Summary: | <p>Information system security literature has primarily focused on cognitive processes and their impact on information security policy noncompliance behavior. Specific cognitive theories that have been applied include planned behavior, rational choice, deterrence, neutralization, and protection motivation. However, affective processes may better determine misuse or information security policy noncompliance than cognitive processes.</p>
<p>The purpose of this dissertation is to evaluate the impact of affective absorption (i.e. the trait or disposition to become deeply involved with ones emotions) and affective flow (i.e. a state of deep involvement with ones emotions) on cognitive processes in the context of attitude toward and compliance with information security policies. In essence, individuals with high levels of negative affective absorption may be more prone to experience negative affective flow which may lead to deviant behavior such as misuse of organizational information or noncompliance with information security policy.</p>
<p>The proposed conceptual model is evaluated using the classical experimental design through a laboratory experiment. A preliminary investigation (e.g. expert panel
reviews, pre-test, and pilot studies) is conducted to ensure measurement validity. During the main investigation, the proposed model and hypotheses are tested. Driven by theory, an alternative model is proposed and tested.</p>
<p>The findings of this study underscore the need for understanding affective processes with regard to information security policy compliance behavior. By evaluating both cognitive and affective processes, we gain a more holistic understanding pertaining to information security decision making. This study contributes to information systems security literature by introducing two new constructs, affective absorption and affective flow. In addition, it asserts the need to capture actual behavior in information security research. The findings also contribute to practice by indicating that organizations should (1) include affect in their security, education, training, and awareness programs, (2) focus on eliminating frustrating tasks or reducing frustration caused by these tasks, and (3) induce positive affect through monitoring employee affect levels, identifying areas that need correction, and quickly responding to issues prior to deviance.</p>
|