Validating and extending the unified model of information security policy compliance

Abstract

Purpose The purpose of this study is to further validate and extend the unified model of information security policy compliance (UMISPC) developed by Moody et al. (2018). Design/methodology/approach To be able to compare the results of this study and those reported by Moody et al. (2018) (and followers), the same quantitative data collection method (questionnaire) and variable measurement instruments were used. Specifically, questionnaire data were collected from a department within a Swedish governmental organization comprising 150 employees. Of these, 90 answered the questionnaire which rendered a response rate of 60%. Following Moody et al. (2018), the collected data were analyzed by means of structural equation modeling. Findings This study generally provides empirical support for the original UMISPC as a large majority of the findings are in line with those reported by Moody et al. (2018). However, it also suggests important differences and boundary conditions. Originality/value This study extends the original study of Moody et al. (2018) and subsequent replication studies by testing it in a new national/organizational context. Based on their call for future research, it also develops and empirically tests the effects of a new, socially visible information system security violation scenario. Related to this, this study also revisits the role of the variable subjective norms for better understanding employee non-/compliance to information security policies by suggesting that their effects may be indirect (i.e. running through other variables in the UMISPC) rather than direct.