There is a rich stream of research focusing on employee non-/compliance with information security policies. However, this stream suffers from inconsistent, even contradicting results and lack of theoretical congruence. Attempts to explain such inconsistencies have included investigation of possible moderating effects of contextual variables. We further investigate these inconsistencies by analytically disentangling the consistency in the implementation of the four most used variables of Protection Motivation Theory—Perceived severity, Perceived susceptibility, Response efficacy, and Self-efficacy—across the research field. Specifically, we address the following research question; what inconsistencies, if any, are there in the use of Protection motivation theory in non-/compliance research? We find that three of the variables analyzed have been ascribed more than one theoretical property across the seven studies reviewed, thereby making it problematic to fully understand their cause-and-effect relationships. That is, it is unclear which property that explains employees’ intention to comply with IS policies, whether they have the same effects, or have an increased effect when applied in conjunction. This study contributes to the literature by proposing that inconsistent results may not only be due to omitted moderating factors, but also to theoretical properties of key variables being inconsistently defined and measured.
Gerdin, Marcus; Grönlund, Åke; and Kolkowska, Ella, "Use of protection motivation theory in non-compliance research" (2021). WISP 2021 Proceedings. 14.