Towards analysing the rationale of information security non-compliance: Devising a Value-Based Compliance analysis method

- We develop a method for Value Based Compliance analysis of information security.
- We develop a set of design principles for a Value Based Compliance analysis method.
- We analyse value conflicts behind information security non-compliance.
- We provide a hands-on guide to Value Based Compliance analysis.

Employees' poor compliance with information security policies is a perennial problem. Current information security analysis methods do not allow information security managers to capture the rationalities behind employees' compliance and non-compliance. To address this shortcoming, this design science research paper suggests: (a) a Value-Based Compliance analysis method and (b) a set of design principles for methods that analyse different rationalities for information security. Our empirical demonstration shows that the method supports a systematic analysis of why employees comply/do not comply with policies. Thus we provide managers with a tool to make them more knowledgeable about employees' information security behaviours.