{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,19]],"date-time":"2026-03-19T05:31:20Z","timestamp":1773898280786,"version":"3.50.1"},"reference-count":68,"publisher":"Emerald","issue":"5","license":[{"start":{"date-parts":[[2018,7,17]],"date-time":"2018-07-17T00:00:00Z","timestamp":1531785600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ITP"],"published-print":{"date-parts":[[2018,9,4]]},"abstract":"<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title>\n<jats:p>Information security policies (ISPs) are used by organizations to communicate rules on the use of information systems (IS). Research studies show that compliance with the ISPs is not a straightforward issue and that several factors influence individual behavior toward ISP compliance, such as security awareness or individual perception of security threats. The purpose of this paper is to investigate the competencies associated with users\u2019 ISP compliance behavior.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title>\n<jats:p>In order to reveal the competencies that are associated with the users\u2019 ISP compliance behavior, the authors systematically analyze the ISP compliance literature and the authors develop an ISP compliance competency model. The authors then target to explore if IS users are equipped with these competencies; to do so, the authors analyze professional competence models from various industry sectors and compare the competencies that they include with the developed ISP compliance competencies.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Findings<\/jats:title>\n<jats:p>The authors identify the competencies associated with ISP compliance and the authors provide evidence on the lack of attention in information security responsibilities demonstrated in professional competence frameworks.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title>\n<jats:p>ISP compliance research has focused on identifying the antecedents of ISP compliance behavior. The authors offer an ISP compliance competency model and guide researchers in investigating the issue further by focusing on the professional competencies that are necessary for IS users.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title>\n<jats:p>The findings offer new contributions to practitioners by highlighting the lack of attention on the information security responsibilities demonstrated in professional competence frameworks. The paper also provides implications for the design of information security awareness programs and information security management systems in organizations.<\/jats:p>\n<\/jats:sec>\n<jats:sec>\n<jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title>\n<jats:p>To the best of the authors\u2019 knowledge, the paper is the first study that addresses ISP compliance behavior from a professional competence perspective.<\/jats:p>\n<\/jats:sec>","DOI":"10.1108\/itp-02-2017-0052","type":"journal-article","created":{"date-parts":[[2018,7,17]],"date-time":"2018-07-17T02:06:35Z","timestamp":1531793195000},"page":"1047-1068","source":"Crossref","is-referenced-by-count":29,"title":["Are users competent to comply with information security policies? An analysis of professional competence models"],"prefix":"10.1108","volume":"31","author":[{"given":"Aggeliki","family":"Tsohou","sequence":"first","affiliation":[]},{"given":"Philipp","family":"Holtkamp","sequence":"additional","affiliation":[]}],"member":"140","published-online":{"date-parts":[[2018,7,17]]},"reference":[{"key":"key2021041507284666600_ref001","article-title":"Information security policy compliance: the role of information security awareness","year":"2012"},{"key":"key2021041507284666600_ref003","article-title":"Do it OR ELSE! Exploring the effectiveness of deterrence on employee compliance with information security policies","year":"2014"},{"issue":"4","key":"key2021041507284666600_ref004","first-page":"385","article-title":"The competent manager: a model for effective performance","volume":"4","year":"1982","journal-title":"Strategic Management Journal"},{"key":"key2021041507284666600_ref005","doi-asserted-by":"crossref","unstructured":"Brennan, G. and Moehler, M. (2010), \u201cNeoclassical economics\u201d, in Bevir, M. (Ed.), Encyclopedia of Political Theory, Vol. II, Sage Publications, Thousand Oaks, CA, pp. 946-951.","DOI":"10.4135\/9781412958660.n305"},{"issue":"3","key":"key2021041507284666600_ref006","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2021041507284666600_ref008","unstructured":"CGMA (2014), \u201cCGMA competency framework\u201d, Chartered Global Management Accountant, Chartered Institute of Management Accountants and the Association of International Certified Professional Accountants, Durham, available at: www.cgma.org\/Resources\/Tools\/DownloadableDocuments\/competency-framework-complete.pdf (accessed February 13, 2017)."},{"issue":"1","key":"key2021041507284666600_ref009","first-page":"1","article-title":"Mitigating information security risks by increasing user security awareness: a case study of an information security awareness system","volume":"24","year":"2006","journal-title":"Information Technology Learning and Performance Journal"},{"issue":"3","key":"key2021041507284666600_ref010","doi-asserted-by":"crossref","first-page":"157","DOI":"10.2753\/MIS0742-1222290305","article-title":"Organizations\u2019 information security policy compliance: stick or carrot approach?","volume":"29","year":"2012","journal-title":"Journal of Management Information Systems"},{"issue":"4","key":"key2021041507284666600_ref011","doi-asserted-by":"crossref","first-page":"237","DOI":"10.1016\/0378-7206(90)90033-E","article-title":"Knowledge, skills and abilities of information systems professionals: past, present, and future","volume":"19","year":"1990","journal-title":"Information & Management"},{"issue":"6","key":"key2021041507284666600_ref012","doi-asserted-by":"crossref","first-page":"643","DOI":"10.1057\/ejis.2011.23","article-title":"A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings","volume":"20","year":"2011","journal-title":"European Journal of Information Systems"},{"issue":"1","key":"key2021041507284666600_ref062","doi-asserted-by":"crossref","first-page":"79","DOI":"10.1287\/isre.1070.0160","article-title":"User awareness of security countermeasures and its impact on information systems misuse","volume":"20","year":"2009","journal-title":"Information Systems Research"},{"issue":"10","key":"key2021041507284666600_ref013","first-page":"46","article-title":"Are competency models a waste?","volume":"51","year":"1997","journal-title":"Training and Development"},{"issue":"2","key":"key2021041507284666600_ref063","doi-asserted-by":"crossref","first-page":"127","DOI":"10.1046\/j.1365-2575.2001.00099.x","article-title":"Current directions in IS security research: toward socio-organizational perspectives","volume":"11","year":"2001","journal-title":"Information Systems Journal"},{"key":"key2021041507284666600_ref014","unstructured":"E&Y (2015), \u201cCreating trust in the digital world, EY\u2019s global information security survey\u201d, available at: www.ey.com\/publication\/vwluassets\/ey-global-information-security-survey-2015\/$file\/ey-global-information-security-survey-2015.pdf (accessed February 13, 2017)."},{"key":"key2021041507284666600_ref015","unstructured":"ENISA (2010), \u201cThe new users\u2019 guide: how to raise information security awareness\u201d, available at: www.enisa.europa.eu\/publications\/archive\/copy_of_new-users-guide (accessed February 13, 2017)."},{"issue":"1","key":"key2021041507284666600_ref016","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1057\/jit.2013.2","article-title":"Outsiders: an exploratory history of IS in corporations","volume":"28","year":"2013","journal-title":"Journal of Information Technology"},{"key":"key2021041507284666600_ref064","article-title":"Information security awareness: its antecedents and mediating effects on security compliant behavior","year":"2013"},{"issue":"2","key":"key2021041507284666600_ref017","doi-asserted-by":"crossref","first-page":"106","DOI":"10.1057\/ejis.2009.6","article-title":"Protection motivation and deterrence: a framework for security policy compliance in organisations","volume":"18","year":"2009","journal-title":"European Journal of Information Systems"},{"issue":"1","key":"key2021041507284666600_ref018","first-page":"50","article-title":"How do software development competences change in global settings \u2013 an explorative study","volume":"27","year":"2014","journal-title":"Journal of Software: Evolution and Process"},{"key":"key2021041507284666600_ref019","volume-title":"Human Resources Professional Competency Framework","author":"HRPA","year":"2014"},{"key":"key2021041507284666600_ref020","unstructured":"IAAP (2016), \u201cIAAP Certified Administrative Professional (CAP) exam 2016 body of knowledge\u201d, available at: www.iaap-hq.org\/page\/BOK (accessed February 13, 2017)."},{"key":"key2021041507284666600_ref021","volume-title":"Core Facilitator Competencies","author":"IAF","year":"2015"},{"issue":"1","key":"key2021041507284666600_ref022","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1016\/j.cose.2011.10.007","article-title":"Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory","volume":"31","year":"2012","journal-title":"Computers & Security"},{"key":"key2021041507284666600_ref023","unstructured":"IFMA (2016), \u201cComplete list of competencies covered on the IFMA CFM exam\u201d, available at: www.ifmacredentials.org\/cfm\/cert-and-recert (accessed February 13, 2017)."},{"key":"key2021041507284666600_ref024","volume-title":"Information Technology \u2013 an Security Techniques \u2013 an Information Security Management Systems \u2013 an Requirements","author":"ISO 27001","year":"2013"},{"key":"key2021041507284666600_ref065","volume-title":"Information Technology \u2013 an Security Techniques \u2013 an Code of Practice for Information Security Controls","author":"ISO 27002","year":"2013"},{"key":"key2021041507284666600_ref066","volume-title":"Information Technology \u2013 an Security Techniques \u2013 an Information Security Risk Management","author":"ISO 27005","year":"2011"},{"issue":"4","key":"key2021041507284666600_ref025","first-page":"549","article-title":"Fear appeals and information security behaviors","volume":"34","year":"2010","journal-title":"Management Information Systems Quarterly"},{"issue":"1","key":"key2021041507284666600_ref026","doi-asserted-by":"crossref","first-page":"113","DOI":"10.25300\/MISQ\/2015\/39.1.06","article-title":"An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric","volume":"39","year":"2015","journal-title":"Management Information Systems Quarterly"},{"key":"key2021041507284666600_ref060","volume-title":"The Social Psychology of Organizations","year":"1978"},{"key":"key2021041507284666600_ref027","article-title":"The last line of defense: motivating employees to follow corporate security guidelines","year":"2007"},{"issue":"1","key":"key2021041507284666600_ref028","first-page":"53","article-title":"Extending the theory of knowledge spaces: a competence-performance approach","volume":"205","year":"1997","journal-title":"Zeitschrift fur Psychologie"},{"key":"key2021041507284666600_ref029","unstructured":"Korossy, K. (1999), \u201cModeling knowledge as competence and performance\u201d, in Albert, D. and Lukas, J. (Eds), Knowledge Spaces: Theories, Empirical Research, and Applications, Psychology Press, Oxford, pp. 103-132."},{"key":"key2021041507284666600_ref030","article-title":"Understanding compliance with internet use policy: an integrative model based on command and control and self-regulatory approaches","year":"2010"},{"key":"key2021041507284666600_ref031","article-title":"Toward developing a theory of end user information security competence","year":"2013"},{"issue":"1","key":"key2021041507284666600_ref032","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1037\/h0034092","article-title":"Testing for competence rather than for \u2018intelligence\u2019","volume":"28","year":"1973","journal-title":"American Psychologist"},{"key":"key2021041507284666600_ref033","volume-title":"Cybersecurity Awareness is About Both \u201cKnowing\u201d and \u201cDoing\u201d","year":"2014"},{"key":"key2021041507284666600_ref034","article-title":"The role of punishment and task dissonance in information security policies compliance","year":"2014"},{"key":"key2021041507284666600_ref035","article-title":"The impact of training and social norms on information security compliance: a pilot study","year":"2012"},{"key":"key2021041507284666600_ref036","doi-asserted-by":"crossref","unstructured":"Motowidlo, S.J. (2003), \u201cJob performance\u201d, in Borman, W.C., Ilgen, D.R. and Klimoski, R.J. (Eds), Handbook of Psychology, Wiley, London, pp. 39-52.","DOI":"10.1002\/0471264385.wei1203"},{"issue":"4","key":"key2021041507284666600_ref037","doi-asserted-by":"crossref","first-page":"815","DOI":"10.1016\/j.dss.2008.11.010","article-title":"Studying users\u2019 computer security behavior: a health belief perspective","volume":"46","year":"2009","journal-title":"Decision Support Systems"},{"key":"key2021041507284666600_ref038","unstructured":"NIST 800-50 (2003), \u201cBuilding an information technology security awareness and training program\u201d, available at: http:\/\/csrc.nist.gov\/publications\/PubsSPs.html (accessed February 13, 2017)."},{"issue":"5","key":"key2021041507284666600_ref039","doi-asserted-by":"crossref","first-page":"673","DOI":"10.1016\/j.cose.2012.04.004","article-title":"Taxonomy of compliant information security behavior","volume":"31","year":"2012","journal-title":"Computers & Security"},{"key":"key2021041507284666600_ref040","doi-asserted-by":"crossref","first-page":"165","DOI":"10.1016\/j.cose.2013.12.003","article-title":"Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q)","volume":"42","year":"2014","journal-title":"Computers & Security"},{"issue":"2","key":"key2021041507284666600_ref041","doi-asserted-by":"crossref","first-page":"167","DOI":"10.1016\/j.jsis.2004.02.002","article-title":"Beyond strategic information systems: towards an IS capability","volume":"13","year":"2004","journal-title":"Journal of Strategic Information Systems"},{"key":"key2021041507284666600_ref042","volume-title":"The Knowing-Doing Gap: How Smart Companies Turn Knowledge Into Action","year":"1999"},{"key":"key2021041507284666600_ref043","volume-title":"Project Management Competency Framework","author":"PMCF","year":"2007","edition":"2nd ed."},{"issue":"4","key":"key2021041507284666600_ref061","doi-asserted-by":"crossref","first-page":"757","DOI":"10.2307\/25750704","article-title":"Improving employees\u2019 compliance through information systems security training: an action research study","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2021041507284666600_ref044","article-title":"Employees\u2019 compliance with BYOD security policy: insights from reactance, organizational justice, and protection motivation theory","year":"2014"},{"key":"key2021041507284666600_ref045","unstructured":"Renck, R., Kahn, E.L. and Gardner, B.B. (1969), \u201cContinuing education in R&D careers\u201d, DSF report, Prepared by the Social Research, Chicago, pp. 69-20."},{"key":"key2021041507284666600_ref046","doi-asserted-by":"crossref","first-page":"93","DOI":"10.1080\/00223980.1975.9915803","article-title":"A protection motivation theory of fear appeals and attitude change","volume":"91","year":"1975","journal-title":"The Journal of Psychology"},{"key":"key2021041507284666600_ref047","unstructured":"Rogers, R.W. (1983), \u201cCognitive and physiological processes in fear appeals and attitude change: a revised theory of protected motivation\u201d, in Cacioppo, J.T. and Petty, R.E. (Eds), Social Psychophysiology: A Sourcebook, The Guilford Press, New York, NY, pp. 153-176."},{"issue":"1","key":"key2021041507284666600_ref048","first-page":"9","article-title":"Understanding human competence at work: an interpretative approach","volume":"43","year":"2010","journal-title":"Academy of Management Journal"},{"issue":"3","key":"key2021041507284666600_ref049","doi-asserted-by":"crossref","first-page":"703","DOI":"10.1111\/j.1744-6570.2000.tb00220.x","article-title":"The practice of competency modeling","volume":"53","year":"2000","journal-title":"Personnel Psychology"},{"key":"key2021041507284666600_ref050","volume-title":"SHRM Competency Model","author":"SHRM","year":"2012"},{"issue":"3","key":"key2021041507284666600_ref051","doi-asserted-by":"crossref","first-page":"487","DOI":"10.2307\/25750688","article-title":"Neutralization: new insights into the problem of employee information systems security policy violations","volume":"34","year":"2010","journal-title":"Management Information Systems Quarterly"},{"issue":"2","key":"key2021041507284666600_ref052","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MC.2010.35","article-title":"Compliance with information security policies: an empirical investigation","volume":"43","year":"2010","journal-title":"IEEE Computer"},{"issue":"1","key":"key2021041507284666600_ref067","doi-asserted-by":"crossref","first-page":"42","DOI":"10.1108\/IMCS-08-2012-0045","article-title":"Variables influencing information security policy compliance: a systematic review of quantitative studies","volume":"22","year":"2014","journal-title":"Information Management and Computer Security"},{"key":"key2021041507284666600_ref053","volume-title":"Competence at Work: Models for Superior Performance","year":"1993"},{"key":"key2021041507284666600_ref054","article-title":"Employee ISP compliance intentions: an empirical test of empowerment","year":"2015"},{"key":"key2021041507284666600_ref055","doi-asserted-by":"crossref","first-page":"128","DOI":"10.1016\/j.cose.2015.04.006","article-title":"Analyzing the role of cognitive and cultural biases in the internalization of information security policies: recommendations for information security awareness programs","volume":"52","year":"2015","journal-title":"Computers & Security"},{"issue":"1","key":"key2021041507284666600_ref056","doi-asserted-by":"crossref","first-page":"21","DOI":"10.4018\/joeuc.2012010102","article-title":"IS security policy violations: a rational choice perspective","volume":"24","year":"2012","journal-title":"Journal of Organizational and End User Computing"},{"issue":"3-4","key":"key2021041507284666600_ref068","doi-asserted-by":"crossref","first-page":"190","DOI":"10.1016\/j.im.2012.04.002","article-title":"Motivating IS security compliance: insights from habit and protection motivation theory","volume":"49","year":"2012","journal-title":"Information & Management"},{"key":"key2021041507284666600_ref069","unstructured":"Von Brocke, J., Simons, A., Niehaves, B., Niehaves, B., Reimer, K., Plattfaut, R. and Cleven, A. (2009), \u201cReconstructing the giant: on the importance of rigour in documenting the literature search process\u201d, in Newell, S., Whitley, E., Pouloudi, N., Wareham, J. and Mathiassen, L. (Eds), Proceedings of the 17th European Conference of Information Systems, pp. 2206-2217."},{"issue":"4","key":"key2021041507284666600_ref057","doi-asserted-by":"crossref","first-page":"52","DOI":"10.1080\/15536548.2013.10845690","article-title":"Control-related motivations and information security policy compliance: the role of autonomy and efficacy","volume":"9","year":"2013","journal-title":"Journal of Information Privacy and Security"},{"issue":"2","key":"key2021041507284666600_ref070","first-page":"xiii","article-title":"Analyzing the past to prepare for the future: writing a literature review","volume":"26","year":"2002","journal-title":"MIS Quarterly"},{"issue":"8\/9","key":"key2021041507284666600_ref058","first-page":"618","article-title":"Competences across Europe: highest common factor or lowest common denominator","volume":"33","year":"2009","journal-title":"Journal of European Industrial Training"},{"key":"key2021041507284666600_ref059","article-title":"A cross-cultural study of the effects of STEA programs and task characteristics on employees\u2019 behavior toward information system security policy compliance","year":"2011"}],"container-title":["Information Technology &amp; People"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ITP-02-2017-0052\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ITP-02-2017-0052\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:54:14Z","timestamp":1753394054000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/itp\/article\/31\/5\/1047-1068\/174761"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2018,7,17]]},"references-count":68,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2018,7,17]]},"published-print":{"date-parts":[[2018,9,4]]}},"alternative-id":["10.1108\/ITP-02-2017-0052"],"URL":"https:\/\/doi.org\/10.1108\/itp-02-2017-0052","relation":{},"ISSN":["0959-3845"],"issn-type":[{"value":"0959-3845","type":"print"}],"subject":[],"published":{"date-parts":[[2018,7,17]]}}}