The sufficiency of the theory of planned behavior for explaining information security policy compliance

Purpose: The theory of planned behavior is an established theory that has been found to predict compliance with information security policies well. This paper challenges this assumption that the theory includes all constructs that explain information security policy compliance and investigates if anticipated regret or constructs from the protection motivation theory add explanatory power. Design/methodology/approach: Responses from 306 respondents at a research organization was collected using a questionnaire-based survey. Extensions in terms of anticipated regret and constructs drawn from protection motivation theory are tested using through hierarchical regression analysis. Findings: Adding anticipated regret and the threat appraisal process results in improvements of the predictions of intentions. The improvements are of sufficient magnitude to warrant adjustments of the model of theory of planned behavior when it is used in the area of information security policy compliance. Originality/value: This study is the first test of anticipated regret as a predictor of information security policy compliance and the first to assess its influence in relation to the theory of planned behavior and protection motivation theory.