Organizations' Information Security Policy Compliance: Stick or Carrot Approach?

Companies' information security efforts are often threatened by employee negligence and insider breaches. To address these insider issues, this study draws on compliance theory and general deterrence theory to propose a research model that studies the relations among coercive control, which has been advocated by scholars and is widely practiced by companies; remunerative control, which is generally missing from both research and practice; and certainty of control. A Web-based field experiment involving real-world employees in their natural settings was used to test the model empirically. While lending further support to general deterrence theory, our findings highlight that reward enforcement, a remunerative control mechanism in the information systems security context, could be an alternative for organizations where sanctions do not successfully prevent violations. The significant interactions between punishment and reward found in the study further indicate the need for a more comprehensive enforcement system that includes a reward enforcement scheme through which organizational moral standards and values are established or reemphasized. The findings of this study can potentially be used to guide the design of more effective security enforcement systems that encompass remunerative control mechanisms.
