User non-compliance with information security policies in organizations due to negligence or ignorance is reported as a key data security problem for organizations. Research on employee violation of information security policies has focused on non-compliance due to poor training, low employee motivation, weak effective commitment, or individual oversight. However, the findings from some of the studies are contradictory. Furthermore, no parsimonious theory explains nor predicts employee compliance with information security policies. This study addresses this problem by building a theoretical model grounded in data using grounded theory methodology. The findings indicate organizations need to create a supportive organizational environment. These measures will impact individual employee’s perception. Information technology plays a moderating role between organization practices and the individual cognitive factors. These cognitive factors will in turn have an effect on the individual employees’ compliance with the information security policies.