Conceptual inconsistencies in variable definitions and measurement items within ISP non-/compliance research: A systematic literature review

Abstract

The rich stream of research focusing on employee non-/compliance with information security policies (ISPs) suffers from inconsistent results. Attempts to explain such inconsistencies have included investigation of possible contextual moderating factors. Another promising, yet not systematically investigated, explanation concerns conceptual inconsistencies in variable definitions and in questionnaire measurement items.

Based on a systematic literature review covering 36 ISP non-/compliance articles using Protection Motivation Theory (PMT) and/or Theory of Planned Behavior (TPB), we found four major types of conceptual inconsistencies and unclarities within and across studies; (i) inconsistencies in variable definitions; (ii) inconsistencies between variable measurement items; (iii) inconsistencies between variable definitions and measurement items; and (iv) unclearly/vaguely worded measurement items. The review contributes to the field by demonstrating that the inconsistent results in the field may not only be due to unknown contextual moderators, but also to conceptual incongruences within and across studies.