Information Security Policy Compliance: How Ethics Play a Role

Ellen Zheng presenting at the 58th Hawaii International Conference on System Sciences (HICSS) held January 7-10, 2025, in Waikoloa.

In 2005, the annual number of data compromises in the United States was 157. Dailin “Ellen” Zheng was a teenager then, but by the time her research on the topic of information security was published as an assistant professor in the School of Information Systems and Technology at San José State University, the number of annual data compromises had surpassed 3,205 and affected over 353 million people. In 2024, the global average cost of an organizational data breach was $4.88 million.  

Zheng and Zhiping Walter, an Associate Professor from the University of Colorado Denver, co-authored the recently published paper entitled “Moral Intensity Dimensions of Information Security Policy Compliance: Perspectives of Construal Level Theory and Ethical Theories”. They presented their findings at the 58th Hawaii International Conference on System Sciences (HICSS) held January 7-10, 2025, in Waikoloa. 

Their research examines why employees sometimes fail to follow information systems security policies (ISSPs) at work, even when penalties exist. Through real-world scenarios, their findings revealed that employees are more likely to adhere to ISSPs when they understand the real consequences of security breaches and feel a strong connection to their organization.  

Furthermore, rather than viewing compliance as a mere effort to avoid punishment, the study highlights that employees invest time and effort to comply while organizations benefit from reduced security risks. It frames compliance as an ethical decision influenced by peer behavior and perceived risks to the organization. When asked how she came up with this research idea, Zheng shared that she and Walter are both deeply interested in information security research. 

“As we explored the existing literature, we noticed that the issue of employee non-compliance with ISSPs has been persistently under-addressed, despite the enforcement of well-designed, fear-based countermeasures,” Zheng explained. “What stood out to us was the unique nature of this issue—employees bear the direct cost of compliance in terms of time and effort, while the consequences of their decisions primarily affect the organization.”

“This misalignment led us to view compliance as more than just a reaction to penalties; rather, it aligns closely with ethical decision-making theories,” she continued. “Recognizing this gap, we aimed to investigate how employees’ perceptions of organizational risk, peer behavior, and ethical considerations influence their compliance decisions.”

The Impact and Value of Research

Zheng believes this research is impactful because it addresses the growing cost of data breaches in organizations, highlighting that non-malicious human error—often due to employee non-compliance with information security policies—remains a significant risk. She added that while many companies enforce security policies, relying on the fear of punishment is not an effective long-term strategy for ensuring compliance. Instead, this study examines the issue through the lens of ethical decision-making, offering a deeper understanding of why employees may fail to follow security policies. 

“To improve compliance, businesses should clearly communicate security risks, foster a workplace culture that values cybersecurity, and strengthen employees’ sense of responsibility for the organization’s well-being,” she outlined.

While sharing their research at the conference, the notable takeaway for Zheng was that their presentation sparked the audience’s interest, which led to potential collaborations with other researchers on new projects. 

Zheng’s next research topics revolve around ethical issues in AI with respect to information security, automation and robotics. To learn more about Zheng’s research, visit her Google Scholar page.

Lucas College and Graduate School of Business faculty, staff, students and alumni consistently make a significant impact in the San Francisco Bay Area and beyond. Many graduates have gone on to excel in various industries, with a notable presence in Silicon Valley. These organizations recognize and value the exceptional education and skills our alumni bring to their roles, making San José State University a key contributor to the region’s thriving economy. With competitive tuition and outstanding career outcomes, our college is among the top institutions for return on investment (ROI), delivering unparalleled value for money in higher education. We offer MBA, PMBA, MSFA, MSAA and MSTM degrees at the graduate level and 14 different BSBA concentrations at the undergraduate level, the largest set of offerings among the CSUs. These include accounting, accounting information systems, business analytics, corporate accounting & finance, entrepreneurship, finance, general business, hospitality, tourism, & event management, human resources management, international business, management, management information systems, marketing, and operations & supply chain management.
