Conceptual inconsistencies in variable definitions and measurement items within ISP non-/compliance research: A systematic literature review
Örebro University, Örebro University School of Business. ORCID iD: 0000-0003-0658-4548
Örebro University, Örebro University School of Business. ORCID iD: 0000-0002-3713-346X
Örebro University, Örebro University School of Business. ORCID iD: 0000-0002-5270-1517
2025 (English). In: Computers & Security, ISSN 0167-4048, E-ISSN 1872-6208, Vol. 152, article id 104365. Article, review/survey (Refereed). Published
Abstract [en]

The rich stream of research focusing on employee non-/compliance with information security policies (ISPs) suffers from inconsistent results. Attempts to explain such inconsistencies have included investigation of possible contextual moderating factors. Another promising, yet not systematically investigated, explanation concerns conceptual inconsistencies in variable definitions and in questionnaire measurement items. Based on a systematic literature review covering 36 ISP non-/compliance articles using Protection Motivation Theory (PMT) and/or Theory of Planned Behavior (TPB), we found four major types of conceptual inconsistencies and unclarities within and across studies: (i) inconsistencies in variable definitions; (ii) inconsistencies between variable measurement items; (iii) inconsistencies between variable definitions and measurement items; and (iv) unclearly/vaguely worded measurement items. The review contributes to the field by demonstrating that the inconsistent results in the field may not only be due to unknown contextual moderators, but also to conceptual incongruences within and across studies.

Place, publisher, year, edition, pages
Elsevier, 2025. Vol. 152, article id 104365
Keywords [en]
Information security policy, Protection motivation theory, Theory of planned behavior, Variable properties, Non-compliance
National Category
Information Systems, Social aspects
Identifiers
URN: urn:nbn:se:oru:diva-119696; DOI: 10.1016/j.cose.2025.104365; ISI: 001428697400001; Scopus ID: 2-s2.0-85217911678; OAI: oai:DiVA.org:oru-119696; DiVA, id: diva2:1944836
Available from: 2025-03-17 Created: 2025-03-17 Last updated: 2025-09-19 Bibliographically approved
In thesis
1. Good Variable Practice: Addressing inconsistencies in non-/compliance research using a sequential multi-method approach
2025 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

This thesis examines research on employees’ behavior toward information security policies (ISPs), commonly studied under the concept of non-/compliance. While extensive research has expanded knowledge in this field, recent reviews highlight inconsistent and contradictory research findings. These inconsistencies are often attributed to contextual moderators, but this explanation is only partial. This thesis offers a complementary perspective by focusing on definitions and measurements of variables commonly used in research.

Using a sequential multi-method approach, including a traditional survey, a literature review, interviews, and a survey experiment, this thesis demonstrates that non-/compliance research suffers from widespread inconsistencies/unclarities in defining and measuring key variables, both within and across studies. The thesis also finds that these inconsistencies/unclarities may contribute to differences in research results.

These identified inconsistencies in variable definitions and measurements are not only of theoretical concern (in terms of theoretical specificity) but may also have significant empirical consequences insofar as they may influence research findings. Based on this, this thesis contributes to the extant literature by suggesting a research agenda specifying 12 considerations for research design that future researchers should consider in order to improve theoretical development in the field, minimize the impact of inconsistent variable definitions and measurements on research results, and, most importantly, enhance our understanding of ISP non-/compliance phenomena.

Place, publisher, year, edition, pages
Örebro: Örebro University, 2025. p. 122
Series
Örebro Studies in Informatics ; 25
Keywords
Information Systems, Information Security, Behavioral Information Security, Compliance, Non-compliance, Information Security Policies, PMT, TPB, UMISPC, Good Variable Practice
National Category
Information Systems, Social aspects
Identifiers
urn:nbn:se:oru:diva-123107 (URN); 9789175296944 (ISBN); 9789175296951 (ISBN)
Public defence
2025-10-16, Örebro universitet, Forumhuset, Hörsal F, Fakultetsgatan 1, Örebro, 13:15 (English)
Opponent
Supervisors
Available from: 2025-08-27 Created: 2025-08-27 Last updated: 2025-09-30 Bibliographically approved

Open Access in DiVA

No full text in DiVA

Authority records

Gerdin, Marcus; Grönlund, Åke; Kolkowska, Ella
