Clashing Climates: How (In)Congruence Between Information Security Climate and Other Organizational Climates Affects Security Policy Compliance

Securing information assets against cyber-attacks requires organizations to bolster employees’ security behaviors, including compliance with information security policies (ISPs). A strong information security climate (ISC) has been found to be a powerful determinant of such behaviors. However, ISC does not exist in isolation, and its effect on ISP compliance can be impacted by other (in)congruent organizational climates that co-exist within an organization, as simultaneously perceived by employees. Drawing on the competing values framework, this research investigates the joint influences of ISC and co-existing climates on ISP compliance. Specifically, we analyze the interplay between ISC and other co-existing climates, considering their complementary or competing nature, and the extent to which employees perceive these climates to have similar (i.e., aligned) or discrepant (i.e., misaligned) magnitudes of intensity within the organization. Using polynomial regression and response surface analysis, we examine how each (mis)aligned condition is associated with ISP compliance. The results highlight the interplay of ISC with co-existing climates and provide nuanced insights into complex and non-linear relationships among these climates.