Original Article
European Journal of Information Systems (2009) 18, 126–139. doi:10.1057/ejis.2009.10; published online 21 April 2009
What levels of moral reasoning and values explain adherence to information security rules? An empirical study
Liisa Myyry¹, Mikko Siponen², Seppo Pahnila², Tero Vartiainen³ and Anthony Vance⁴
- ¹ Department of Social Psychology, Faculty of Social Sciences, University of Helsinki, Finland
- ² Department of Information Systems, University of Oulu, Finland
- ³ Turku School of Economics, Pori Unit, Finland
- ⁴ Information Systems Department, Marriott School of Management, Brigham Young University, Provo, Utah, USA
Correspondence: Mikko Siponen, Department of Information Systems, University of Oulu, Finland. Tel: +358 (0) 400 752 661; Fax: +358 (0) 553 1890; E-mail: mikko.siponen@oulu.fi
Received 6 April 2008; Revised 22 August 2008; Re-revised 4 February 2009; Accepted 23 February 2009; Published online 21 April 2009.
Abstract
It is widely agreed that employee non-adherence to information security policies poses a major problem for organizations. Previous research has pointed to the potential of theories of moral reasoning to better understand this problem. However, we find no empirical studies that examine the influence of moral reasoning on compliance with information security policies. We address this research gap by proposing a theoretical model that explains non-compliance in terms of moral reasoning and values. The model integrates two well-known psychological theories: the Theory of Cognitive Moral Development by Kohlberg and the Theory of Motivational Types of Values by Schwartz. Our empirical findings largely support the proposed model and suggest implications for practice and research on how to improve information security policy compliance.
Keywords:
information security, information security policy compliance, moral reasoning, theory of cognitive moral development, theory of motivational types of values



