Out of Fear or Desire: Why do Employees Follow Information Systems Security Policies?

Two well-grounded motivational models—command-and-control and self-regulation, which are viewed as competing explanations of why individuals follow rules (Tyler and Blader 2005)—are used as conceptual lenses through which to view employees’ adherence to information systems security policy (ISSP). Specifically, we aim to identify the factors, drawn from each of the two competing approaches, that determine the level of employees’ adherence to their organization’s ISSP, and to develop and empirically test a conceptual model based on these two groups of determinants. Further, we will compare the relative efficacy of the two approaches in predicting each of the two types of ISSP adherence behaviors. Our conceptual arguments will be tested with data to be collected via a survey in large-scale field studies. When completed, the results of this proposed study should contribute to the literature on corporate security management by advancing our knowledge of the central determinants of employees’ adherence to ISSP. Gaining such an understanding will also be managerially important because organizations can then design more effective security training and education programs to promote their employees’ adherence to ISSP.

[1] P. Cook. Research in Criminal Deterrence: Laying the Groundwork for the Second Decade, 1980, Crime and Justice.

[2] Tom R. Tyler, et al. Can Businesses Effectively Regulate Employee Conduct? The Antecedents of Rule Following in Work Settings, 2005.

[3] William L. Simon, et al. The Art of Deception: Controlling the Human Element of Security, 2001.

[4] I. Ehrlich. Participation in Illegitimate Activities: A Theoretical and Empirical Investigation, 1973, Journal of Political Economy.

[5] E. Deci, et al. Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being, 2000, The American Psychologist.

[6] Hock-Hai Teo, et al. An integrative study of information systems security effectiveness, 2003, Int. J. Inf. Manag.

[7] Kyung Kyu Kim, et al. Initial trust and the adoption of B2C e-commerce: The case of internet banking, 2004, DATB.

[8] D. Parker. Computer Security Management, 1981.

[9] Michael A. Hitt, et al. Conflicting Voices: The Effects of Institutional Ownership Heterogeneity and Internal Governance on Corporate Innovation Strategies, 2002.

[10] Michael E. Whitman. Enemy at the gate: threats to information security, 2003, CACM.

[11] Gurpreet Dhillon, et al. Technical opinion: Information system security management in the new millennium, 2000, CACM.

[12] Michael J. Lenox, et al. Industry Self-Regulation Without Sanctions: The Chemical Industry's Responsible Care Program, 2000.

[13] Huseyin Cavusoglu, et al. The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers, 2004, Int. J. Electron. Commer.

[14] Mark C. Suchman. Managing Legitimacy: Strategic and Institutional Approaches, 1995.

[15] K. Bollen. A New Incremental Fit Index for General Structural Equation Models, 1989.

[16] Jordan Shropshire, et al. Personality and IT security: An application of the five-factor model, 2006, AMCIS.

[17] G. Dhillon, et al. Technical opinion: Information system security management in the new millennium, 2000, CACM.

[18] Detmar W. Straub, et al. Effective IS Security: An Empirical Study, 1990, Inf. Syst. Res.

[19] Detmar W. Straub, et al. Coping With Systems Risk: Security Planning Models for Management Decision Making, 1998, MIS Q.