If an employee believes that relevant others expect information security policy compliance from them, they are more likely
to undertake appropriate security actions Subjective norms is used in five of eight (62%) of the supporting models of the composite framework.