CCE Theses and Dissertations

Date of Award


Document Type


Degree Name

Doctor of Philosophy (PhD)


College of Computing and Engineering


Ling Wang

Committee Member

Mary Harward

Committee Member

Inkyoung Hur


compliance, information security, information security policy, information security policy violation, negative affect, organizational injustice


Employees’ non-compliance with Information Security (IS) policies is an important socio-organizational issue that represents a serious threat to the effective management of information security programs in organizations. Prior studies have demonstrated that information security policy (ISP) violation in the workplace is a common significant problem in organizations. Some of these studies have earmarked the importance of this problem by drawing upon cognitive processes to explain compliance with information security policies, while others have focused solely on factors related to non-compliance behavior, one of which is affect. Despite the findings from these studies, there is a dearth of extant literature that integrates both affective and cognitive theories that shed light on a more holistic understanding of information security non-compliance behaviors. This research developed a theoretical model of the relationship between negative affect and cognitive processes and their influence on employees’ ISP non-compliance at the workplace. Cognitive processes provide a significant foundation in understanding why employees show non-compliance behavior with ISPs and rules at the workplace. However, they do not completely explain the motivations behind the deviant employee’s non-compliance behavior. This research examined how the relationships between organizational injustice frameworks and negative affect influence attitude, which, in turn, influences behaviors that can be used to understand ISP non-compliance. Extant literature has explored theories like neutralization, deterrence, theory of planned behavior, rational choice theory, affective events theory, and work-related events as an outcome of neutralization, and organizational injustice, to explain cognitive reactions. The research model was empirically tested using the data collected from 115 participants who participated in a scenario-based survey. The results showed that negative affect has a significantly positive impact on employees’ attitude and ISP non-compliance behavior. Distributive, informational and interpersonal injustices were also found to influence ISP non-compliance in a significant but negative direction. The study contributes to both theory for IS research and practice for organizational management of security policies.