), 730–740. https://doi.org/10.1037/0021-9010.86.4.730CrossRefPubMed

Milne, S., Orbell, S., & Sheeran, P. (2002). Combining motivational and volitional interventions to promote exercise participation: Protection motivation theory and implementation intentions. British Journal of Health Psychology, 7(2), 163–184. https://doi.org/10.1348/135910702169420CrossRefPubMed

Mischel, W., & Shoda, Y. (1995). A cognitive-affective system theory of personality: Reconceptualizing situations, dispositions, dynamics, and invariance in personality structure. Psychological Review, 102(2), 246–268. https://doi.org/10.1037/0033-295X.102.2.246CrossRefPubMed

Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285–311. https://doi.org/10.25300/MISQ/2018/13853CrossRef

Newnam, S., Griffin, M. A., & Mason, C. (2008). Safety in work vehicles: A multilevel study linking safety values and individual predictors to work-related driving crashes. Journal of Applied Psychology, 93(3), 632–644. https://doi.org/10.1037/0021-9010.93.3.632CrossRefPubMed

Pierce, C. A., & Aguinis, H. (1997). Using virtual reality technology in organizational behavior research. Journal of Organizational Behavior, 18(5), 407–410. https://doi.org/10.1002/(SICI)1099-1379(199709)18:5%3c407::AID-JOB869%3e3.0.CO;2-PCrossRef

Posey, C., Roberts, T. L., Lowry, P. B., & Hightower, R. T. (2014). Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders. Information & Management, 51(5), 551–567. https://doi.org/10.1016/j.im.2014.03.009CrossRef

Posey, C., Raja, U., Crossler, R. E., & Burns, A. J. (2017). Taking stock of organisations’ protection of privacy: Categorising and assessing threats to personally identifiable information in the USA. European Journal of Information Systems, 26(6), 585–604. https://doi.org/10.1057/s41303-017-0065-yCrossRef

Puhakainen, P., & Siponen, M. (2010). Improving employees’ compliance through information systems security training: An action research study. MIS Quarterly, 34(4), 757–778. https://doi.org/10.2307/25750704CrossRef

Randall, J. G., Oswald, F. L., & Beier, M. E. (2014). Mind-wandering, cognition, and performance: A theory-driven meta-analysis of attention regulation. Psychological Bulletin, 140(6), 1411–1431. https://doi.org/10.1037/a0037428CrossRefPubMed

Reis, H. T. (2008). Reinvigorating the concept of situation in social psychology. Personality and Social Psychology Review, 12(4), 311–329. https://doi.org/10.1177/1088868308321721CrossRefPubMed

Rentsch, J. R. (1990). Climate and culture: Interaction and qualitative differences in organizational meanings. Journal of Applied Psychology, 75(6), 668–681. https://doi.org/10.1037/0021-9010.75.6.668CrossRef

Richardson, H. A., Simmering, M. J., & Sturman, M. C. (2009). A tale of three perspectives: Examining post hoc statistical techniques for detection and correction of common method variance. Organizational Research Methods, 12(4), 762–800. https://doi.org/10.1177/1094428109332834CrossRef

Ritchey, D. (2018). Curing security fatigue. Retrieved from https://www.securitymagazine.com/articles/89370-curingsecurity-fatigue

Schneider, B. (1990). The climate for service: An application of the climate construct. Organizational Climate and Culture, 1, 383–412.

Schneider, B. (2000). The psychological life of organizations. In N. Ashkanasy, C. P. M. Wilderom, & M. F. Peterson (Eds.), Handbook of Organizational Culture & Climate (pp. 17–21). Sage.

Schneider, B., White, S. S., & Paul, M. C. (1998). Linking service climate and customer perceptions of service quality: Tests of a causal model. Journal of Applied Psychology, 83(2), 150–163. https://doi.org/10.1037/0021-9010.83.2.150CrossRefPubMed

Schneier, B. (2008, January 18). The psychology of security. Schneier on Security. https://www.schneier.com/essays/archives/2008/01/the_psychology_of_se.html

Sherman, R. A., Nave, C. S., Funder DC. (2013). Situational construal is related to personality and gender. Journal of Research in Personality, 47(1), 1–14. https://doi.org/10.1016/j.jrp.2012.10.008CrossRef

Simons, T. (2002). Behavioral integrity: The perceived alignment between managers’ words and deeds as a research focus. Organization Science, 13(1), 18–35. https://doi.org/10.1287/orsc.13.1.18.543CrossRef

Siponen, M. T. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), 31–41. https://doi.org/10.1108/09685220010371394CrossRef

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217–224. https://doi.org/10.1016/j.im.2013.08.006CrossRef

Sommestad, T., Hallberg, J., Lundholm, K., & Bengtsson, J. (2014). Variables influencing information security policy compliance: A systematic review of quantitative studies. Information Management & Computer Security, 22(1), 42–75. https://doi.org/10.1108/IMCS-08-2012-0045CrossRef

Son, J. Y. (2011). Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information & Management, 48(7), 296–302. https://doi.org/10.1016/j.im.2011.07.002CrossRef

Spector, P. E., Rosen, C. C., Richardson, H. A., Williams, L. J., & Johnson, R. E. (2019). A new perspective on method variance: A measure-centric approach. Journal of Management, 45(3), 855–880. https://doi.org/10.1177/0149206316687295CrossRef

Stanton, B., Theofanos, M. F., Prettyman, S. S., & Furman, S. (2016). Security fatigue. IT Professional, 18(5), 26–32. https://doi.org/10.1109/MITP.2016.84CrossRef

Straub, D. (1986). Computer abuse and security: Update on an empirical pilot study. ACM SIGSAC Review, 4(2), 21–31. https://doi.org/10.1145/15842.15846CrossRef

Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS security compliance: Insights from habit and protection motivation theory. Information & Management, 49(3–4), 190–198. https://doi.org/10.1016/j.im.2012.04.002CrossRef

Warshaw, P. R., & Davis, F. D. (1985). Disentangling behavioral intention and behavioral expectation. Journal of Experimental Social Psychology, 21(3), 213–228. https://doi.org/10.1016/0022-1031(85)90017-4CrossRef

Watson, G. W., Scott, D., Bishop, J., & Turnbeaugh, T. (2005). Dimensions of interpersonal relationships and safety in the steel industry. Journal of Business and Psychology, 19, 303–318. https://doi.org/10.1007/s10869-004-2230-2CrossRef

Webb, T. L., & Sheeran, P. (2006). Does changing behavioral intentions engender behavior change? A meta-analysis of the experimental evidence. Psychological Bulletin, 132(2), 249–268. https://doi.org/10.1037/0033-2909.132.2.249CrossRefPubMed

Williams, L. J., Cote, J. A., & Buckley, M. R. (1989). Lack of method variance in self-reported affect and perceptions at work: Reality or artifact? Journal of Applied Psychology, 74(3), 4652–5468. https://doi.org/10.1037/0021-9010.74.3.462CrossRef

Wood, D., Lowman, G. H., & Harms, P. D. (2017). “Low-fidelity simulations” play central roles in explaining behaviour. European Journal of Personality, 31(5), 483–484. https://doi.org/10.1002/per.2119CrossRef

Yazdanmehr, A., & Wang, J. (2016). Employees’ information security policy compliance: A norm activation perspective. Decision Support Systems, 92, 36–46. https://doi.org/10.1016/j.dss.2016.09.009CrossRef

Zohar, D. (1980). Safety climate in industrial organizations: Theoretical and applied implications. Journal of Applied Psychology, 65(1), 96–102. https://doi.org/10.1037/0021-9010.65.1.96CrossRefPubMed

Zohar, D. (2000). A group-level model of safety climate: Testing the effect of group climate on microaccidents in manufacturing jobs. Journal of Applied Psychology, 85(4), 587–596. https://doi.org/10.1037/0021-9010.85.4.587CrossRefPubMed

Zohar, D. (2010). Thirty years of safety climate research: Reflections and future directions. Accident Analysis & Prevention, 42(5), 1517–1522. https://doi.org/10.1016/j.aap.2009.12.019CrossRef

Zohar, D., & Luria, G. (2005). A multilevel model of safety climate: Cross-level relationships between organization and group-level climates. Journal of Applied Psychology, 90(4), 616–628. https://doi.org/10.1037/0021-9010.90.4.616CrossRefPubMed

Zohar, D., & Tenne-Gazit, O. (2008). Transformational leadership and group interaction as climate antecedents: A social network analysis. Journal of Applied Psychology, 93(4), 744–757. https://doi.org/10.1037/0021-9010.93.4.744CrossRefPubMed

Title: Personal and Contextual Predictors of Information Security Policy Compliance: Evidence from a Low-Fidelity Simulation
Authors: Ricardo R. Brooks
Kevin J. Williams
So-Yun Lee
Publication date: 16-03-2023
Publisher: Springer US
Published in: Journal of Business and Psychology
Print ISSN: 0889-3268
Electronic ISSN: 1573-353X
DOI: https://doi.org/10.1007/s10869-023-09878-8