Understanding Compliance with Internet Use Policy: An Integrative Model Based on Command-and- Control and Self-Regulatory Approaches

Internet security risks, the leading security threats confronting today’s organizations, often result from employees’ non-compliance with the Internet use policy (IUP). Extant studies on the compliance with security policies have largely ignored the impact of intrinsic motivations on employees’ compliance intention. This paper proposes a theoretical model that integrates an extrinsic sanction-based command-and-control approach with an intrinsic self-regulatory approach to examine employees’ IUP compliance intention. The self-regulatory approach centers on the effect of organizational justice and personal moral beliefs against Internet abuses. The results of this study suggest that the self-regulatory approach is more effective than the sanctionbased command-and-control approach. Organizational justice not only influences IUP compliance intention directly, but also indirectly through fostering favorable personal moral beliefs against Internet abuses.

[1]  Wynne W. Chin,et al.  Factors motivating software piracy: a longitudinal study , 2004, IEEE Transactions on Engineering Management.

[2]  Rathindra Sarathy,et al.  Understanding Situational Online Information Disclosure as a Privacy Calculus , 2010, J. Comput. Inf. Syst..

[3]  Detmar W. Straub,et al.  A Practical Guide To Factorial Validity Using PLS-Graph: Tutorial And Annotated Example , 2005, Commun. Assoc. Inf. Syst..

[4]  R. Paternoster,et al.  Sanction threats and appeals to morality : Testing a rational choice model of corporate crime , 1996 .

[5]  S. Kelley,et al.  Perceived justice needs and recovery evaluation: a contingency approach , 2000 .

[6]  R. Paternoster,et al.  The deterrent effect of the perceived certainty and severity of punishment: A review of the evidence and issues , 1987 .

[7]  R. Mauborgne,et al.  Procedural justice, attitudes, and subsidiary top management compliance with multinationals' corporate strategic decisions. , 1993 .

[8]  T. Tyler The Psychology of Legitimacy: A Relational Perspective on Voluntary Deference to Authorities , 1997, Personality and social psychology review : an official journal of the Society for Personality and Social Psychology, Inc.

[9]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[10]  A. Mahmood,et al.  Factors Influencing Protection Motivation and IS Security Policy Compliance , 2006, 2006 Innovations in Information Technology.

[11]  Gee-Woo Bock,et al.  Non-work related computing (NWRC) , 2009, CACM.

[12]  Michael Wenzel,et al.  Motivation or rationalisation? Causal relations between ethics, norms and tax compliance , 2005 .

[13]  Jeffrey R Frost,et al.  Armed, and Dangerous (?): Motivating Rule Adherence Among Agents of Social Control. , 2007 .

[14]  Phani Tej Adidam,et al.  The Impact of Perceived Fairness on Satisfaction: Are Airport Security Measures Fair? Does it Matter? , 2006 .

[15]  M. Lindell,et al.  Accounting for common method variance in cross-sectional research designs. , 2001, The Journal of applied psychology.

[16]  Catherine E. Connelly,et al.  In Justice We Trust: Predicting User Acceptance of E-Customer Services , 2008, J. Manag. Inf. Syst..

[17]  Wynne W. Chin,et al.  A Partial Least Squares Latent Variable Modeling Approach for Measuring Interaction Effects: Results from a Monte Carlo Simulation Study and an Electronic - Mail Emotion/Adoption Study , 2003, Inf. Syst. Res..

[18]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[19]  M. Wenzel The Social Side of Sanctions: Personal and Social Norms as Moderators of Deterrence , 2004, Law and human behavior.

[20]  W. Au,et al.  A Qualitative and Quantitative Review of Antecedents of Counterproductive Behavior in Organizations , 2003 .

[21]  Dennis F. Galletta,et al.  Software Piracy in the Workplace: A Model and Empirical Test , 2003, J. Manag. Inf. Syst..

[22]  Rathindra Sarathy,et al.  Understanding compliance with internet use policy from the perspective of rational choice theory , 2010, Decis. Support Syst..

[23]  Detmar W. Straub,et al.  Effective IS Security: An Empirical Study , 1990, Inf. Syst. Res..

[24]  J. Colquitt On the dimensionality of organizational justice: a construct validation of a measure. , 2001, The Journal of applied psychology.

[25]  Kimberly Young,et al.  Internet Abuse in the Workplace: New Trends in Risk Management , 2004, Cyberpsychology Behav. Soc. Netw..

[26]  L. G. Pee,et al.  Explaining non-work-related computing in the workplace: A comparison of alternative models , 2008, Inf. Manag..

[27]  Scott B. MacKenzie,et al.  Common method biases in behavioral research: a critical review of the literature and recommended remedies. , 2003, The Journal of applied psychology.

[28]  J. Greenberg,et al.  The social side of fairness: Interpersonal and informational classes of organizational justice. , 1993 .

[29]  Paul E. Spector,et al.  The Role of Justice in Organizations: A Meta-Analysis , 2001 .

[30]  R. Bagozzi,et al.  On the evaluation of structural equation models , 1988 .

[31]  J O'Byrne,et al.  Armed and dangerous. , 1988, Nursing standard (Royal College of Nursing (Great Britain) : 1987).

[32]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[33]  I. Ajzen,et al.  Belief, Attitude, Intention, and Behavior: An Introduction to Theory and Research , 1977 .

[34]  V. Lim The IT way of loafing on the job: cyberloafing, neutralizing and organizational justice , 2002 .

[35]  Mikko T. Siponen,et al.  Employees' Behavior towar ds IS Secur ity Policy Compliance , 2007 .

[36]  T. Tyler Restorative Justice and Procedural Justice: Dealing with Rule Breaking , 2006 .

[37]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .