Using Cognitive Dissonance Theory to Explain Information Security Policy Violations

The use of sanctions has long been advocated to enforce information security policy (ISP) compliance to control malicious and non-malicious insider threat. The ISP literature is largely based on deterrence theory. However, findings are inconsistent and deterrence has not been a strong predictor especially when non-compliant behavior is the focus of the study. To better explain this phenomenon, scholars have integrated theories and introduced additional constructs. By integrating cognitive dissonance and extended deterrence theory, this study seeks to examine the moderating effect of the personality trait of inertia on the relationship between formal and informal sanctions with ISP non-compliance. More specifically, the focus of this study is on investigating the factors that impact non-compliance of insiders (employees). \ \ This paper revisits the role of formal and informal sanctions in ISP compliance literature through the lens of cognitive dissonance theory. Although certainty of getting caught as well as the severity and swiftness of penalties for engage in policy violating behavior along with subjective norm and their peer behavior have a negative effect on employees’ intention to show non-compliance behavior, inertia will strengthen this relationship. \ \ To test the research hypotheses, we plan to use a scenario-based survey instrument for data collection following by Partial Least Squares (PLS) method using Smart PLS 3.0 for data analysis. The survey instrument will be created with items extracted from extant literature and the scenarios will be chosen from unauthorized access to computerized data. \ \ This study has a number of theoretical and practical implications. It contributes to ISP compliance body of knowledge by its novel theoretical approach such that individuals utilize a cognitive process to justify the inconsistency between their prior thought and the subsequent action (inertia). To the authors’ knowledge, cognitive dissonance theory has never been used in ISP compliance literature. Moreover, examining the moderating effect of inertia can shed light on the long standing debate regarding the effectiveness of deterrence on compliance. From a practical standpoint, the result of our study can help in designing training and information intervention programs for employees who are in inertia state and driving them toward attitude and behavior change.