Journal of the Association for Information Systems


The objective of our paper is to conceptually and empirically challenge the idea of general information security policy (ISP) compliance. Conceptually, we argue that general ISP compliance is an ill-defined concept with minimal theoretical usefulness, because the policy-directed security actions vary considerably from threat to threat in the time, difficulty, diligence, knowledge, and effort they demand. Yet the journals in the Senior Scholars' Basket show a strong preference for publishing models whose authors speculate that their findings generalize across all (or many) of the threats and controls contained in an organization's ISP document. We argue that compliance with each of the mandatory threat-specific security actions may require a different (rather than a similar) explanatory model, which makes constructing a universal model of ISP compliance problematic. Future ISP compliance research will therefore be more valuable if it focuses on the mechanisms, treatments, and behavioral antecedents associated with the required actions around specific threats, instead of attempting to build a model that purportedly covers all (or many) threat-specific security actions (or intentions thereof). To support this claim empirically, we conducted two studies comparing general compliance intentions (i.e., the intention to comply with an unspecified security action) with threat-specific compliance intentions. In both studies, compliance intentions differed significantly between the general compliance measures and the multiple threat-specific security measures or scenarios. Our results indicate that it is problematic to generalize about behavioral antecedents from general compliance intentions to threat-specific compliance intentions, from one threat-specific security action to other threat-specific security actions, and from one threat-specific security action back to general compliance intentions.