European Journal of Information Systems

, Volume 18, Issue 2, pp 151–164 | Cite as

If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security

  • Scott R Boss
  • Laurie J Kirsch
  • Ingo Angermeier
  • Raymond A Shingler
  • R Wayne Boss
Original Article


Information security has become increasingly important to organizations. Despite the prevalence of technical security measures, individual employees remain the key link – and frequently the weakest link – in corporate defenses. When individuals choose to disregard security policies and procedures, the organization is at risk. How, then, can organizations motivate their employees to follow security guidelines? Using an organizational control lens, we build a model to explain individual information security precaution-taking behavior. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of ‘mandatoriness,’ which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is effective in motivating individuals to take security precautions, thus if individuals believe that management watches, they will comply.


information security control mandatoriness 



  1. Ajzen I (1985) From intentions to actions: a theory of planned behavior. In Action Control, from Cognition to Behavior (KUHL J, and BECKMANN J, Eds), pp 11–39, Springer-Verlag, Berlin, NY.Google Scholar
  2. American National Standards Institute (2005) Iso ics 35 Information Technology. American National Standards Institute, Washington DC.Google Scholar
  3. Armstrong JS and Overton TS (1977) Estimating nonresponse bias in mail surveys. Journal of Marketing Research 14 (3), 396–402.CrossRefGoogle Scholar
  4. Baron RM and Kenny DA (1986) The moderator mediator variable distinction in social psychological-research – conceptual, strategic, and statistical considerations. Journal of Personality and Social Psychology 51 (6), 1173–1182.CrossRefGoogle Scholar
  5. Birnberg JG and Snodgrass C (1988) Culture and control – a field-study. Accounting Organizations and Society 13 (5), 447–464.CrossRefGoogle Scholar
  6. Blumstein A (1978) Introduction. In Deterrence and Incapacitation: Estimating the Effects of Criminal Sanctions on Crime Rates (BLUMSTIEN A, COHEN J and NAGIN D, Eds), National Academy of Sciences, Washington DC.Google Scholar
  7. Brown SA, Massey AP, Montoya-Weiss MM and Burkman JR (2002) Do I really have to? User acceptance of mandated technology. European Journal of Information Systems 11 (4), 283–295.CrossRefGoogle Scholar
  8. Cardinal LB (2001) Technological innovation in the pharmaceutical industry: the use of organizational control in managing research and development. Organization Science 12 (1), 19–36.CrossRefGoogle Scholar
  9. Cardinal LB, Sitkin SB and Long CP (2004) Balancing and rebalancing in the creation and evolution of organizational control. Organization Science 15 (4), 411–431.CrossRefGoogle Scholar
  10. Carmines EG and Zeller RA (1979) Reliability and Validity Assessment. Sage Publications, Beverly Hills, CA.CrossRefGoogle Scholar
  11. Chae B and Poole MS (2005) Mandates and technology acceptance: a tale of two enterprise technologies. Journal of Strategic Information Systems 14 (2), 147–166.CrossRefGoogle Scholar
  12. Charlton JP and Birkett PE (1995) The development and validation of the computer apathy and anxiety scale. Journal of Educational Computing Research 13 (1), 41–59.CrossRefGoogle Scholar
  13. Chin WW (1998) The partial least squares approach for structural equation modeling. In Modern Methods for Business Research (MARCOULIDES GA, Ed), pp 295–336, Lawrence Erlbaum, Mahwah, NJ.Google Scholar
  14. Chin WW and Gopal A (1995) Adoption intention in gss – relative importance of beliefs. Data Base for Advances in Information Systems 26 (2–3), 42–64.CrossRefGoogle Scholar
  15. Choudhury V and Sabherwal R (2003) Portfolios of control in outsourced software development projects. Information Systems Research 14 (3), 291–314.CrossRefGoogle Scholar
  16. Chow CW, Hirst M and Shields MD (1995) The effects of pay schemes and probabilistic management audits on subordinate misrepresentation of private information: an experimental investigation in a resource allocation context. Behavioral Research in Accounting 7, 1–15.Google Scholar
  17. Cohen J (1977) Statistical Power Analysis for the Behavioral Sciences. Academic Press, New York.Google Scholar
  18. Compeau DR and Higgins CA (1995) Computer self-efficacy – development of a measure and initial test. MIS Quarterly 19 (2), 189–211.CrossRefGoogle Scholar
  19. Coren M (2005) Experts: Cyber-Crime Bigger Threat than Cyber-Terror. Cable News Network LP, LLLP, Atlanta, GA.Google Scholar
  20. D’Aquila JM (2001) Financial accountants’ perceptions of management's ethical standards. Journal of Business Ethics 31 (3), 233–244.CrossRefGoogle Scholar
  21. Das TK and Teng BS (1998) Between trust and control: developing confidence in partner cooperation in alliances. Academy of Management Review 23 (3), 491–512.Google Scholar
  22. Deci EL and Ryan RM (2002) Handbook of Self-determination Research. University of Rochester Press, Rochester, NY.Google Scholar
  23. Dhillon G (2001) Violation of safeguards by trusted personnel and understanding related information security concerns. Computers & Security 20 (2), 165–172.CrossRefGoogle Scholar
  24. Dopuch N, Birnberg JG and Demski JS (1982) Cost Accounting: Accounting Data for Management's Decisions. Harcourt Brace Jovanovich, New York.Google Scholar
  25. Dutta A and McCrohan K (2002) Management's role in information security in a cyber economy. California Management Review 45 (1), 67–87.CrossRefGoogle Scholar
  26. Eisenhardt KM (1985) Control: organizational and economic approaches. Management Science 31 (2), 134–149.CrossRefGoogle Scholar
  27. Eisenhardt KM (1988) Agency-theory and institutional-theory explanations – the case of retail sales compensation. Academy of Management Journal 31 (3), 488–511.CrossRefGoogle Scholar
  28. Falk A and Kosfeld M (2004) Distrust – The Hidden Cost of Control. National Bureau of Economic Research, Cambridge, MA.Google Scholar
  29. Fornell C and Larcker DF (1981) Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research 18 (1), 39–50.CrossRefGoogle Scholar
  30. Frederickson JR and Waller W (2005) Carrot or stick? Contract frame and use of decision-influencing information in a principal-agent setting. Journal of Accounting Research 43 (5), 709–733.CrossRefGoogle Scholar
  31. Garfinkel S, Spafford G and Schwartz A (2003) Practical Unix and Internet Security. O’Reilly, Beijing, Sebastopol, CA.Google Scholar
  32. Hartwick J and Barki H (1994) Explaining the role of user participation in information-system use. Management Science 40 (4), 440–465.CrossRefGoogle Scholar
  33. Hasan B (2006) Delineating the effects of general and system-specific computer self-efficacy beliefs on is acceptance. Information & Management 43 (5), 565–571.CrossRefGoogle Scholar
  34. Hu Q, Hart P and Cooke D (2007) The role of external and internal influences on information systems security – a neo-institutional perspective. Journal of Strategic Information Systems 16 (2), 153–172.CrossRefGoogle Scholar
  35. Jaworski BJ (1988) Toward a theory of marketing control: environmental context, control types, and consequences. Theory of Marketing Control 52, 23–39.Google Scholar
  36. Kadam A (2002) Writing an information security policy. Network Magazine. Indian Express Group, Mumbai, India.Google Scholar
  37. Karahanna E and Straub DW (1999) The psychological origins of perceived usefulness and ease-of-use. Information & Management 35 (4), 237–250.CrossRefGoogle Scholar
  38. Kelman HC (1958) Compliance, identification, and internationalization: three processes of attitude change? Journal of Conflict Resolution 2 (1), 51–60.CrossRefGoogle Scholar
  39. Kelman HC (1961) Processes of opinion change. Public Opinion Quarterly 25 (1), 57–78.CrossRefGoogle Scholar
  40. Kenny DA, Kashy DA and Bolger N (1998) The handbook of social psychology. In The Handbook of Social Psychology (GILBERT DT, FISKE ST and LINDZEY G, Eds), pp 233–265, McGraw-Hill, Boston, NY.Google Scholar
  41. Kirsch LJ (1996) The management of complex tasks in organizations: controlling the systems development process. Organization Science 7 (1), 1–21.CrossRefGoogle Scholar
  42. Kirsch LJ (1997) Portfolios of control modes and is project management. Information Systems Research 8 (3), 215–239.CrossRefGoogle Scholar
  43. Kirsch LJ (2004) Deploying common solutions globally: the dynamics of control. Information Systems Research 15 (4), 374–395.CrossRefGoogle Scholar
  44. Kirsch LJ, Sambamurthy V, Ko DG and Purvis RL (2002) Controlling information systems development projects: the view from the client. Management Science 48 (4), 484–498.CrossRefGoogle Scholar
  45. Liang HG, Saraf N, Hu Q and Xue YJ (2007) Assimilation of enterprise systems: the effect of institutional pressures and the mediating role of top management. MIS Quarterly 31 (1), 59–87.Google Scholar
  46. Lim VKG, Teo TSH and Loo GL (2002) How do I loaf here? Let me count the ways. Communications of the ACM 45 (1), 66–70.CrossRefGoogle Scholar
  47. Lorange P and Scott-Morton MS (1974) A framework for management control systems. Sloan Management Review 16 (1), 47–56.Google Scholar
  48. Luft J (1994) Bonus and penalty incentives contract choice by employees. Journal of Accounting & Economics 18 (2), 181–206.CrossRefGoogle Scholar
  49. Macaulay S and Cook S (1994) Performance management as the key to customer service. Industrial and Commercial Training 26 (11), 3–8.CrossRefGoogle Scholar
  50. Malhotra Y and Galletta D (2005) A multidimensional commitment model of volitional systems adoption and usage behavior. Journal of Management Information Systems 22 (1), 117–151.Google Scholar
  51. Malhotra Y, Galletta DF and Kirsch LJ (2008) How endogenous motivations influence user intentions: beyond the dichotomy of extrinsic and intrinsic user motivations. Journal of Management Information Systems 25 (1), 267–299.CrossRefGoogle Scholar
  52. Markus ML (1983) Power, politics, and mis implementation. Communications of the ACM 26 (6), 430–444.CrossRefGoogle Scholar
  53. Mathieson K, Peacock E and Chin WW (2001) Extending the technology acceptance model: the influence of perceived user resources. Database for Advances in Information Systems 32 (3), 86–112.CrossRefGoogle Scholar
  54. Milgram S (1974) Obedience to Authority; an Experimental View. Harper & Row, New York.Google Scholar
  55. National Cyber Security Alliance (2005) Top Ten Cybersecurity Tips. National Cyber Security Alliance, Washington DC.Google Scholar
  56. National Cyber Security Alliance and McAfee Corporation (2008) Mcafee-ncsa Online Safety Study. National Cyber Security Alliance and McAfee Corporation, Washingtion DC.Google Scholar
  57. Nidumolu SR and Subramani MR (2003) The matrix of control: combining process and structure approaches to managing software development. Journal of Management Information Systems 20 (3), 159–196.Google Scholar
  58. Nunnally JC and Bernstein IH (1994) Psychometric Theory. McGraw-Hill, New York.Google Scholar
  59. Ouchi WG (1977) Relationship between organizational-structure and organizational control. Administrative Science Quarterly 22 (1), 95–113.CrossRefGoogle Scholar
  60. Ouchi WG (1979) Conceptual-framework for the design of organizational control mechanisms. Management Science 25 (9), 833–848.CrossRefGoogle Scholar
  61. Petter S, Straub D and Rai A (2007) Specifying formative constructs in information systems research. MIS Quarterly 31 (4), 623–656.Google Scholar
  62. Podsakoff PM, MacKenzie SB, Lee JY and Podsakoff NP (2003) Common method biases in behavioral research: a critical review of the literature and recommended remedies. Journal of Applied Psychology 88 (5), 879–903.CrossRefGoogle Scholar
  63. Rawstorne P, Jayasuriya R and Caputi P (1998) An integrative model of information systems use in mandatory environments. In International Conference on Information Systems pp 325–330, Association for Computing Machinery, Helsinki, Finland.Google Scholar
  64. Ross ST (1999) Unix System Security Tools. McGraw-Hill, New York.Google Scholar
  65. Ryan RM and Deci EL (2000) Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being. American Psychologist 55 (1), 68–78.CrossRefGoogle Scholar
  66. Schnedler W and Vadovic R (2007) Legitimacy of Control. Institute for the Study of Labor (IZA), Bonn, Germany.Google Scholar
  67. Schneider FW, Gruman JA and Coutts LM (2005) Applied Social Psychology: Understanding and Addressing Social and Practical Problems. Sage Publications, Thousand Oaks, CA.Google Scholar
  68. Shrout PE and Bolger N (2002) Mediation in experimental and nonexperimental studies: new procedures and recommendations. Psychological Methods 7 (4), 422–445.CrossRefGoogle Scholar
  69. Snell SA (1992) Control-theory in strategic human-resource management – the mediating effect of administrative information. Academy of Management Journal 35 (2), 292–327.CrossRefGoogle Scholar
  70. Straub DW (1990) Effective is security: an empirical study. Information Systems Research 1 (3), 255–273.CrossRefGoogle Scholar
  71. Straub DW and Welke RJ (1998) Coping with systems risk: security planning models for management decision making. MIS Quarterly 22 (4), 441–469.CrossRefGoogle Scholar
  72. Sussman SW and Siegal WS (2003) Informational influence in organizations: an integrated approach to knowledge adoption. Information Systems Research 14 (1), 47–65.CrossRefGoogle Scholar
  73. Symantec Corporation (2007) Symantec Reports Rise in Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers’ Financial Gain. Symantec Corporation, Cupertino, CA.Google Scholar
  74. Taylor S and Todd P (1995) Assessing it usage: the role of prior experience. MIS Quarterly 19 (4), 561–570.CrossRefGoogle Scholar
  75. Venkatesh V and Davis FD (2000) A theoretical extension of the technology acceptance model: four longitudinal field studies. Management Science 46 (2), 186–204.CrossRefGoogle Scholar

Copyright information

© Palgrave Macmillan 2009

Authors and Affiliations

  • Scott R Boss
    • 1
  • Laurie J Kirsch
    • 2
  • Ingo Angermeier
    • 3
  • Raymond A Shingler
    • 4
  • R Wayne Boss
    • 5
  1. 1.Department of AccountancyBentley UniversityU.S.A.
  2. 2.Joseph M. Katz Graduate School of Business & College of Business Administration, University of PittsburghU.S.A.
  3. 3.Spartanburg Regional Medical CenterU.S.A.
  4. 4.Spartanburg Regional Medical CenterU.S.A.
  5. 5.Leeds School of Business, University of Colorado at BoulderU.S.A.

Personalised recommendations