|
| Variables | Definition | Items | Related research |
|
| Intentions of compliance | The degree of intentions which protects the information and resources of the organization from potential threats by the compliance of information security policy | IN1~3 | Bulgurcu et al. [3] |
|
| Normative belief | The degree of perceptive social pressure of neighbors such as the supervisor, colleague, and manager when they comply with the policy | NB1~3 | Bulgurcu et al. [3] |
|
| Neutralization | The degree of logic which nullifies the existing norm of society that is related to the compliance of information security policy by justifying the violation of the norm. | |
Sykes and Matza [14]
Siponen and Vance [12]
S. J. Lee and M. J. Lee [16] |
| Neutralization theory | | |
| Denial of responsibility | The degree that the violator denies responsibility of the compliance violation of the information security policy | DR1~3 |
| Denial of injury | The degree that what they did was the best way to minimize the injury of the compliance violation of the information security policy. | DI1~3 |
| Appeal to higher loyalties | The degree that they believe there was no other way to protect their groups except through the compliance violation of the information security policy. | AL1~3 |
| Condemnation of condemners | The degree that the violators condemn the condemners to neutralize the compliance violation of the information security policy. | CC1~3 |
| Metaphor of the ledger | The degree of belief that the compliance violation of information security policy would be accepted because of the many good deeds that they have done in the past. | ML1~3 |
| Defense of necessity | The degree that there is no need to feel guilty for the compliance violation of the information security policy because the violation was unavoidable. | DN1~3 |
| Defense of ubiquity | The degree that the violators justify the compliance violation of the information security policy by insisting that almost everybody violates policies. | DU1 |
|
| Attitude | The degree to which compliance of information security policy affects the evaluation positively | AT1~4 | Bulgurcu et al. [3] |
|
| Benefit of compliance | The degree of the perception of benefit by the members of the organization towards information security policy compliance | BE1~4 | Bulgurcu et al. [3] |
|
| Cost of compliance | The degree of the perception of cost by the members of the organization towards information security policy compliance | CO1~3 | Bulgurcu et al. [3] |
|
| Cost of noncompliance | The degree of the perception of cost by the members of the organization towards information security policy noncompliance | NC1~4 | Bulgurcu et al. [3] |
|
| Self-efficacy | The degree of the individual’s confidence that they have enough techniques, knowledge, and ability on the information security policy | SE1~3 | Bulgurcu et al. [3] |
|
| Response efficacy | The degree of belief that the information security policy can handle the threats efficiently | RE1~3 | Johnston and Warkentin [23] |
|
