Abstract
Despite the rapid rise in social engineering attacks, not all employees comply with information security policies (ISPs) to the extent that organisations expect. ISP non-compliance is caused by a variety of psychological motivations. This study investigates the effect of employees' psychological contract breach (PCB) on ISP compliance intention, dividing these motivations into intrinsic and extrinsic motivation using the theory of planned behaviour and the general deterrence theory. Data analysis from UK employees (n = 206) showed that the higher the PCB, the lower the ISP compliance intentions. The study also found that PCBs significantly reduced intrinsic motivation (attitude and perceived fairness) for ISP compliance intentions, whereas PCBs did not moderate the relationship between extrinsic motivation (sanction severity and sanction certainty) and ISP compliance intentions. As a result, this study successfully addresses the risks of PCBs in the field of Information System (IS) security and proposes effective solutions for employees with high PCBs.
Data availability
Not applicable.
Acknowledgements
I completed this research thanks to a lot of support and assistance from the following people. First, thanks to my supervisor, Dr Nadine Michaelides, for providing guidance, sophisticated critique, connection to the partner company, and encouragement. Without her supervision and encouragement, I would not have been able to complete a dissertation of this quality. I would also like to thank Dr Harjinder Lallie, a course leader, for helping me publish my research as a quality journal article. Their contributions supported me to get through my master’s degree. Furthermore, I would like to thank my anonymous contributor, a multinational industrial goods and services company. In particular, I cannot thank enough the CISO and two stakeholders of the company, who supported random sampling and survey distribution to their employees to conduct surveys anonymously and confidentially. I am also grateful for the over 260 employees of the company who participated in my online questionnaire. Thank you for taking your valuable time to participate in this thesis. Finally, my appreciation goes to my friends and family for not only being involved in the pilot testing of my study, but also supporting me emotionally and mentally as always.
Author information
Contributions
DL wrote the original manuscript. She gathered the data under the supervision of both NM and HSL. NM is DL's primary supervisor; she guided DL on research direction, and specifically on methods of analysis. HSL has reviewed, scrutinised, critiqued and edited the final submission. All authors reviewed the manuscript.
Ethics declarations
Conflict of interest
The authors declare that we have no competing financial or non-financial interests that are directly or indirectly related to the work submitted for publication.
Appendices
Appendix A
Part one: Personal characteristics
1. What is your age?
[ ] Under 20
[ ] 20–29
[ ] 30–39
[ ] 40–49
[ ] 50–59
[ ] 60 and above
2. What is your gender?
[ ] Female
[ ] Male
3. What is your job position?
[ ] Manager
[ ] Non-manager
4. How long have you worked in this organisation?
[ ] Less than 1 year
[ ] 1–5 years
[ ] 6–10 years
[ ] 10–15 years
[ ] More than 15 years
5. What is your type of employment?
[ ] Temporary
[ ] Permanent
Part two: Motivational process for ISP compliance intention
To what extent do you agree?
* ISP (Information Security Policy) prescribes employee’s cybersecurity behaviour within an organisation (e.g. use of personal computers, access to the internal systems, opening emails and attachments, data leakage from social media, password management, and software downloads from the internet).
See Table 5.
Appendix B
For analysis, the values of PCB 1–3 were reverse coded as PCB represents a negative factor, whereas PCB 4–9 remained the same. Similarly, the values of PF 1–4 were reverse coded as perceived fairness was a positive motivator. Therefore, a low value for the PCB indicator can be interpreted as positive, while a high value is associated with a positive factor for the other 25 indicators.
See Table 6.
Appendix C
Appendix D
About this article
Cite this article
Lee, D., Lallie, H.S. & Michaelides, N. The impact of an employee’s psychological contract breach on compliance with information security policies: intrinsic and extrinsic motivation. Cogn Tech Work 25, 273–289 (2023). https://doi.org/10.1007/s10111-023-00727-5
DOI: https://doi.org/10.1007/s10111-023-00727-5