Effective Cognitive Modes for Compliance with Information Security Policies over Time
Abstract
Compliance with information security policies (ISPC) has long been conceptualized as rational and intention-driven behavior. However, recent scholarship suggests that individuals' reasoning strategies in security contexts are far more dynamic and context-dependent. This dissertation seeks to reframe how ISPC is understood by emphasizing the role of cognitive adaptation, i.e., how individuals shift between intuitive, quasirational, and analytical modes in response to environmental, task-related, and psychological factors. In this two-essay dissertation, we pursue three broad goals. In Essay 1, we achieve two objectives. First, we conduct a systematic literature review to explore how ISPC has been cognitively framed and behaviorally measured across prior information security research. This review identifies three limitations: 1) an overreliance on rational-choice and intention-based decision making; 2) insufficient attention to adaptive reasoning strategies; and 3) limited consideration of both cognitive and behavioral change in empirical measurement. In response, we develop five cognitive-behavioral reasoning chains that represent distinct processes of how employees navigate security decisions. Then, we conduct semi-structured interviews to validate these chains by providing empirical support for a cognitive framework that accommodates real-world complexity and dynamics. In Essay 2, we empirically examine cognitive and behavioral change in ISPC through a longitudinal study with an experience sampling method that captures real-time observations from participants over multiple workdays. This study demonstrates that employees' cognitive modes fluctuate in response to factors such as task complexity, decision fatigue, and task familiarity. Results show that analytical mode supports stronger compliance, task familiarity enhances analytical engagement, and decision fatigue increases intuitive but less secure behavior. 
This dissertation introduces a cognitively adaptive model of compliance behavior, provides empirical evidence of within-person variability, and offers actionable guidance for designing interventions that support security behavior in contextually sensitive ways.