Exploring the role of intrinsic motivation in ISSP compliance: enterprise digital rights management system case

PurposeEmployee compliance with information system security policies (ISSPs) has been emphasized as a key factor in protecting information assets against insider threats. Even though previous studies have identified extrinsic factors (in the form of external pressure, rewards and social norms) influencing employee compliance, the functioning of employees' intrinsic motivation has not been clearly analyzed. Thus, the aim of this study is to explore the influence of intrinsic motivations on employees' ISSP compliance.Design/methodology/approachThis study follows a survey approach and conducts structural equation modeling using WarpPLS 5.0 to test the research model and hypotheses. The survey respondents are users of an enterprise digital rights management (EDRM) system.FindingsThe analysis results demonstrate that work impediments, perceived responsibility and self-efficacy significantly influence the intention to comply with ISSP. Additionally, autonomy significantly affects self-efficacy and perceived responsibility. Furthermore, autonomy plays a moderating role in the relationship between work impediment and ISSP compliance intentions.Originality/valueThis study initiatively explores the effect of intrinsic motivations on ISSP compliance intention of employees for a specific information security system (i.e. the EDRM system). This study clarifies the enabling role of intrinsic motivations in ISSP compliance and helps organizations to understand that employee's self-motivated intention, i.e. autonomy, is an essential factor that achieves a higher level of ISSP compliance in the workplace.

[1]  Ritu Agarwal,et al.  Practicing Safe Computing: A Multimedia Empirical Examination of Home Computer User Security Behavioral Intentions , 2010, MIS Q..

[2]  Ned Kock,et al.  Using Data Labels to Discover Moderating Effects in PLS-Based Structural Equation Modeling , 2014, Int. J. e Collab..

[3]  Chuan-Hoo Tan,et al.  Inducing Intrinsic Motivation to Explore the Enterprise System: The Supremacy of Organizational Levers , 2012, J. Manag. Inf. Syst..

[4]  S. Schwartz Normative Influences on Altruism , 1977 .

[5]  Aaron Tsai,et al.  Design and microarchitecture of the IBM system z10 microprocessor , 2009 .

[6]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[7]  S. Parker,et al.  Enhancing role breadth self-efficacy: the roles of job enrichment and other organizational interventions. , 1998, The Journal of applied psychology.

[8]  Jeffrey D. Wall,et al.  Control-Related Motivations and Information Security Policy Compliance: The Role of Autonomy and Efficacy , 2013 .

[9]  Anat Hovav,et al.  Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea , 2012, Inf. Manag..

[10]  Elaine H. Ferneley,et al.  Resist, comply or workaround? An examination of different facets of user engagement with information systems , 2006, Eur. J. Inf. Syst..

[11]  E. Deci,et al.  Facilitating internalization: the self-determination theory perspective. , 1994, Journal of personality.

[12]  Fujun Lai,et al.  Using Partial Least Squares in Operations Management Research: A Practical Guideline and Summary of Past Research , 2012 .

[13]  Ryan West,et al.  The psychology of security , 2008, CACM.

[14]  E. Deci,et al.  Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being. , 2000, The American psychologist.

[15]  E. Deci,et al.  The general causality orientations scale: Self-determination in personality , 1985 .

[16]  Keshnee Padayachee,et al.  Taxonomy of compliant information security behavior , 2012, Comput. Secur..

[17]  Jamal El-Den,et al.  Stress-based security compliance model - an exploratory study , 2016, Inf. Comput. Secur..

[18]  Yong Jin Kim,et al.  The effect of compliance knowledge and compliance support systems on information security compliance behavior , 2017, J. Knowl. Manag..

[19]  Robert LaRose,et al.  Online safety begins with you and me: Convincing Internet users to protect themselves , 2015, Comput. Hum. Behav..

[20]  Ping Zhang,et al.  The Effects of Extrinsic Motivations and Satisfaction in Open Source Software Development , 2010, J. Assoc. Inf. Syst..

[21]  Tom R. Tyler,et al.  Can Businesses Effectively Regulate Employee Conduct? The Antecedents of Rule Following in Work Settings , 2005 .

[22]  Jing Zhou Feedback valence, feedback style, task autonomy, and achievement orientation: Interactive effects on creative performance. , 1998 .

[23]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[24]  Gaby Odekerken-Schröder,et al.  Using PLS path modeling for assessing hierarchial construct models: guidelines and impirical illustration , 2009 .

[25]  Robert LaRose,et al.  Promoting personal responsibility for internet safety , 2008, CACM.

[26]  Joey F. George,et al.  IT Road Warriors: Balancing Work--Family Conflict, Job Autonomy, and Work Overload to Mitigate Turnover Intentions , 2007, MIS Q..

[27]  Mo Adam Mahmood,et al.  Employees' adherence to information security policies: An exploratory field study , 2014, Inf. Manag..

[28]  Anat Hovav,et al.  Strategic value and drivers behind organizational adoption of enterprise DRM: The korean case , 2012, J. Serv. Sci. Res..

[29]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[30]  Merrill Warkentin,et al.  Fear Appeals and Information Security Behaviors: An Empirical Study , 2010, MIS Q..

[31]  Claus W. Langfred,et al.  Effects of task autonomy on performance: an extended model considering motivational, informational, and structural mechanisms. , 2004, The Journal of applied psychology.

[32]  Ramakrishna Ayyagari An Exploratory Analysis of Data Breaches from 2005-2011: Trends and Insights , 2012 .

[33]  Rebecca Lawton,et al.  Not working to rule: Understanding procedural violations at work , 1998 .

[34]  Gerald C. Kane,et al.  The Shoemaker's Children: Using Wikis for Information Systems Teaching, Research, and Publication , 2009, MIS Q..

[35]  Ned Kock,et al.  Lateral Collinearity and Misleading Results in Variance-Based SEM: An Illustration and Recommendations , 2012, J. Assoc. Inf. Syst..

[36]  R. W. Rogers,et al.  Effects of components of protection-motivation theory on adaptive and maladaptive coping with a health threat. , 1987, Journal of personality and social psychology.

[37]  E. Deci,et al.  The support of autonomy and the control of behavior. , 1987, Journal of personality and social psychology.

[38]  Anat Hovav,et al.  This is my device! Why should I follow your rules? Employees' compliance with BYOD security policy , 2016, Pervasive Mob. Comput..

[39]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[40]  Wynne W. Chin The partial least squares approach for structural equation modeling. , 1998 .

[41]  Yajiong Xue,et al.  Ensuring Employees' IT Compliance: Carrot or Stick? , 2013, Inf. Syst. Res..

[42]  Carlos Daniel Alves Sousa,et al.  Personal Values, Autonomy, and Self‐Efficacy: Evidence from Frontline Service Employees , 2012 .

[43]  Jordan Shropshire,et al.  The influence of the informal social learning environment on information privacy policy compliance efficacy and intention , 2011, Eur. J. Inf. Syst..

[44]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[45]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[46]  Paul A. Pavlou,et al.  Understanding and Predicting Electronic Commerce Adoption: An Extension of the Theory of Planned Behavior , 2006, MIS Q..

[47]  Jai-Yeol Son,et al.  Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies , 2011, Inf. Manag..

[48]  Philip Fei Wu,et al.  A Mixed Methods Approach to Technology Acceptance Research , 2011, J. Assoc. Inf. Syst..

[49]  Michel Tenenhaus,et al.  PLS path modeling , 2005, Comput. Stat. Data Anal..

[50]  D. Rousseau,et al.  Active on the Job—Proactive in Change , 2007 .

[51]  Mo Adam Mahmood,et al.  Employees' Behavior towards IS Security Policy Compliance , 2007, 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[52]  Steven L. Alter,et al.  USF Scholarship: a digital repository @ Gleeson Library | Geschke Center , 2016 .

[53]  Yan Xiao,et al.  Work coordination, workflow, and workarounds in a medical context , 2005, CHI Extended Abstracts.

[54]  Cheolho Yoon,et al.  Understanding computer security behavioral intention in the workplace: An empirical study of Korean firms , 2013, Inf. Technol. People.

[55]  Merrill Warkentin,et al.  Behavioral and policy issues in information systems security: the insider threat , 2009, Eur. J. Inf. Syst..

[56]  A. Bandura Social cognitive theory: an agentic perspective. , 1999, Annual review of psychology.

[57]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[58]  Andrea Back,et al.  Employee Acceptance and Use of Unified Communications and Collaboration in a Cross-Cultural Environment , 2014, Int. J. e Collab..

[59]  Jonathon R. B. Halbesleben,et al.  Research Paper: Technology Implementation and Workarounds in the Nursing Home , 2008, J. Am. Medical Informatics Assoc..

[60]  P. Sparks,et al.  Reactance, autonomy and paths to persuasion: Examining perceptions of threats to freedom and informational value , 2009 .

[61]  Detmar W. Straub,et al.  Security lapses and the omission of information security measures: A threat control model and empirical test , 2008, Comput. Hum. Behav..

[62]  G. Spreitzer PSYCHOLOGICAL EMPOWERMENT IN THE WORKPLACE: DIMENSIONS, MEASUREMENT, AND VALIDATION , 1995 .

[63]  Ben S. Gerber,et al.  Data-centric security: Integrating data privacy and data security , 2009, IBM J. Res. Dev..

[64]  Anat Hovav,et al.  Rethinking the Prevailing Security Paradigm , 2018, Data Base.

[65]  M. Kiggundu,et al.  Task Interdependence and the Theory of Job Design , 1981 .

[66]  Guangping Wang,et al.  The effects of job autonomy, customer demandingness, and trait competitiveness on salesperson learning, self-efficacy, and performance , 2002 .