If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security

Information security has become increasingly important to organizations. Despite the prevalence of technical security measures, individual employees remain the key link – and frequently the weakest link – in corporate defenses. When individuals choose to disregard security policies and procedures, the organization is at risk. How, then, can organizations motivate their employees to follow security guidelines? Using an organizational control lens, we build a model to explain individual information security precaution-taking behavior. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of ‘mandatoriness,’ which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is, in turn, effective in motivating individuals to take security precautions; thus, if individuals believe that management is watching, they will comply.
