Using Theories of Formal Control, Mandatoriness, and Reactance to Explain Working Professionals’ Intent to Comply with New IT Security Policies

Substantial research has shown that employees are both a major IT security threat and a potential security ally in organizations. Recent behavioral IS security research has looked at ways to increase employees' IT security compliance to mitigate this substantial threat. Research has typically focused on deterrence theory as a means of influencing individuals to comply, though the results of this research have been mixed, showing that deterrence approaches oftentimes backfire into undesired behavior. More recently, control theory has been extended using mandatoriness as a key construct in predicting employee compliance. However, to date, research has not adequately addressed why deterrence and control approaches can backfire. Better understanding this phenomenon can help researchers and practitioners understand how to implement effective IT security policies. Accordingly, we introduce psychological reactance theory as an innovative theory that can explain why controlling approaches to IT security policies can backfire. The theory explains that when an individual’s freedoms are threatened, he or she will respond with reactance by attempting to reestablish the threatened freedoms. We thus combined control theory and reactance theory into a cohesive model, the control-reactance model, to better address the inherent conflict between mandatoriness and threats to freedom. We found that the general perception of mandatoriness was influential in the perceived mandatoriness of a newly introduced policy, which also positively predicted subsequent intent to comply. We also discovered that the threat to freedom was the most salient construct in predicting reactance, and that reactance then leads to a decreased intent to comply.
Given these sets of results, we conclude that while creating a sense of mandatoriness is important for compliance, if this sense of mandatoriness is overcommunicated or if the policy is too restrictive of personal freedoms (regardless of how good an idea it is), new IT policies can backfire on organizations and create negative unintended consequences. From these findings, we propose recommendations for practice, including carefully communicating policy, understanding the importance of freedoms to employees, and establishing an environment of threat awareness.
