Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies

Given the significant role of people in the management of security, attention has recently been paid to the issue of how to motivate employees to improve security performance of organizations. However, past work has been dependent on deterrence theory rooted in an extrinsic motivation model to help understand why employees do or do not follow security rules in their organization. We postulated that we could better explain employees' security-related rule-following behavior with an approach rooted in an intrinsic motivation model. We therefore developed a model of employees' motivation to comply with IS security policies which incorporated both extrinsic and intrinsic models of human behavior. It was tested with data collected through a survey of 602 employees in the United States. We found that variables rooted in the intrinsic motivation model contributed significantly more to the explained variance of employees' compliance than did those rooted in the extrinsic motivation model.

[1]  Qing Hu,et al.  Assimilation of Enterprise Systems: The Effect of Institutional Pressures and the Mediating Role of Top Management , 2007, MIS Q..

[2]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[3]  J. Edwards,et al.  The value of value congruence. , 2009, The Journal of applied psychology.

[4]  Detmar W. Straub,et al.  Specifying Formative Constructs in Information Systems Research , 2007, MIS Q..

[5]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[6]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[7]  Sanjay Goel,et al.  Estimating the market impact of security breach announcements on firm values , 2009, Inf. Manag..

[8]  Tom R. Tyler,et al.  Can Businesses Effectively Regulate Employee Conduct? The Antecedents of Rule Following in Work Settings , 2005 .

[9]  Merrill Warkentin,et al.  Behavioral and policy issues in information systems security: the insider threat , 2009, Eur. J. Inf. Syst..

[10]  T. Tyler,et al.  Psychological perspectives on legitimacy and legitimation. , 2006, Annual review of psychology.

[11]  Mikko T. Siponen,et al.  Information security management standards: Problems and solutions , 2009, Inf. Manag..

[12]  Sang M. Lee,et al.  An integrative model of computer abuse based on social control and general deterrence theories , 2004, Inf. Manag..

[13]  Hock-Hai Teo,et al.  An integrative study of information systems security effectiveness , 2003, Int. J. Inf. Manag..