Abstract
Information security has become increasingly important to organizations. Despite the prevalence of technical security measures, individual employees remain the key link – and frequently the weakest link – in corporate defenses. When individuals choose to disregard security policies and procedures, the organization is at risk. How, then, can organizations motivate their employees to follow security guidelines? Using an organizational control lens, we build a model to explain individual information security precaution-taking behavior. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of ‘mandatoriness,’ which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is, in turn, effective in motivating individuals to take security precautions: if individuals believe that management is watching, they will comply.
An earlier version of this paper was presented in Montreal, Quebec, Canada at the International Conference on Information Systems, 2008.
Cite this article
Boss, S., Kirsch, L., Angermeier, I. et al. If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security. Eur J Inf Syst 18, 151–164 (2009). https://doi.org/10.1057/ejis.2009.8