Abstract

Organizations continue to suffer security breaches even when employees understand the importance of complying with information security policies (ISPs). A central but underexplored reason is timing: employees may intend to comply yet postpone actions such as patching software, updating passwords, or completing required security tasks. This delay matters because in organizational settings, one employee’s non-compliance increases exposure for others. Although prior research has explained ISP compliance using rational choice, deterrence, and protection-motivation perspectives, and behavioral economics has separately explained procrastination through present bias, no analytical model has integrated present-biased preferences (O’Donoghue & Rabin, 1999) with network security externalities in a dynamic ISP compliance setting. This paper develops an analytical model of ISP compliance that combines quasi-hyperbolic discounting with the network security externality (August & Tunca, 2006). We model a continuum of heterogeneous employees who face stochastic compliance costs over time, while each employee’s delay increases breach probability for the organization as a whole. The model yields closed-form compliance cutoffs for rational, naive, and sophisticated employees and enables a dynamic characterization of aggregate compliance over time. Our analysis generates four main insights. First, present bias creates a persistent “last mile” problem: as overall compliance improves, the natural incentive created by shared breach risk weakens, but biased employees continue to underweight the future benefits of acting now. Second, the security externality is partially self-correcting early in the compliance window but loses force later, implying that monitoring is most valuable when back-loaded rather than front-loaded. Third, employees who recognize their own tendency to procrastinate comply faster than naive employees, providing a behavioral rationale for security awareness interventions that target self-awareness rather than threat awareness alone. Fourth, we identify a critical level of present bias below which voluntary compliance collapses once the externality fades, making mandatory enforcement or automation the only effective policy response. By integrating behavioral economics with information security policy design, this study offers insight into why compliance gaps persist even among well-intentioned employees and presents prescriptive guidance for designing deadlines, monitoring schedules, penalties, awareness programs, and automation strategies that account for systematic procrastination in organizational security.
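The mechanism the abstract describes can be made concrete with a small simulation. The following is an added illustration, not the paper's model or code: it uses the O'Donoghue and Rabin (beta, delta) "doing it now or later" framing for a single patching task with a deadline, a constructed (already realised) cost path instead of the paper's stochastic costs, and an assumed expected breach loss per period that rises with the share of colleagues still unpatched (the externality). All functional forms and numbers are assumptions chosen for exposition. Rational employees weigh the future fully, naive employees are present-biased but believe their future selves will not be, and sophisticated employees anticipate their own future procrastination.

```python
"""Added toy model: when does a present-biased employee patch? (assumed forms,
constructed numbers; not the paper's model)"""
from typing import List, Optional

EPS = 1e-9  # tolerance so a beta that sits exactly on a cutoff counts as acting


def breach_losses(base_loss: float, gamma: float, noncompliant_share: List[float]) -> List[float]:
    """Assumed externality: expected breach loss borne in period t while still
    non-compliant grows with the share of colleagues who have not yet complied."""
    return [base_loss * (1.0 + gamma * s) for s in noncompliant_share]


def rational_continuation(costs: List[float], losses: List[float], delta: float, penalty: float) -> List[float]:
    """Cost-to-go V[t] of a time-consistent (beta = 1) employee, by backward induction.
    At the deadline (index len(costs)) compliance is forced and a penalty is paid."""
    T = len(costs)
    V = [0.0] * (T + 1)
    V[T] = penalty
    for t in range(T - 1, -1, -1):
        V[t] = min(costs[t], losses[t] + delta * V[t + 1])
    return V


def compliance_period(kind: str, beta: float, delta: float, costs: List[float],
                      losses: List[float], penalty: float) -> int:
    """First period in which the employee actually complies; len(costs) means
    'only at the forced deadline'. kind is 'rational', 'naive' or 'sophisticated'."""
    T = len(costs)
    if kind == "rational":
        beta = 1.0
    v_rat = rational_continuation(costs, losses, delta, penalty)
    W = [0.0] * (T + 1)      # true cost-to-go given what future selves will do
    W[T] = penalty
    acts = [False] * T
    for t in range(T - 1, -1, -1):
        # The naif believes future selves are rational; the sophisticate (and the
        # rational employee) evaluates what future selves will really do.
        believed = v_rat[t + 1] if kind == "naive" else W[t + 1]
        # Act now iff the immediate cost is no larger than this period's exposure
        # plus the present-biased value of the continuation.
        acts[t] = costs[t] <= losses[t] + beta * delta * believed + EPS
        W[t] = costs[t] if acts[t] else losses[t] + delta * W[t + 1]
    return next((t for t, a in enumerate(acts) if a), T)


def critical_beta(kind: str, delta: float, costs: List[float], losses: List[float],
                  penalty: float, grid: int = 100) -> Optional[float]:
    """Smallest beta on a grid at which voluntary (pre-deadline) compliance occurs."""
    T = len(costs)
    for i in range(grid + 1):
        beta = i / grid
        if compliance_period(kind, beta, delta, costs, losses, penalty) < T:
            return beta
    return None


def compliance_curve(kind: str, betas: List[float], delta: float, costs: List[float],
                     losses: List[float], penalty: float) -> List[float]:
    """Aggregate compliance: fraction of a heterogeneous population (differing only
    in beta) that has complied by the end of each period 0..T."""
    T = len(costs)
    periods = [compliance_period(kind, b, delta, costs, losses, penalty) for b in betas]
    return [sum(1 for p in periods if p <= t) / len(betas) for t in range(T + 1)]


# Constructed scenario: four decision periods, then a forced deadline with penalty.
COSTS = [5.0, 5.0, 5.0, 5.0]                       # realised compliance cost each period
LOSSES = breach_losses(1.0, 2.0, [0.9, 0.6, 0.3, 0.1])  # externality fading as others patch
PENALTY = 8.0
DELTA = 1.0                                        # pure present bias, no exponential discounting

if __name__ == "__main__":
    for kind in ("rational", "naive", "sophisticated"):
        print(kind, "complies in period", compliance_period(kind, 0.3, DELTA, COSTS, LOSSES, PENALTY))
    print("critical beta, naive:", critical_beta("naive", DELTA, COSTS, LOSSES, PENALTY))
    print("critical beta, sophisticated:", critical_beta("sophisticated", DELTA, COSTS, LOSSES, PENALTY))
    pop = [0.2, 0.3, 0.44, 0.6, 1.0]
    print("naive curve:", compliance_curve("naive", pop, DELTA, COSTS, LOSSES, PENALTY))
    print("sophisticated curve:", compliance_curve("sophisticated", pop, DELTA, COSTS, LOSSES, PENALTY))
```

With beta = 0.3 the rational employee patches immediately, the sophisticate patches in period 1 (knowing later selves would keep deferring makes waiting look expensive), and the naif defers every period and is caught only by the forced deadline. Scanning beta shows the "critical present bias" the abstract refers to: below it, no period's exposure is enough to trigger voluntary action once the externality has faded, and only the deadline or automation closes the gap.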
