If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security

Abstract

Information security has become increasingly important to organizations. Despite the prevalence of technical security measures, individual employees remain the key link – and frequently the weakest link – in corporate defenses. When individuals choose to disregard security policies and procedures, the organization is at risk. How, then, can organizations motivate their employees to follow security guidelines? Using an organizational control lens, we build a model to explain individual information security precaution-taking behavior. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of ‘mandatoriness,’ which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is effective in motivating individuals to take security precautions; thus, if individuals believe that management watches, they will comply.

Figure 1
Figure 2

Author information

Correspondence to Scott R Boss.

Additional information

An earlier version of this paper was presented in Montreal, Quebec, Canada at the International Conference on Information Systems, 2008.

Appendices

Appendix A

See Table A1.

Table A1 Survey scale items (all items measured on a 7-point Likert-type scale)

Appendix B

See Table B1.

Table B1 Common method bias analysis

About this article

Cite this article

Boss, S., Kirsch, L., Angermeier, I. et al. If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security. Eur J Inf Syst 18, 151–164 (2009). https://doi.org/10.1057/ejis.2009.8

Keywords

  • information security
  • control
  • mandatoriness