You are here: Home Contents V11 N3 V11N3_Aurigemma.html
Personal tools

The Influence of Employee Affective Organizational Commitment on Security Policy Attitudes and Compliance Intentions



Full text

Journal of Information System Security
Volume 11, Number 3 (2015)
Pages 201222
ISSN 1551-0123
Salvatore Aurigemma — University of Tulsa, USA
Lori Leonard — University of Tulsa, USA
Information Institute Publishing, Washington DC, USA




Higher levels of employee organizational commitment, especially affective organizational commitment, have long been known to bring many benefits to the firm. Previous behavioral information security research confirmed a direct relationship between organizational commitment and employee information security policy (ISP) compliance intent, but did not explore the influence of affective organizational commitment on employee attitudes towards security behaviors; employee attitudes towards security behaviors are influential predictors of behavioral compliance intent. This paper looks more closely at the relationships between affective organizational commitment and ISP compliance attitudes and behavioral intent at a large United States governmental organization. This study found that affective organizational commitment has a significant effect on employees’ ISP compliance intentions both directly and through their attitude towards security behaviors. Additionally, employee perceptions of security policy compliance benefits and costs of non-compliance were significant contributors to favorable security attitudes, but perceptions of the cost of compliance was not.




Non-malicious Insider, Information Security Policy, Affective Organizational Commitment, Behavioral Intent, Planned Behavior, Rational Choice, Attitude




Ajzen, I. (1991). The Theory of Planned Behavior. Organizational behavior and human decision processes 50(2), 179-211.

Ajzen, I. (2001). Nature and Operation of Attitudes. Annual review of psychology 52(1), 27-58.

Allen, N. J. and Meyer, J. P. (1990.) The Measurement and Antecedents of Affective, Continuance and Normative Commitment to the Organization. Journal of occupational psychology 63(1), 1-18.

Aurigemma, S. (2013). A Composite Framework for Behavioral Compliance with Information Security Policies. Journal of Organizational and End User Computing 25(3), 20.

Barlow, J. B., et al. (2013). Don't Make Excuses! Discouraging Neutralization to Reduce It Policy Violation. Computers & Security 39, 145-159.

Barrett, P. (2007). Structural Equation Modelling: Adjudging Model Fit. Personality and Individual differences 42(5), 815-824.

Beck, K. and Wilson, C. (2000). Development of Affective Organizational Commitment: A Cross-Sequential Examination of Change with Tenure. Journal of Vocational Behavior 56(1), 114-136.

Bollen, K. A. and Stine, R. A. (1992). Bootstrapping Goodness-of-Fit Measures in Structural Equation Models. Sociological Methods & Research 21(2), 205-229.

Brackney, R. and Anderson, R. H. (2004). Understanding the Insider Threat. RAND Corporation.

Bulgurcu, B., et al. (2010). Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness. MIS quarterly 34(3),

Byrne, B. M. (2001). Structural Equation Modeling with Amos, Eqs, and Lisrel: Comparative Approaches to Testing for the Factorial Validity of a Measuring Instrument. International Journal of Testing 1(1), 55-86.

Chin, W. W. (1998). Commentary: Issues and Opinion on Structural Equation Modeling. JSTOR.

Cole, E. (2015). Insider Threats and the Need for Fast and Directed Response. SANS Institute, pp 1-23.

Crossler, R. E., et al. (2013). Future Directions for Behavioral Information Security Research. Computers & security 32, 90-101.

Dillman, D. A., et al. (2014). Internet, Phone, Mail, and Mixed-Mode Surveys: The Tailored Design Method. John Wiley & Sons, Hoboken, NJ.

Dinev, T. and Hu, Q. (2007). The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies. Journal of the Association for Information Systems 8(7),

Diver, S. (2006). Information Security Policy - a Development Guide for Large and Small Companies. SANS Institute, p 43.

Fornell, C. and Larcker, D. F. (1981). Evaluating Structural Equation Models with Unobservable Variables and Measurement Error. Journal of Marketing Research (JMR) 18(1),

Gefen, D., et al. (2011). An Update and Extension to Sem Guidelines for Admnistrative and Social Science Research. Management Information Systems Quarterly 35(2), iii-xiv.

Hair, J., et al. (2010). Multivariate Data Analysis a Global Perspective, Prentice Hall. Upper Saddle River, NJ,

Heck, R. H. (1998). Factor Analysis: Exploratory and Confirmatory Approaches. Modern methods for business research, 177-215.

Herath, T. and Rao, H. R. (2009). Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations. European Journal of Information Systems 18(2), 106-125.

Hu, L. and Bentler, P. M. (1998). Fit Indices in Covariance Structure Modeling: Sensitivity to Underparameterized Model Misspecification. Psychological methods 3(4), 424.

Hu, L. and Bentler, P. M. (1999). Cutoff Criteria for Fit Indexes in Covariance Structure Analysis: Conventional Criteria Versus New Alternatives. Structural Equation Modeling: A Multidisciplinary Journal 6(1), 1-55.

Hu, Q., et al. (2012). Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture*. Decision Sciences 43(4), 615-660.

Jarvis, C. B., et al. (2003). A Critical Review of Construct Indicators and Measurement Model Misspecification in Marketing and Consumer Research. Journal of Consumer Research 30(2), 199-218.

Jöreskog, K. G. and Sörbom, D. (1989). Lisrel 7: A Guide to the Program and Applications. Spss Chicago.

Katzell, R. A. and Austin, J. T. (1992). From Then to Now: The Development of Industrial-Organizational Psychology in the United States. Journal of Applied Psychology 77(6), 803.

Kline, R. B. (2011). Principles and Practice of Structural Equation Modeling. Guilford press.

Korsgaard, M. A. and Roberson, L, (1995), Procedural Justice in Performance Evaluation: The Role of Instrumental and Non-Instrumental Voice in Performance Appraisal Discussions. Journal of Management 21(4), 657-669.

Lance, C. E., et al. (2006). The Sources of Four Commonly Reported Cutoff Criteria What Did They Really Say? Organizational research methods 9(2), 202-220.

Liou, K. T. (1995). Professional Orientation and Organizational Commitment among Public Employees: An Empirical Study of Detention Workers. Journal of Public Administration Research and Theory 5(2), 231-246.

Marsh, H. W., et al. (2004). In Search of Golden Rules: Comment on Hypothesis-Testing Approaches to Setting Cutoff Values for Fit Indexes and Dangers in Overgeneralizing Hu and Bentler's (1999) Findings. Structural Equation Modeling 11(3), 320-341.

Mathieu, J. E. and Zajac, D. M. (1990.) A Review and Meta-Analysis of the Antecedents, Correlates, and Consequences of Organizational Commitment. Psychological bulletin 108(2), 171.

Meyer, J. P. and Allen, N. J. (1997). Commitment in the Workplace. Theory, Research and Application, Sage Publications, Inc., London,

Meyer, J. P. and Allen, N. J. (1984). Testing the" Side-Bet Theory" of Organizational Commitment: Some Methodological Considerations. Journal of applied psychology 69(3), 372.

Meyer, J. P. and Allen, N. J. (1991). A Three-Component Conceptualization of Organizational Commitment. Human resource management review 1(1), 61-89.

Meye,r J. P., et al. (2002). Affective, Continuance, and Normative Commitment to the Organization: A Meta-Analysis of Antecedents, Correlates, and Consequences. Journal of vocational behavior 61(1), 20-52.

Mossholder, K. W., et al. (1998.) Relationships between Bases of Power and Work Reactions: The Mediational Role of Procedural Justice. Journal of Management 24(4), 533-552.

Mowday, R. T., et al. (1982). Employee-Organization Linkage: The Psychology of Commitment Absenteism, and Turn Over. Academic Press Inc., London.

Mowday, R. T., et al. (1979). The Measurement of Organizational Commitment. Journal of vocational behavior 14(2), 224-247.

Ng, T. W., et al. (2010). Psychological Contract Breaches, Organizational Commitment, and Innovation-Related Behaviors: A Latent Growth Modeling Approach. Journal of Applied Psychology 95(4), 744.

O'Driscoll, M. P. (1987.) Attitudes to the Job and the Organisation among New Recruits: Influence of Perceived Job Characteristics and Organisational Structure. Applied Psychology 36(2), 133-145.

Panko, R. (2010). Corporate Computer and Network Security. Prentice-Hall, Englewood Cliffs, NJ.

Perry, J. L. (1997). Antecedents of Public Service Motivation. Journal of public administration research and theory 7(2), 181-197.

Petter, S., et al. (2007). Specifying Formative Constructs in Information Systems Research. MIS Quarterly, 623-656.

Ping, Jr. R. A. (1996). Latent Variable Interaction and Quadratic Effect Estimation: A Two-Step Technique Using Structural Equation Analysis. Psychological Bulletin 119(1), 166-175.

Podsakoff, P. M., et al. (2003). Common Method Biases in Behavioral Research: A Critical Review of the Literature and Recommended Remedies. Journal of applied psychology 88(5), 879.

Porter, L. W., et al. (1974). Organizational Commitment, Job Satisfaction, and Turnover among Psychiatric Technicians. Journal of applied psychology 59(5), 603.

Raykov, T. and Marcoulides, G.A. (2006). A First Course in Structural Equation Modeling. Lawrence Erlbaum, Mahwah, NY.

Riketta, M. (2002). Attitudinal Organizational Commitment and Job Performance: A Meta‐Analysis. Journal of Organizational Behavior 23(3), 257-266.

Simon, H. A. (1955). A Behavioral Model of Rational Choice. The quarterly journal of economics 69(1), 99-118.

Siponen, M., et al. (2014). Employees’ Adherence to Information Security Policies: An Exploratory Field Study. Information & Management 51(2), 217-224.

Stanton, J. M., et al. (2004). Behavioral Information Security: Two End User Survey Studies of Motivation and Security Practices. In 10th Americas Conference on Information Systems, AMCIS 2004, New York, NY, USA, August 6-8, 2004, p 175.

Taylor, S. and Todd, P. A. (1995). Understanding Information Technology Usage: A Test of Competing Models. Information Systems Research 6(2), 144-176.

Theoharidou, M., et al. (2005). The Insider Threat to Information Systems and the Effectiveness of Iso17799. Computers & Security 24(6), 472-484.

Vance, A. and Siponen, M. T. (2012). Is Security Policy Violations: A Rational Choice Perspective. Journal of Organizational and End User Computing (JOEUC) 24(1), 21-41.

Verizon, (2015). 2015 Data Breach Investigation Report. pp 1-65.

Wiener, Y. (1982). Commitment in Organizations: A Normative View. Academy of Management Review 7(3), 418-428.

Williams, L. J, and Anderson, S. E. (1991). Job Satisfaction and Organizational Commitment as Predictors of Organizational Citizenship and in-Role Behaviors. Journal of Management 17(3), 601-617.

Willison, R. and Warkentin, M, (2013), Beyond Deterrence: An Expanded View of Employee Computer Abuse. MIS Quarterly 37(1).

Workman, M., et al. (2008.) Security Lapses and the Omission of Information Security Measures: A Threat Control Model and Empirical Test. Computers in Human Behavior 24(6), 2799-2816.
Zhang, J., et al. (2009). Impact of Perceived Technical Protection on Security Behaviors. Information Management & Computer Security 17(4), 330-340.