Theses and Dissertations - UTB/UTPA

Date of Award


Document Type


Degree Name

Doctor of Philosophy (PhD)


Computer Information Systems

First Advisor

Dr. Punit Ahluwalia

Second Advisor

Dr. Francis Kofi Andoh-Baidoo

Third Advisor

Dr. Jun Sun


Employees’ non-compliance with information systems security policies has been identified as a major threat to organizational data and information systems. This dissertation investigates the process underlying information systems security compliance in organizations with the focus on employees. The process model is complex, comprising many normative, attitudinal, psychological, environmental, and organizational factors. Therefore, the study of information security compliance requires a holistic assessment of all these factors. This dissertation seeks to achieve this objective by offering a comprehensive and integrated model of employee behavior especially focused towards information security compliance. The research framework is influenced by the Reciprocal Determinism Theory which explains individuals psycho-social functioning in terms of triadic reciprocal causation. Several theories explain the role of various factors forming the intellectual puzzle. These are: General Deterrence Theory, Social-Exchange Theory, Social Learning Theory, Expectation-Disconfirmation Theory, Rational Choice Theory, Cognitive Dissonance Theory, Reactance Theory, and Status-Quo Bias Theory. This dissertation makes several significant contributions to literature and to practitioners. Several new factors that influence compliance decisions by employees have been proposed, namely task dissonance, self-policing, word-of-mouth, and habit. For the first time, top management support has been examined as a multi-dimensional construct which provides a better understanding of the phenomenon. Also for the first time, this dissertation constructs a process model to examine the interactions between punishment severity and certainty and top management support and normative factors. It also investigates the interactions between normative and psychological factors, namely resistance and self-policing on information security compliance. This dissertation emphasizes that the practitioners should consider all the relevant factors in order to manage the information security compliance problem. Therefore, it is more useful to think in terms of establishing a security culture that embodies all the relevant factors prevalent in an organization. The dissertation is guided by positivist paradigm. Hypotheses are tested and validated using established quantitative approaches, namely data collection using survey and structural equation modeling. Major findings were derived and most of the dissertation’s hypotheses were supported. The findings are discussed, and the conclusions, significant theoretical and practical implications of the findings, limitations, and recommendations for future research are presented.


Copyright 2014 Mohammad I. Merhi. All Rights Reserved.

Granting Institution

University of Texas-Pan American