What goes around comes around: an in-depth analysis of how respondents interpret ISP non-/compliance questionnaire items
Örebro University, Örebro University School of Business. Department of Informatics. ORCID iD: 0000-0003-0658-4548
Örebro University, Örebro University School of Business. Department of Informatics. ORCID iD: 0000-0002-5270-1517
Örebro University, Örebro University School of Business. Department of Informatics. ORCID iD: 0000-0002-3713-346X
2024 (English). In: Information and Computer Security, E-ISSN 2056-4961, Vol. 32, no 4, p. 459-476. Article in journal (Refereed). Published
Abstract [en]

Purpose: Research on employee non-/compliance to information security policies suffers from inconsistent results and there is an ongoing discussion about the dominating survey research methodology and its potential effect on these results. This study aims to add to this discussion by investigating discrepancies between what the authors claim to measure (theoretical properties of variables) and what they actually measure (respondents' interpretations of the operationalized variables). This study asks: How well do respondents' interpretations of variables correspond to their theoretical definitions? What are the characteristics of any discrepancies between variable definitions and respondent interpretations?

Design/methodology/approach: This study is based on in-depth interviews with 17 respondents from the Swedish public sector to understand how they interpret questionnaire measurement items operationalizing the variables Perceived Severity from Protection Motivation Theory and Attitude from Theory of Planned Behavior.

Findings: The authors found that respondents' interpretations in many cases differ substantially from the theoretical definitions. Overall, the authors found four principal ways in which respondents interpreted measurement items - referred to as property contextualization, extension, alteration and oscillation - each implying more or less (dis)alignment with the intended theoretical properties of the two variables examined.

Originality/value: The qualitative method used proved vital to better understand respondents' interpretations which, in turn, is key for improving self-reporting measurement instruments. To the best of the authors' knowledge, this study is a first step toward understanding how precise and uniform definitions of variables' theoretical properties can be operationalized into effective measurement items.

Place, publisher, year, edition, pages
Emerald Group Publishing Limited, 2024. Vol. 32, no 4, p. 459-476
Keywords [en]
Information security policy, Non-/compliance research, Validation of measurement instruments, Protection motivation theory, PMT, Theory of planned behavior, TPB
National Category
Information Systems, Social aspects
Identifiers
URN: urn:nbn:se:oru:diva-113439; DOI: 10.1108/ICS-12-2023-0240; ISI: 001207334600001; Scopus ID: 2-s2.0-85191325704; OAI: oai:DiVA.org:oru-113439; DiVA, id: diva2:1855246
Available from: 2024-04-30 Created: 2024-04-30 Last updated: 2025-09-19. Bibliographically approved
In thesis
1. Good Variable Practice: Addressing inconsistencies in non-/compliance research using a sequential multi-method approach
2025 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

This thesis examines research on employees’ behavior toward information security policies (ISPs), commonly studied under the concept of non-/compliance. While extensive research has expanded knowledge in this field, recent reviews highlight inconsistent and contradictory research findings. These inconsistencies are often attributed to contextual moderators, but this explanation is only partial. This thesis offers a complementary perspective by focusing on definitions and measurements of variables commonly used in research.

Using a sequential multi-method approach, including a traditional survey, a literature review, interviews, and a survey experiment, this thesis demonstrates that non-/compliance research suffers from widespread inconsistencies/unclarities in defining and measuring key variables, both within and across studies. The thesis also finds that these inconsistencies/unclarities may contribute to differences in research results.

These identified inconsistencies in variable definitions and measurements are not only of theoretical concern (in terms of theoretical specificity) but may also have significant empirical consequences insofar as they may influence research findings. Based on this, this thesis contributes to the extant literature by suggesting a research agenda specifying 12 considerations for research design that future researchers should consider in order to improve theoretical development in the field, minimize the impact of inconsistent variable definitions and measurements on research results, and, most importantly, enhance our understanding of ISP non-/compliance phenomena.

Place, publisher, year, edition, pages
Örebro: Örebro University, 2025. p. 122
Series
Örebro Studies in Informatics ; 25
Keywords
Information Systems, Information Security, Behavioral Information Security, Compliance, Non-compliance, Information Security Policies, PMT, TPB, UMISPC, Good Variable Practice
National Category
Information Systems, Social aspects
Identifiers
urn:nbn:se:oru:diva-123107 (URN); 9789175296944 (ISBN); 9789175296951 (ISBN)
Public defence
2025-10-16, Örebro universitet, Forumhuset, Hörsal F, Fakultetsgatan 1, Örebro, 13:15 (English)
Available from: 2025-08-27 Created: 2025-08-27 Last updated: 2025-09-30. Bibliographically approved

Authority records

Gerdin, Marcus; Kolkowska, Ella; Grönlund, Åke