Cognitive-affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study

Abstract

We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state-based affective constructs, namely, positive and negative mood states and episodic, security-related work-impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day-to-day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience-sampling methodology design, in which employees completed daily surveys over a 2-week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason-based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.