This study addresses the gaps of existing research on Information Security Policy (ISP) compliance by focusing on the role of individual capabilities. Organizations face significant challenges in ensuring ISP compliance, as compliance depends heavily on employees’ ability to perceive and execute security policies effectively. Using Social Cognitive Theory (SCT) as the theoretical foundation, this study examines the impact of Threat Control Ability (TCA) and Security Policy Competence (SPC) on ISP compliance awareness, attitude, and intention. Survey data collected from 319 respondents were analyzed to validate the proposed model. The findings indicate that both TCA and SPC positively influence ISP compliance intention but do not have a significant impact on ISP compliance attitude. TCA significantly affects ISP compliance awareness, while SPC does not, suggesting that TCA helps employees understand the necessity of compliance, whereas SPC focuses on facilitating the practical execution of policies. The study highlights the differentiated roles of TCA and SPC in the ISP compliance process, emphasizing the importance of addressing both “why” and “how” aspects of compliance.