Motivating information security policy compliance: The critical role of supervisor-subordinate guanxi and organizational commitment

Abstract: Employees’ non-compliance with organizational information security policy (ISP) when using informational resources has become the main reason for continuous security incidents. Drawing upon technology threat avoidance theory (TTAT) and social exchange theory (SET), our study investigates the influence of supervisor-subordinate guanxi (SSG) and organizational commitment in information security management. Our hypotheses were tested using survey data from 235 Chinese government employees. Results not only confirm the direct effect of SSG on government employees’ ISP compliance but also suggest that SSG indirectly influences compliance behavior via the mediation of organizational commitment. Organizational commitment weakens the negative influence of perceived costs on compliance behavior and also weakens the positive effect of self-efficacy on employees’ ISP compliance. For low-commitment employees, the negative influence of perceived costs on compliance behavior is more significant than it is for those with strong organizational commitment, and self-efficacy exerts a stronger effect on ISP compliance for low-commitment employees than it does for high-commitment employees. This study contributes to current literature on information systems (IS) by confirming the critical roles of SSG and organizational commitment in motivating employees’ compliance behavior.
