{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T19:04:53Z","timestamp":1774551893102,"version":"3.50.1"},"reference-count":86,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2017,7,10]],"date-time":"2017-07-10T00:00:00Z","timestamp":1499644800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,7,10]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>A survey was developed using two sets of items to measure compliance. The survey was sent to 600 white-collar workers and analysed through ordinary least squares.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The results suggest that when using the value-monistic measure, employees\u2019 compliance was a function of employees\u2019 intentions to comply, their self-efficacy and awareness of information security policies. In addition, compliance was not related to the occurrence of conflicts between information security and other organisational imperatives. However, when the dependent variable was changed to a value-pluralistic measure, the results suggest that employees\u2019 compliance was, to a great extent, a function of the occurrence of conflicts between information security and other organisational imperatives, indirect conflicts with other organisational values.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>The results are based on small survey; yet, the findings are interesting and justify further investigation. The results suggest that relevant organisational imperatives and value systems, along with information security values, should be included in measures for employees\u2019 compliance with information security policies.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>Practitioners and researchers should be aware that there is a difference in measuring employees\u2019 compliance using value monistic and value pluralism measurements.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>Few studies exist that critically compare the two different compliance measures for the same population.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/ics-11-2016-0084","type":"journal-article","created":{"date-parts":[[2017,5,24]],"date-time":"2017-05-24T07:32:02Z","timestamp":1495611122000},"page":"279-299","source":"Crossref","is-referenced-by-count":29,"title":["Measuring employees\u2019 compliance \u2013 the importance of value pluralism"],"prefix":"10.1108","volume":"25","author":[{"given":"Fredrik","family":"Karlsson","sequence":"first","affiliation":[]},{"given":"Martin","family":"Karlsson","sequence":"additional","affiliation":[]},{"given":"Joachim","family":"\u00c5str\u00f6m","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"key":"key2020120620392042400_ref001","doi-asserted-by":"crossref","first-page":"326","DOI":"10.1177\/000765039903800305","article-title":"Understanding research on values in business: a level of analysis framework","volume":"38","year":"1999","journal-title":"Business & Society"},{"key":"key2020120620392042400_ref002","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1016\/j.cose.2006.11.004","article-title":"A qualitative study of user\u2019s view on information security","volume":"26","year":"2007","journal-title":"Computers & Security"},{"key":"key2020120620392042400_ref003","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1108\/09593840510584612","article-title":"Value conflicts in enterprise systems","volume":"18","year":"2005","journal-title":"Information Technology & People"},{"key":"key2020120620392042400_ref004","first-page":"216","article-title":"A ladder of citizen participation","volume":"35","year":"1969","journal-title":"Journal of the American Planning Association"},{"key":"key2020120620392042400_ref005","article-title":"Do it OR ELSE! Exploring the effectiveness of deterrence on employee compliance with information security policies","year":"2014"},{"key":"key2020120620392042400_ref006","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1016\/j.cose.2013.05.006","article-title":"Don\u2019t make excuses! discouraging neutralization to reduce IT policy violation","volume":"39","year":"2013","journal-title":"Computer & Security"},{"key":"key2020120620392042400_ref007","volume-title":"Liberty","year":"2002"},{"key":"key2020120620392042400_ref008","article-title":"Religiosity and information security policy compliance","year":"2013"},{"key":"key2020120620392042400_ref009","first-page":"476","article-title":"Effects of individual and organization based beliefs and the moderating role of work experience on insiders\u2019 good security behaviors","year":"2009"},{"key":"key2020120620392042400_ref010","article-title":"Roles of information security awareness and perceived fairness in information security policy compliance","year":"2009"},{"key":"key2020120620392042400_ref011","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2020120620392042400_ref012","first-page":"39","article-title":"Emotional intelligence coping and psychological distress: a partial least square approach to developing a predictive model","volume":"3","year":"2007","journal-title":"Electronic Journal of Applied Psychology"},{"key":"key2020120620392042400_ref013","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1080\/15536548.2005.10855772","article-title":"Perceptions of information security in the workplace: linking information security climate to compliant behavior","volume":"1","year":"2005","journal-title":"Journal of Information Privacy & Security"},{"key":"key2020120620392042400_ref014","volume-title":"Cisco 2014 Annual Security Report","author":"Cisco","year":"2014"},{"key":"key2020120620392042400_ref015","volume-title":"Research Design: Qualitative, Quantitative, and Mixed Methods Approaches","year":"2003"},{"key":"key2020120620392042400_ref016","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.cose.2012.09.010","article-title":"Future directions for behavioral information security research","volume":"32","year":"2013","journal-title":"Computers & Security"},{"key":"key2020120620392042400_ref017","doi-asserted-by":"crossref","first-page":"1091","DOI":"10.1111\/j.1540-5915.2012.00383.x","article-title":"Employee misuse of information technology resources: testing a contemporary deterrence model","volume":"43","year":"2012","journal-title":"Decision Sciences Journal"},{"key":"key2020120620392042400_ref018","doi-asserted-by":"crossref","first-page":"293","DOI":"10.1111\/j.1365-2575.2006.00219.x","article-title":"Value-focused assessment of information security in organizations","volume":"16","year":"2006","journal-title":"Information Systems Journal"},{"key":"key2020120620392042400_ref019","volume-title":"ENISA Threat Landscape 2014: Overview of Current and Emerging Cyber-threats","author":"ENISA","year":"2014"},{"key":"key2020120620392042400_ref020","volume-title":"Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace","author":"European Commission","year":"2013"},{"key":"key2020120620392042400_ref021","article-title":"alue sensitive design and information systems","volume-title":"Human-Computer Interaction in Management Information Systems: Applications","year":"2006"},{"key":"key2020120620392042400_ref022","doi-asserted-by":"crossref","first-page":"286","DOI":"10.1109\/TPC.2014.2374011","article-title":"A path to successful management of employee security compliance: an empirical study of information security climate","volume":"57","year":"2014","journal-title":"IEEE Transactions on Professional Communication"},{"key":"key2020120620392042400_ref023","article-title":"The values of IT in elderly care","volume":"1","year":"2007","journal-title":"Information Technology & People"},{"key":"key2020120620392042400_ref024","first-page":"43","article-title":"Using actor network theory to understand information security management","volume-title":"Security and Privacy \u2013 Silver Linings in the Cloud","year":"2010"},{"key":"key2020120620392042400_ref025","doi-asserted-by":"crossref","first-page":"266","DOI":"10.1108\/IMCS-08-2012-0043","article-title":"Social action theory for understanding information security non-compliance in hospitals: the importance of user rationale","volume":"21","year":"2013","journal-title":"Information Management & Computer Security"},{"key":"key2020120620392042400_ref026","doi-asserted-by":"crossref","first-page":"373","DOI":"10.1016\/j.jsis.2011.06.001","article-title":"Value conflicts for information security management","volume":"20","year":"2011","journal-title":"Journal of Strategic Information Systems"},{"key":"key2020120620392042400_ref027","doi-asserted-by":"crossref","first-page":"154","DOI":"10.1016\/j.dss.2009.02.005","article-title":"Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness","volume":"47","year":"2009","journal-title":"Decision Support Systems"},{"key":"key2020120620392042400_ref028","doi-asserted-by":"crossref","first-page":"106","DOI":"10.1057\/ejis.2009.6","article-title":"Protection motivation and deterrence: a framework for security policy compliance in organisations","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"key":"key2020120620392042400_ref029","doi-asserted-by":"crossref","first-page":"499","DOI":"10.1002\/9780470173404.ch23","article-title":"The causes and consequences of response rates in surveys by the news media and government contractor survey research firms","volume-title":"Advances in Telephone Survey Methodology","year":"2007"},{"key":"key2020120620392042400_ref030","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1016\/j.im.2011.12.005","article-title":"Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the US and South Korea","volume":"49","year":"2012","journal-title":"Information & Management"},{"key":"key2020120620392042400_ref032","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1080\/07421222.2014.1001255","article-title":"The role of self-control in information security violations: insights from a cognitive neuroscience perspective","volume":"31","year":"2015","journal-title":"Journal of Management Information Systems"},{"key":"key2020120620392042400_ref031","doi-asserted-by":"crossref","first-page":"615","DOI":"10.1111\/j.1540-5915.2012.00361.x","article-title":"Managing employee compliance with information security policies: the critical role of top management and organizational culture","volume":"43","year":"2012","journal-title":"Decision Sciences Journal"},{"key":"key2020120620392042400_ref033","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1145\/1953122.1953142","article-title":"Does deterrence work in reducing information security policy abuse by employees?","volume":"54","year":"2011","journal-title":"Communication of the ACM"},{"key":"key2020120620392042400_ref034","first-page":"30","article-title":"Exploring user\u2019s compliance behavior towards health information system security policies based on extended health belief model","year":"2014"},{"key":"key2020120620392042400_ref035","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1016\/j.im.2013.10.001","article-title":"Information systems security policy compliance: an empirical study of the effects of socialisation, influence, and cognition","volume":"51","year":"2014","journal-title":"Information & Management"},{"key":"key2020120620392042400_ref036","doi-asserted-by":"crossref","first-page":"30","DOI":"10.1080\/10580530.2015.1117868","article-title":"Critical times for organizations: what should be done to curb workers\u2019 noncompliance with IS security policy guidelines?","volume":"33","year":"2016","journal-title":"Information Systems Management"},{"key":"key2020120620392042400_ref037","volume-title":"Net Losses: Estimating the Global Cost of Cybercrime","author":"Intel Security","year":"2014"},{"key":"key2020120620392042400_ref038","doi-asserted-by":"crossref","first-page":"706","DOI":"10.1111\/j.1540-5907.2006.00211.x","article-title":"Value choices and American public opinion","volume":"50","year":"2006","journal-title":"American Journal of Political Science"},{"key":"key2020120620392042400_ref039","doi-asserted-by":"crossref","first-page":"549","DOI":"10.2307\/25750691","article-title":"Fear appeals and information security behaviors: an empirical study","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2020120620392042400_ref040","first-page":"113","article-title":"An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric","volume":"39","year":"2016","journal-title":"MIS Quarterly"},{"key":"key2020120620392042400_ref041","article-title":"Reigning in the remote employee: applying social learning theory to explain information security policy compliance attitudes","year":"2010"},{"key":"key2020120620392042400_ref042","article-title":"Information security policy compliance: an empirical study on escalation of commitment","year":"2013"},{"key":"key2020120620392042400_ref043","unstructured":"Karjalainen, M. (2011), \u201cImproving employees\u2019 \ninformation systems (IS) security behavior \u2013 Toward a meta-theory of IS security training and a new framework for understanding employees\u201d \nIS security behavior\u201d, \nPhD, University of Oulu, Oulu."},{"key":"key2020120620392042400_ref044","doi-asserted-by":"crossref","first-page":"300","DOI":"10.1057\/ejis.2009.20","article-title":"Exploring agile values in method configuration","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"key":"key2020120620392042400_ref045","doi-asserted-by":"crossref","first-page":"246","DOI":"10.1108\/ICS-05-2014-0033","article-title":"Information security culture \u2013 state-of-the-art review between 2000 and 2013","volume":"23","year":"2015","journal-title":"Information Management & Computer Security"},{"key":"key2020120620392042400_ref046","first-page":"1","article-title":"An integrative behavioral model of information security policy compliance","volume":"2014","year":"2014","journal-title":"e Scientific World Journal"},{"key":"key2020120620392042400_ref047","first-page":"70","article-title":"Comply or die is dead: long live security-aware principal agents","year":"2013"},{"key":"key2020120620392042400_ref048","volume-title":"Computerization and Controversy, Second Edition: Value Conflicts and Social Choices","year":"1996"},{"key":"key2020120620392042400_ref049","unstructured":"Kolkowska, E. (2013), \u201cA method for analysing value \u2013 based compliance in information systems security\u201d, PhD, \u00d6rebro University, \u00d6rebro."},{"key":"key2020120620392042400_ref050","first-page":"339","article-title":"Analyzing value conflicts for a work-friendly ISS policy implementation","year":"2012"},{"key":"key2020120620392042400_ref052","article-title":"Understanding compliance with Internet use policy: an integrative model based on commandand-control and self-regulatory approaches","year":"2010"},{"key":"key2020120620392042400_ref051","article-title":"Understanding the compliance with the Internet use policy from a criminology perspective","year":"2009"},{"key":"key2020120620392042400_ref053","doi-asserted-by":"crossref","first-page":"635","DOI":"10.1016\/j.dss.2009.12.005","article-title":"Understanding compliance with internet use policy from the perspective of rational choice theory","volume":"48","year":"2010","journal-title":"Decision Support Systems"},{"key":"key2020120620392042400_ref054","doi-asserted-by":"crossref","first-page":"1865","DOI":"10.1287\/mnsc.1060.0597","article-title":"Common method variance in IS research: a comparison of alternative approaches and a reanalysis of past research","volume":"52","year":"2006","journal-title":"Management Science"},{"key":"key2020120620392042400_ref055","first-page":"1","article-title":"The role of punishment and task dissonance in information security policies compliance","year":"2014"},{"key":"key2020120620392042400_ref056","doi-asserted-by":"crossref","first-page":"233","DOI":"10.1046\/j.1365-2575.2003.00143.x","article-title":"The paucity of multimethod research: a review of the information systems literature","volume":"13","year":"2003","journal-title":"Information Systems Journal"},{"key":"key2020120620392042400_ref057","article-title":"Information systems security governance research: a behavioral perspective","volume-title":"1st Annual Symposium on Information Assurance","year":"2006"},{"key":"key2020120620392042400_ref058","first-page":"155","article-title":"Investigating the factors influencing information security compliance in a financial service firm","year":"2013"},{"key":"key2020120620392042400_ref059","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1057\/ejis.2009.10","article-title":"What levels of moral reasoning and values explain adherence to information security rules? An empirical study","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"key":"key2020120620392042400_ref060","doi-asserted-by":"crossref","first-page":"545","DOI":"10.1080\/03610918508812458","article-title":"Comparison of prediction methods for multicollinearity data","volume":"14","year":"1985","journal-title":"Communications is Statistics, Simulation and Computations"},{"key":"key2020120620392042400_ref061","article-title":"Which factors explain employees\u2019 adherence to information security policies? An empirical study","year":"2007"},{"key":"key2020120620392042400_ref062","article-title":"Employees\u2019 behavior towards IS security policy compliance","year":"2007"},{"key":"key2020120620392042400_ref063","doi-asserted-by":"crossref","first-page":"117","DOI":"10.1177\/1555343415575152","article-title":"The influence of organizational information security culture on information security decision making","volume":"9","year":"2015","journal-title":"Journal of Cognitive Engineering and Decision Making"},{"key":"key2020120620392042400_ref064","doi-asserted-by":"crossref","first-page":"153","DOI":"10.1080\/07421222.2003.11045759","article-title":"Software piracy in the workplace: a model and empirical test","volume":"20","year":"2003","journal-title":"Journal of Management Information Systems"},{"key":"key2020120620392042400_ref065","volume-title":"Defending Yesterday \u2013 Key Findings from The Global State of Information Security Survey 2014","author":"Pwc","year":"2013"},{"key":"key2020120620392042400_ref066","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1109\/MSP.2011.157","article-title":"Blaming noncompliance is too convenient: what really causes information breaches?","volume":"10","year":"2012","journal-title":"IEEE Security & Privacy"},{"key":"key2020120620392042400_ref067","doi-asserted-by":"crossref","first-page":"296","DOI":"10.1108\/09685221211267666","article-title":"Health service employees and information security policies: an uneasy partnership?","volume":"20","year":"2012","journal-title":"Information Management & Computer Security"},{"key":"key2020120620392042400_ref068","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1016\/j.cose.2015.10.006","article-title":"Information security policy compliance model in organizations","volume":"56","year":"2016","journal-title":"Computers & Security"},{"key":"key2020120620392042400_ref069","article-title":"Value priorities and behavior: applying a theory of integrated value systems","volume-title":"The Psychology of Values: The Ontario Symposium","year":"1996"},{"key":"key2020120620392042400_ref070","doi-asserted-by":"crossref","first-page":"217","DOI":"10.1016\/j.im.2013.08.006","article-title":"Employees\u2019 adherence to information security policies: an exploratory field study","volume":"51","year":"2014","journal-title":"Information and Management"},{"key":"key2020120620392042400_ref073","doi-asserted-by":"crossref","first-page":"487","DOI":"10.2307\/25750688","article-title":"Neutralization: new insights into the problem of employee information systems security policy violations","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2020120620392042400_ref074","first-page":"289","article-title":"Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations","volume":"23","year":"2013","journal-title":"European Journal of Information Systems"},{"key":"key2020120620392042400_ref071","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1145\/1610252.1610289","article-title":"Are employees putting your company at risk by not following information security policies?","volume":"52","year":"2009","journal-title":"Communication of the ACM"},{"key":"key2020120620392042400_ref072","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MC.2010.35","article-title":"Compliance with information security policies: an empirical investigation","volume":"43","year":"2010","journal-title":"Computer"},{"key":"key2020120620392042400_ref075","article-title":"Social groupings and information security obedience within organizations","year":"2015"},{"key":"key2020120620392042400_ref076","article-title":"The sufficiency of the theory of planned behavior for explaining information security policy compliance","volume":"23","year":"2015","journal-title":"Information and Computer Security"},{"key":"key2020120620392042400_ref077","doi-asserted-by":"crossref","first-page":"507","DOI":"10.1080\/10841806.2001.11643542","article-title":"Value pluralism and its implications for american public administration","volume":"23","year":"2001","journal-title":"Administrative Theory & Praxis"},{"key":"key2020120620392042400_ref078","doi-asserted-by":"crossref","first-page":"124","DOI":"10.1016\/j.cose.2004.07.001","article-title":"Analysis of end user security behaviors","volume":"24","year":"2005","journal-title":"Computers & Security"},{"key":"key2020120620392042400_ref079","article-title":"Employee ISP compliance intentions: an empirical test of empowerment","year":"2015"},{"key":"key2020120620392042400_ref080","doi-asserted-by":"crossref","first-page":"53","DOI":"10.5116\/ijme.4dfb.8dfd","article-title":"Making sense of Cronbach\u2019s alpha","volume":"2","year":"2011","journal-title":"International Journal of Medical Education"},{"key":"key2020120620392042400_ref081","doi-asserted-by":"crossref","first-page":"819","DOI":"10.1037\/0022-3514.50.4.819","article-title":"A value pluralism model of ideological reasoning","volume":"50","year":"1986","journal-title":"Journal of Personality and Social Psychology"},{"key":"key2020120620392042400_ref082","volume-title":"Computer and Information Security Handbook","year":"2013"},{"key":"key2020120620392042400_ref083","doi-asserted-by":"crossref","first-page":"476","DOI":"10.1016\/j.cose.2009.10.005","article-title":"Information security culture: a management perspective","volume":"29","year":"2010","journal-title":"Computers & Security"},{"key":"key2020120620392042400_ref084","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1016\/j.im.2012.04.002","article-title":"Motivating IS security compliance: insights from habit and protection motivation theory","volume":"49","year":"2012","journal-title":"Information and Management"},{"key":"key2020120620392042400_ref085","article-title":"Control-related motivations and information security policy compliance: the effect of reflective and reactive autonomy","year":"2013"},{"key":"key2020120620392042400_ref086","doi-asserted-by":"crossref","first-page":"330","DOI":"10.1108\/09685220910993980","article-title":"Impact of perceived technical protection on security behaviors","volume":"17","year":"2009","journal-title":"Information Management & Computer Security"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2016-0084\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-11-2016-0084\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:23:18Z","timestamp":1753406598000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/3\/279-299\/105966"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,7,10]]},"references-count":86,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2017,7,10]]}},"alternative-id":["10.1108\/ICS-11-2016-0084"],"URL":"https:\/\/doi.org\/10.1108\/ics-11-2016-0084","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,7,10]]}}}