[ieee 2013 46th hawaii international conference on system sciences (hicss) - wailea, hi, usa...



Explaining Opposing Compliance Motivations towards Organizational Information Security Policies

Paul Benjamin Lowry, City University of Hong Kong

Greg D. Moody, University of Las Vegas-Nevada

Abstract

Lack of compliance with organizational information security policies (ISPOs) is a widespread organizational issue that increasingly bears very large direct and qualitative costs. The purpose of our study was to explain the causes of tensions within organizations to either comply with new ISPOs or react negatively against them. To do so, we proposed an innovative model, which pits organizational control theory, as a force that explains ISPO compliance, against reactance theory, as a force that explains ISPO noncompliance and anger toward organizations. To test the model, we used a sample of 320 working professionals in a variety of industries to examine the likely organizational outcomes when a new ISPO is delivered to employees in the form of a typical memo sent throughout an organization. We found support for our newly proposed model, which is an important contribution to research on organizational security practices.

1.0 INTRODUCTION

Organizations increasingly rely on information and related systems, which are also a source of much organizational risk. This environment has consequently increased the importance of managing information risks within organizations. This risk management has traditionally relied on technological solutions to improve information security. Yet, because employees are major threats to organizations’ information security and cause the majority of information security breaches, it is crucial to consider the socio-organizational elements in assuring that information resources are secure [1]. Thus, fostering employee compliance with information security policies (ISPOs) is a key approach that organizations use to attempt to improve this weak link [1, 2]. ISPOs are a set of formalized procedures, guidelines, roles, and responsibilities which employees are required to adhere to in order to safeguard and use the information and technology resources of their organizations properly.

ISPO compliance is a critical consideration in organizational security governance, because internal controls are created, responsibilities are assigned, and accountability is maintained. ISPOs help ensure the security of organizational information resources by thwarting employee attempts to bypass information security, and by training employees to use information resources appropriately. Recent management research has applied several theories and frameworks to explain ISPO compliance and related phenomena; yet, thus far, the findings are mixed. In practice, actual ISPO compliance is also highly mixed: many employees are apathetic about ISPOs and ignore them; other times employees try to circumvent ISPOs intentionally; and, even worse, some employees will often purposely do the opposite of the desired behavior.

Extant literature has produced a strong foundation for organizational ISPO compliance research, but has left several gaps that provide opportunities for further research. One key opportunity is that although some studies have looked at ISPO compliance [e.g., 2] and others have looked at noncompliance [e.g., 1], no studies have directly considered their motivators in the same model. This is an important aspect, because human behavior often involves dual-process models of competing outcomes [e.g., 3]. Understanding the dual processes of increased and decreased desire to comply could explain the mixed results in the literature. Likewise, understanding both sides might help explain the most puzzling research results, in which increased ISPO controls sometimes backfire and increase pernicious employee behaviors in organizations.

2.0 CRCM THEORY AND HYPOTHESES

We now provide more detail on the theoretical foundation of the Control-Reactance Compliance Model (CRCM), starting with control theory, from which we introduce the key constructs of formal control, mandatoriness, and security precautions. These are constructs that have already been established in the literature that we will use as a traditional explanation for why employees are motivated to comply with new ISPOs.

2013 46th Hawaii International Conference on System Sciences

1530-1605/12 $26.00 © 2012 IEEE

DOI 10.1109/HICSS.2013.5


For this portion of CRCM, we build primarily on a model by Boss et al. that combines the use of control theory with the concept of mandatoriness to effectively explain that when individuals perceive organizational security policies to be mandatory, they are more likely to take security precautions. The foundation of the Boss et al. model is control theory. Control theory was originally developed to classify the different types of control utilized by organizations to constrain employees and to explain the social conditions in which different forms of control are used, depending upon the objectives and tasks characteristic of the organization.

Although this approach to control theory helps explain the environments and contexts in which particular controls are most likely to be used, later research further clarified the elements that constitute control itself. Namely, Kirsch [4] categorized controls as either formal, which are “formally documented and initiated by management,” or informal, which are “unwritten and often initiated by employees themselves” [4, p. 375]. Formal controls are inherently more discernible because they are more structured, precisely regulated, and more recognizable. We assume formal controls in our study.

Building on Kirsch’s work, Boss et al. applied control theory in the realm of ISPOs by observing the general effect these policies have on specification (a.k.a., measurement), evaluation, and reward. Kirsch defined these as follows: specification is the measurability of expected behaviors or outcomes; evaluation is the exchange of information and the process of assessing performance; and reward is the result of the performance of expected behaviors, leading to goal achievement.

Boss et al. further observed the effect of formal controls on compliance with existing ISPOs by introducing the innovative concept of mandatoriness, which is “the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management” (p. 151). They found that formal controls toward existing ISPOs do indeed increase the perceived mandatoriness of existing ISPOs. Boss et al.’s research suggested that, when policies are implemented, an organization signals that employees are expected to comply. That signal can vary in the degree of existing mandatoriness by manipulating the dimensions of the formal controls. For further modeling clarity, we term these existing, organizational, formal ISPO controls as existing organizational formal controls.

Boss et al.’s model further explains that an individual’s existing perceived mandatoriness of existing organizational ISPOs will in turn affect the general range of ISPO security precautions the individual takes within the organization. The researchers’ findings show that existing controls increase employees’ existing mandatoriness, and this mandatoriness increases the general ISPO security precautions taken by the employee [5]. Formally, we term these as existing ISPO precautions taken, which are defined as “the degree to which individuals perceive they take measures to secure their computers” in order to follow existing formal controls and ISPOs [5, p. 155].

2.1 Control Theory and ISPO Compliance

A key point of differentiation between Kirsch’s model and Boss et al.’s model and CRCM is that the former were proposed and tested around predicting how existing organizational conditions impact existing compliance with policies. CRCM adds the nuance of predicting how existing organizational conditions predict compliance with a new ISPO. In our context, the new ISPO will be introduced through a formal organizational memo, so that we can manipulate the formal control and language of the newly introduced ISPO as a persuasion attempt to encourage organizational compliance. Therefore, we ignored replications and predictions of how existing conditions predict existing compliance, as these are established and thus outside the scope of our study.

Thus, our first theoretical proposition is that because past related behavior is often a strong predictor of future related behavior [6], it logically follows that if an employee has a pattern of taking ISPO precautions, this pattern is likely to continue in terms of new ISPOs. One reason for this link is that past ISPO compliance suggests a more positive attitude toward ISPO compliance than that of an employee who has not complied with ISPOs. Such positive attitudes tend to be lasting and are strong predictors of future ISPO compliance [2, 7]. Further, individuals tend to maintain consistency between their outward behaviors and their internal motivations that drive such behaviors, thus their behaviors and motivations are expected to remain consistent over time [8].

Finally, past compliance and habit are a further explanation for the link between past and future ISPO compliance behaviors. Formally, habit is the “learned sequences of acts that have become automatic responses to specific cues, and are functional in obtaining certain goals or end-states” [9, p. 104]. Behavioral habits toward ISPO compliance have been shown to predict continued and future ISPO compliance: as employees develop good attitudes, awareness, and knowledge of ISPOs, and comply with them over time, they develop normative beliefs and habits toward ISPO compliance [10].

H1. Existing ISPO precautions taken increase intent to comply with a new ISPO.


Aside from the habit of precautions taken, we posit that the existing organizational formal controls also have a direct impact on new ISPO compliance. Existing controls help to create a climate and culture where ISPO compliance is the norm and where expectations are clearer than in organizations without formal controls. That is, formal controls from management create normative beliefs around ISPO compliance, and these norms can evolve into strong social capital controls in organizations [11]. In our context, normative beliefs (a.k.a., norms) are “an employee’s perceived social pressure about compliance with the requirements of the ISPO caused by behavioral expectations of such important referents as executives, colleagues, and managers” [2, p. 529]; these norms increase compliance [2].

Such formal policies and controls can help create a positive information security climate, where compliance is more likely by also reinforcing normative beliefs [12]. Formally, an information security climate involves the organizational mechanisms and practices that define how an organization treats information security [13]. In positive climates, it is more likely that employees will perceive that the top management champions ISPOs, which is the degree to which employees perceive that the top managers in an organization firmly support or advocate for its ISPOs [13]. Such championship emphasizes the importance of the ISPO in the day-to-day work of an organization in protecting it from harm [14]. By evaluating and enforcing the use of ISPO controls in an organization, management again emphasizes the importance and the benefit of the ISPO to the entire organization.

Notably, positive security climates with perceived top management championship foster more ISPO compliance in employees [13]. Aside from perceived leadership, top management championship is effective because organizations with such management tend to have more preventative controls [15] and because top management support serves as a form of normative control against non-compliance [16]. Thus, if an organization lacks strong controls, then the security climate, associated expectations, and top management championship are more likely to be weaker—as will be ISPO compliance.

H2. Existing organizational formal controls increase intent to comply with a new ISPO.

We also propose that the perceived mandatoriness of a new ISPO affects ISPO compliance directly. We first assume the corollary that if existing ISPOs have an associated perceived mandatoriness, then new ISPOs will have their own associated perceived mandatoriness. To increase theoretical clarity, we define new ISPO mandatoriness as the degree to which an individual perceives that compliance with a new ISPO is compulsory or expected by organizational management. Recall that Boss et al. found that the acts of specifying policies and evaluating behaviors (i.e., controls) are effective in convincing individuals that security policies are mandatory. Since Boss et al. show that existing controls are positively correlated with existing mandatoriness, then new controls should positively impact new mandatoriness similarly.

H3. New ISPO mandatoriness increases intent to comply with a new ISPO.

2.2 Reactance Theory and ISPO Noncompliance

Now that we have explained how formal controls, mandatoriness, and taking existing security precautions can influence organizational ISPO compliance, we now consider reactance theory to explain what discourages ISPO compliance. A key assumption of CRCM is that most employees have a predetermined level of tolerance for controlling management policies and a threshold for how much individual freedom the individuals will give up before negative consequences toward the organization will occur. This assumption is supported by a host of deterrence- and monitoring-related studies that show that overly controlling approaches can backfire and result in pernicious employee behaviors [e.g., 17, 18]. Thus, high levels of new ISPO control could lead to negative results for organizations—especially because punishments are often an integral part of formalized controls. Despite this promising connection, this issue has not been considered in the literature thus far. To address this issue, we leverage psychological reactance theory.

Reactance theory has historically been used in behavioral and psychological studies. For example, Silvia [19] studied the role of similarity in decreasing reactance. Others have used reactance theory in a variety of behavioral studies. However, we found no application in terms of organization policy compliance, including ISPO compliance.

Reactance theory predicts that any given person has a set of behavioral freedoms (a realm of personal freedom) that if eliminated, or threatened with elimination, will create an adverse state of arousal called reactance [20]. Reactance is a negative emotional response caused by threats or losses on behavioral freedom, which focuses on restoring the freedom in question. A key assumption for reactance to occur is that the person whose behavior is threatened has an expectation of free choice and thus is motivationally aroused any time that free choice is threatened [21]. Reactance has also been shown to occur when individuals are pressured (e.g., strongly persuaded or manipulated) to choose between two choices [22].


Accordingly, in our context, reactance is a negative emotional coping response that is a form of message rejection caused primarily by lost or threatened freedom, and thus focuses on re-establishing the threatened or eliminated behavioral freedom. Unlike avoidance, reactance is an active negative response to an external source that tries to influence/persuade behavior. During reactance, an individual systematically processes the sources of the negative emotion, but rather than trying to conceal the emotion, the individual is motivated to challenge the causes of the emotion (i.e., loss of behavioral freedoms), which allows him/her to invalidate the conclusions formed from the causes [23]. Accordingly, reactance is associated with more heated or emotional responses that allow individuals to displace the concern over missed opportunities with a sense of anger or frustration directed toward the source of information originally perceived to cause the concern [24]. Thus, reactance is a particularly pernicious organizational phenomenon, because it pits the will of the employee against the will of the employer, resulting in negative conflicts through undesired employee behaviors and emotions.

We propose that new organizational controls are key mechanisms that can drive reactance in organizations. We posit that newly introduced controls from a new ISPO can threaten one’s sense of freedom by challenging the existing balance of an employee’s valued behavioral freedoms. As support, formal control “depends heavily upon monitoring, evaluating, and correcting in an explicit manner” [4, 25, p. 841]. Namely, the manager determines the behaviors, outcomes, procedures, goals, and so forth, that the employee is expected to meet. An established hierarchy of authority in an organization provides a context in which the roles and relationships can be understood. For example, an autocratic authority is a formal control, because of the clear and strong superior-subordinate relationship.

Notably, Ouchi explained and predicted that higher levels of control are “likely to offend people’s sense of autonomy and of self-control . . . [because], the more obvious and explicit the measurement, the more noxious it is to employees” (p. 841). Further, it has been argued that control can actually encourage deviance when control produces a perceived disparity between employee and employer [26]. It is thus not surprising that reactance research has shown that coercion, in particular, tends to lead to the strongest levels of reactance, because it goes beyond mere persuasion [27]. Hence, a strong display of authoritative power—for example, more explicit formal control measurements, whether in the form of specification, evaluation, or rewards and sanctions—can threaten an employee’s sense of freedom. That is, when a manager specifies an employee’s appropriate outcomes or behaviors, the employee’s behavior alternatives are more limited [28]. Thus, the more specific and transparent the controls provided in a new ISPO are, the more such controlling approaches are likely to threaten an employee’s sense of freedom because of the specification, evaluation, and rewards around the specific behaviors.

The key to galvanizing the causal mechanisms of reactance is thus to threaten or eliminate personal freedoms that employees believe organizations should not threaten. In predicting reactance, the issue is not whether it is reasonable or legal to threaten or eliminate an employee’s freedom; the issue is how an employee feels about a threatened freedom. A study on underage drinking, which is illegal and generally not in keeping with common sense [29], illustrated this issue: in this study, despite legal and social mores, the more the students felt that drinking alcohol should be a personal freedom, the more the messages urging them not to drink influenced drinking. This study was later confirmed in a more advanced study on collegiate drinking [30], and similar results were shown in adolescent smoking research with dispositional reactance [31].

Thus, the question in our context is not whether it is reasonable or legal to threaten or eliminate employee freedoms in the workplace regarding ISPOs, but rather how employees perceive that the new ISPO controls threaten their valued freedoms. Many employees feel that there is an implicit contract of respecting privacy and personal space in the workplace, and are offended by the idea of their Internet access and emails being monitored [32]. Also, whether or not employers actually read employee emails is not the only salient factor. If employers publicly reserve the right to read employees’ email—even if they never engage in reading them—that can cause enough of a threat to personal freedom to cause reactance.

Meanwhile, the more important the threatened freedom is or the greater the level of threat to freedom, the greater the magnitude of reactance will be [24]. A threat to freedom in a reactance context is the degree to which the actions of or communications from organizational management cause employees to believe their freedom to choose is threatened, manipulated, or pressured by management [24]. We define threat to freedom from a new ISPO as the degree to which a new ISPO delivered from an organization’s management causes the employees to believe their freedom to choose is threatened or manipulated by management. The importance of freedom in a reactance context is how much employees value the freedom to engage in specific behaviors in the workplace that might be controlled or eliminated by management [20]. In our context, the importance of ISPO freedom is how much employees value the freedom associated with a specific computer-related behavior that might be controlled or eliminated by management through ISPOs.

H4. A threat to freedom from a new ISPO increases reactance to a new ISPO.

H5. The importance of ISPO freedom increases reactance to a new ISPO.

Likewise, increased behavioral freedom decreases reactance [27]. In our reactance context, we are concerned with the behavioral freedom associated with a new ISPO. Based on [24], we term this freedom as freedom from a new ISPO, which is the degree to which information regarding a new ISPO promotes individual choice and decision making, free of pressure and manipulation from management.

H6. Freedom from a new ISPO decreases reactance to a new ISPO.

As reactance theory has been further tested and extended over time, several important additions have been included that further drive our CRCM proposal. First, a promising phenomenon we found in the reactance literature is that a well-established measure of one’s reactance proneness (a.k.a., trait reactance) has been developed and validated; ironically, however, this measure has never been used to predict actual reactance [24]. We thus newly posit and test this relationship in our CRCM. Specifically, reactance proneness is one’s disposition or tendency to experience a state of reactance when one’s freedoms are restricted [24]. Given this conceptualization, it naturally follows that people who are more prone to reactance to freedom restrictions in general are more likely to manifest reactance when management introduces a new, freedom-restricting ISPO.

H7. Reactance proneness increases reactance to a new ISPO.

Quick and Kim [33] further demonstrated other negative effects of reactance with a construct the authors term boomerang effects. Boomerang effects emerge because of reactance and are the measurable efforts of individuals to directly restore freedoms and/or undo threats to freedoms that emerge in an organization. In an ISPO context, we propose that an undesired boomerang effect would be lack of compliance with the new ISPO as a purposeful act to restore a valued but threatened or eliminated freedom. Therefore, in our context, if an ISPO is seen by an employee as a direct threat to his or her personal freedom, the boomerang effects would be plausibly manifested as a decreased intention to follow the new ISPO in order to try to regain the lost freedoms and/or decrease the threats to freedoms resulting from the new policy. Similar effects have also been proposed and found in the field of criminology.

H8. Reactance to a new ISPO decreases the intent to comply with a new ISPO.

Dillard and Shen [24] also theorized that reactance can result in “an amalgam of anger and negative cognitions” (p. 164), which has been empirically validated in [24, 33]. Such anger and negative cognitions, such as irritation, tend to focus on the related behavioral control incident, but can spread if further incidents continue. Formally, in a reactance context this anger/irritation is the degree to which a behavioral control from management that threatens or eliminates workplace freedom causes annoyance, irritation, anger, or aggravation toward management regarding the threatened or eliminated freedom. Such anger/irritation is a particularly pernicious outcome in organizations because such emotions are closely linked to destructive antisocial or aggressive behavior.

H9. Reactance to a new ISPO increases anger/irritation toward the organization about the new ISPO.

Figure 1 summarizes our proposed model, CRCM.

Figure 1. Control-Reactance Compliance Model (CRCM)

3.0 RESEARCH METHODS

Our experimental design was a 2x2 factorial design that provided professional ISPO memos from eight different, randomly selected IT security policies that were manipulated in terms of controlling language (high-low) and formal control (high-low). Eight different forms of IT policies were used with four manipulations each, for a total of 32 conditions. Each policy had four memos representing a combination of high-language high-control, high-language low-control, low-language high-control, and low-language low-control, for a between-groups factorial experiment.

We tested the CRCM by using a scenario-based method with professionals. The scenario method presents respondents with “written descriptions of realistic situations and then request[s] responses on a number of rating scales that measure the dependent variables of interest” [34, p. 127-128]. This is the method most commonly applied to issues related to ethics [35]. Accordingly, this method is highly useful for studying ISPO compliance issues and thus has been increasingly used in the ISPO and computer-abuse literature [e.g., 13, 36, 37, 38].

The range of IT security policies was chosen to provide a realistic sample of the policies that are used in industry, some of which may be more restrictive and threatening to freedom than others. To develop these policies, we reviewed the academic and practitioner literature extensively for user-focused IT security policies. Notably, we focused on policies that end-users would notice and that they would understand in terms of the implications for the employees’ daily work. We thus avoided more technical behind-the-scenes security policies that end-users may not notice or understand, such as automatic network data encryption, honey pots set up to lure hackers, redundant data backups, and the like. The eight IT policies were built around the following common security issues: end-user software installation, antivirus and spyware software use with corporate networks, use of non-work-related software, inconsistent use of antivirus software, personal use of corporate email systems, lack of centralized data storage, use of USB drives for sensitive data, and personal Internet use. These issues are also thoroughly documented in organization security practice research in [13, 36]. Though many of the specific IT security policies are straightforward, they still have profound effects on overall IT security because organizational employees account for a majority of all of the information security problems [39].

For strong experimental control, each of the eight unique IT policies had four carefully constructed versions that did not alter the associated ISPO. Instead, the ISPO’s introductory and concluding text was changed to represent high-low controlling language and high-low new control. The formal control manipulations were based on Boss et al.’s and Kirsch’s conceptualizations and measurements. All three elements of formal control were written into these manipulations for the high-control conditions: specification, evaluation, and rewards. Specification was introduced by providing more clarity and detail, much of which was achieved through the enhanced description of evaluation and rewards. Evaluation was introduced by explicitly stating how the system and management would monitor the end-users’ compliance. Rewards and punishments were also specified for compliance and noncompliance. The low-control conditions lacked this level of detail. To establish experimental control further, these wording changes were exactly the same across all memos, regardless of the ISPO itself.

To ensure that the ISPO memo scenarios were realistic and effective for manipulating our theoretical constructs, we went through several rounds of development with experts, along with pilot testing graduate students who had industry and research expertise on information security.

To increase the generalizability of our study, we hired a market research firm to randomly select and invite industry participants from a total pool of nearly 3 million professionals, and to administer the study as an online research panel. External panels have been used to elicit responses to survey instruments in various contexts [e.g., 40, 41] and are increasingly used in organizational research because panels have several established research advantages [e.g., 42, 43].

The marketing research firm commissioned 320 working professionals to participate; 160 were male (50%) and 160 were female (50%). Among all of the participants, 52 (16.3%) were part-time workers, and 268 (83.7%) were full-time workers. The average age was 45.2 years (SD = 11.9), average years of work experience was 21.3 (SD = 12.3), and average years of formal education was 15.5 (SD = 2.8). The participants represented several key industries. IRB approval was given, and all respondents participated with full consent.

Participants first filled out their demographic information and pre-experiment measures. The participants were then given a series of two randomly selected ISPO memos in two separate rounds of experimentation and measurement. Each memo was addressed individually, with the participant answering questions in regard to only the memo just viewed. The participants were asked to evaluate how they would feel about these memos in terms of their current organization and position. They then filled out the post-experiment measures after each memo, yielding 640 data points. The random presentation of the memos was designed to mitigate any potential ordering effects.

All of the measures were based on established measures. We also added several standard covariates as potential predictors of intent, anger, and reactance: age, education level, years of work experience, work status, gender, organizational size, and ISPO apathy [5]. We also created a one-item covariate that asked about the degree to which that participant’s organization had a similar ISPO in place. Finally, both controlling language and new control were operationalized into our experiment as actual manipulations within the memos given to the participants; given the lack of available established measurements, each had an associated one-item manipulation check that we used to verify that the manipulation was in the intended direction.

4.0 ANALYSIS AND RESULTS

Prior to testing the CRCM, we conducted a pre-analysis and data validation according to the latest standards, for several purposes: (1) to establish the model specification, (2) to establish the factorial validity of the instrument through convergent and discriminant validities, (3) to establish that multicollinearity was not a problem for this model, (4) to check for common-methods bias using several approaches, and (5) to establish strong construct reliabilities. The results of our validation procedures show that our model data meets or exceeds the latest rigorous validation and reliability standards expected for partial least squares (PLS) based analysis. Before analysis we also performed manipulation checks that confirmed our manipulations were in the intended direction.

We used PLS regression analysis with SmartPLS version 2.0 [44] for model analysis. We analyzed the model data using a bootstrap with 500 resamples. Figure 2 graphically depicts the results.

Figure 2. Results of Testing Proposed Model

5.0 DISCUSSION

Our experimental results provide extensive support for the CRCM. Existing organizational formal controls increased the intent to comply with the new ISPO (H2 supported). New ISPO mandatoriness increased the intent to comply with the new ISPO (H3 supported). A threat to freedom from the new ISPO increased reactance to the new ISPO (H4 supported). Reactance proneness (or trait reactance) increased reactance to the new ISPO (H7 supported). Reactance to the new ISPO decreased the intent to comply with the new ISPO (H8 supported, along with the hypothesized underlying boomerang effects). Reactance to the new ISPO increased anger/irritation toward the organization about the new ISPO (H9 supported).

Three hypotheses were not supported. The existing ISPO precautions taken had no effect on the intent to comply with the new ISPO (H1 rejected). Neither the importance of ISPO freedom nor freedom from the new ISPO had an effect on reactance (H5 and H6 rejected). In terms of covariates, we found that ISPO apathy increased reactance, while it decreased anger/irritation. Also, the degree to which similar ISPOs already existed in the organization decreased reactance and anger/irritation. Finally, gender (females) was a predictor of anger/irritation. Summarizing our results, Figure 3 provides our suggested updated version of the CRCM for ongoing research, including promising covariates.

Figure 3. Future Research Version of CRCM

5.1 Contributions to Research, Theory, and Practice

Our key contribution is an innovative model that, for the first time, examines two counterpoised forces to predict intent to comply with new ISPOs in organizations. Extant research tested models involving either ISPO compliance or noncompliance; however, no extant model or empirical research has considered the competing motivations together. The CRCM considers both: organizational controls, as predicted by control theory, are shown to be a positive predictor of intent to comply; whereas threats to personal freedom from organizational controls result in reactance, as predicted by reactance theory. We also demonstrate the elusive, theorized boomerang effects by showing a strong negative connection between reactance and intentions. While this effect has long been theorized, little empirical evidence on this effect has been established previously [19, 45].

We also demonstrate the potential creation of anger as a negative outcome of reactance. Looking beyond compliance, anger in the workplace is a particularly troublesome phenomenon, as it is strongly linked to destructive antisocial behavior in the workplace. Hence, high levels of control might result in the desired ISPO compliance, but workplace anger can turn this into a potentially dangerous Pyrrhic victory for any organization. Researchers and practitioners should therefore no longer consider controls and deterrence in an organizational vacuum without considering the potential for threats to freedom that can undermine controls and deterrence and result in unintended negative consequences. These results illustrate the danger of the common organizational practice of introducing new ISPOs (or other organizational policies) using controlling language in memos distributed widely throughout an organization. This finding indicates that managers need to be very cautious in choosing the manner, medium, and method of introducing new ISPOs and organizational policies. ISPOs are clearly necessary in organizations; however, when managers write or communicate potentially freedom-restricting policies, they need to take into account that employees consider themselves free agents with rights and freedoms that, if threatened, will cause them to react negatively. Whereas ISPOs need formal written controls, they need to be written and delivered in a respectful manner that softens or eliminates imperatives and provides for a range of options, wherever possible. Most importantly, managers need to balance coercion with care [46].

Moreover, although reactance theory has been used for several decades and most reactance constructs in our CRCM have been measured in various studies, our extensive literature review of the theory reveals that no single study has ever tested the full reactance theory constructs in any context—let alone with organizational ISPOs. In fact, most studies do not directly examine the importance of freedom and threat level. Consequently, portions of the reactance theory model, and sometimes the whole model, are typically treated as a theoretical “black box” where the nomological relationships are assumed but not measured and validated. Moreover, given that, by definition, formal controls and freedom are diametrically opposed, we considered how newly introduced ISPOs might threaten existing freedoms (only those related to the new policies) and thus affect reactance, anger, and intent toward ISPO compliance. Notably, we found that the most influential freedom element that drives reactance was a threat to freedom, and not the importance of freedom. This serves as a particular warning to practice, because our study indicates that even threats to a “trivial” freedom can trigger reactance.

5.2 Limitations and Future Research

Our first key limitation, which points to promising future research, is the limited generalizability of our results, because they were derived from a controlled laboratory experiment. Whereas we have every reason to believe that our CRCM should hold up in similar matters of organizational compliance—especially any involving high levels of control and potential threats to personal freedom (e.g., audits, accounting controls, HR personnel policies, downsizing, mergers and acquisitions, and so on), further replication of the CRCM is needed to establish its generalizability. Moreover, following typical practices in attitudinal research, we considered intent but not actual compliance. Whereas our scenarios/vignettes approach to ISPO policy compliance is a standard and valid approach for predicting actual compliance [e.g., 36], testing our new model in actual organizations that are implementing new IT policies would be useful. Likewise, how long reactance perseveres and the factors that contribute to its weakening are important open issues that could affect generalizability. Thus, longitudinal organizational data that examines reactance strength and compliance over time would be valuable.

Likewise, we tested our CRCM in a Western culture—specifically with US-based employees. US employees have been shown to be highly individualistic, valuing individual freedom of choice at work more than employees in collectivistic societies, such as the People’s Republic of China [e.g., 47, 48]. Employees in highly collectivistic (e.g., China or France) or highly controlling cultures (e.g., Saudi Arabia or Iran) might demonstrate far less reactance and anger than those in highly individualistic cultures like the US, simply because those employees do not place the same importance on workplace freedom and instead focus more on the success of the organization. An important extension of this model would be to consider the differences in the perceptions of the threats to freedom—and subsequent reactance—in collectivistic versus individualistic cultures. Research could also consider the effects within organizations that are increasingly mixed and heterogeneous in terms of the cross-cultural propensities of employees, or even in terms of a firm’s organizational culture.

A final promising future research opportunity would be to further consider the dual negative and positive effects of the CRCM through physiological measures. Again, we showed that reactance constructs decrease intent, whereas control constructs increase intent. How is it that the counterbalancing forces can work together at the same time in one’s cognition? It could be that we are missing a key construct in the policy compliance literature—one of intent to not comply, and that intent to not comply combined with intent to comply are actually what best predict compliance. This issue is similar to the issue in the trust and distrust literature of whether distrust was just low trust or whether it was actually a separate construct. Recent, groundbreaking research involving fMRI brain scan technology established that distrust and low trust are indeed separate constructs [49]. The same may be true of intent to comply and intent to not comply. fMRI scans would also be potentially useful in examining the cognitive manifestations of reactance and the resulting anger.

Future research should examine just what it is that establishes some ISPO-related behaviors as cherished freedoms that are very personal to users, whereas others are not. It is possible that some of the drivers could relate to the degree to which a behavior involves personal information privacy issues [18]. Likewise, more research should be done on the ways in which threats to freedoms can be increased and decreased. Possible factors that we did not examine could include how abruptly a policy is delivered; delivering policies face-to-face versus in a more impersonal manner, such as email; establishing an environment of threat awareness; treating employees as security partners and allies, as opposed to security threats; explaining the wide variety of freedoms that employees have and should not assume to be restricted by new policies (e.g., the ability to freely surf the Web during lunch breaks); developing policies in conjunction with the employees who are to adhere to the policies; training that explains the rationale for IT security policies; and the like.

6.0 CONCLUSION

Organizations increasingly rely on ISPOs to help address the “weak link” of employees in organizational information security. Unfortunately, these ISPOs are only partially effective, because employees often ignore them, circumvent them, or even do the opposite of what management desires. With ISPOs being the main method for ensuring secure behaviors by organizational members, it becomes imperative to better understand how to increase compliance with such policies. So that ISPOs can be developed and communicated more effectively, the purpose of our study was to better explain the opposing motivations regarding compliance with new ISPOs.

In this manuscript, we proposed an innovative model, CRCM, which pits organizational control theory, as a force that explains ISPO compliance, against reactance theory, as a force that explains ISPO noncompliance and anger toward organizations. We further explained that reactance to newly mandated policies could result in unanticipated negative outcomes for organizations, which might cause more harm than the intended good from the ISPO. The CRCM was tested and largely supported using a sample of 320 working professionals in a variety of industries. Our work highlights the important roles that managers have in promoting new policies, and that consideration should be given as to how these new policies are introduced and explained to employees.

We acknowledge funding from the Hong Kong Research Grants Council General Research Fund (GRF) Grant #147712.

[1] J. D'Arcy, A. Hovav, and D. F. Galletta, "User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach," Information Systems Research, vol. 20, pp. 79-98, 2009.
[2] B. Bulgurcu, H. Cavusoglu, and I. Benbasat, "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness," MIS Quarterly, vol. 34, pp. 523-548, 2010.
[3] K. Witte, "Putting the fear back into fear appeals: The extended parallel process model," Communication Monographs, vol. 59, pp. 329-349, 1992.
[4] L. J. Kirsch, "Deploying common systems globally: The dynamics of control," Information Systems Research, vol. 15, pp. 374-395, 2004.
[5] S. R. Boss, L. J. Kirsch, I. Angermeier, R. A. Shingler, and R. W. Boss, "If someone is watching, I'll do what I'm asked: Mandatoriness, control, and information security," European Journal of Information Systems, vol. 18, pp. 151-164, 2009.
[6] I. Ajzen, "Residual effects of past on later behavior: Habituation and reasoned action perspectives," Personality & Social Psychology Review (Lawrence Erlbaum Associates), vol. 6, pp. 107-122, 2002.
[7] A. C. Johnston and M. Warkentin, "Fear appeals and information security behaviors: An empirical study," MIS Quarterly, vol. 34, pp. 549-566, 2010.
[8] H. H. Kelley and J. L. Michela, "Attribution theory and research," Annual Review of Psychology, vol. 31, pp. 457-501, 1980.
[9] B. Verplanken and H. Aarts, "Habit, attitude, and planned behavior: Is habit an empty construct or an interesting case of goal-directed automaticity?," in European Review of Social Psychology, W. Stroebe and M. Hewstone, Eds. Chichester, England, 1999, pp. 101-134.
[10] S. Pahnila, M. Siponen, and A. Mahmood, "Employees' behavior towards IS security policy compliance," in 40th Hawaii International Conference on Systems Sciences, Hawaii, USA, 2007, pp. 1-10.
[11] L. J. Kirsch, D.-G. Ko, and M. H. Haney, "Investigating the antecedents of team-based clan control: Adding social capital as a predictor," Organization Science, vol. 21, pp. 469-489, 2010.
[12] M. Chan, I. M. Y. Woon, and A. Kankanhalli, "Perceptions of information security at the workplace: Linking information security climate to compliant behavior," Journal of Information Privacy and Security, vol. 1, pp. 18-41, 2005.
[13] Q. Hu, Z. Xu, T. Dinev, and H. Ling, "Does deterrence work in reducing information security policy abuse by employees?," Communications of the ACM, vol. 54, pp. 54-60, 2011.
[14] B. Schneider, "The people make the place," Personnel Psychology, vol. 40, pp. 437-453, 1987.
[15] A. Kankanhalli, H.-H. Teo, B. C. Y. Tan, and K.-K. Wei, "An integrative study of information systems security effectiveness," International Journal of Information Management, vol. 23, pp. 139-154, 2003.
[16] J. Lee and Y. Lee, "A holistic model of computer abuse within organizations," Information Management & Computer Security, vol. 10, pp. 57-63, 2002.
[17] B. J. Alge, G. A. Ballinger, S. Tangirala, and J. L. Oakley, "Information privacy in organizations: Empowering creative and extrarole performance," The Journal of Applied Psychology, vol. 91, pp. 221-232, 2006.
[18] C. Posey, T. L. Roberts, R. Bennett, and P. B. Lowry, "When computer monitoring backfires: Invasion of privacy and organizational injustice as precursors to computer abuse," Journal of Information System Security, vol. 7, pp. 24-47, 2011.
[19] P. Silvia, "Deflecting reactance: The role of similarity in increasing compliance and reducing resistance," Basic and Applied Social Psychology, vol. 27, pp. 277-284, 2005.
[20] J. W. Brehm, A Theory of Psychological Reactance. London, U.K.: Academic Press, Inc., 1966.
[21] J. W. Brehm, Response to Loss of Freedom: A Theory of Psychological Reactance. Morristown, NJ, USA: General Learning Press, 1972.
[22] M. D. Heilman and B. L. Toffler, "Reacting to reactance: An interpersonal interpretation of the need for freedom," Journal of Experimental Social Psychology, vol. 12, pp. 519-529, 1976.
[23] G. Lee and W. Lee, "Psychological reactance to online recommendation services," Information & Management, vol. 46, pp. 448-452, 2009.
[24] J. P. Dillard and L. Shen, "On the nature of reactance and its role in persuasive health communication," Communication Monographs, vol. 72, pp. 144-168, 2005.
[25] W. G. Ouchi, "A conceptual framework for the design of organizational control mechanisms," Management Science, vol. 25, pp. 833-848, 1979.
[26] T. B. Lawrence and S. L. Robinson, "Ain't misbehavin: Workplace deviance as organizational resistance," Journal of Management, vol. 33, pp. 378-394, Jun 2007.
[27] J. W. Brehm and S. S. Brehm, Psychological Reactance: A Theory of Freedom and Control. San Diego, CA, USA: Academic Press, 1981.
[28] C. R. Tittle, "Refining control balance theory," Theoretical Criminology, vol. 8, pp. 395-428, 2004.
[29] R. Engs and D. J. Hanson, "Reactance theory: A test with collegiate drinking," Psychological Reports, vol. 64, pp. 1083-1086, 1989.
[30] D. N. Allen, D. G. Sprenkel, and P. A. Vitale, "Reactance theory and alcohol consumption laws: Further confirmation among collegiate alcohol consumers," Journal of Studies on Alcohol, vol. 55, pp. 34-40, 1994.
[31] N. Wiium, L. E. Aarø, and J. Hetland, "Psychological reactance and adolescents' attitudes toward tobacco-control measures," Journal of Applied Social Psychology, vol. 39, pp. 1718-1738, 2009.
[32] S. B. Sitkin and N. L. Roth, "Explaining the limited effectiveness of legalistic "remedies" for trust/distrust," Organization Science, vol. 4, pp. 367-392, 1993.
[33] B. L. Quick and D. K. Kim, "Examining reactance and reactance restoration with South Korean adolescents: A test of psychological reactance within a collectivist culture," Communication Research, vol. 36, pp. 765-782, 2009.
[34] L. K. Trevino, "Experimental approaches to studying ethical-unethical behavior in organizations," Business Ethics Quarterly, vol. 2, pp. 121-136, 1992.
[35] M. O'Fallon and K. Butterfield, "A review of the empirical ethical decision-making literature: 1996-2003," Journal of Business Ethics, vol. 59, pp. 375-413, 2005.
[36] M. Siponen and A. Vance, "Neutralization: New insights into the problem of employee information systems security policy violations," MIS Quarterly, vol. 34, pp. 487-502, 2010.
[37] K. Guo, Y. Yuan, N. Archer, and C. Connelly, "Understanding non-malicious security violations in the workplace: A composite behavior model," Journal of Management Information Systems, vol. 28, pp. 203-236, 2011.
[38] F. Argelaguet, A. Kulik, A. Kunert, C. Andujar, and B. Froehlich, "See-through techniques for referential awareness in collaborative virtual reality," International Journal of Human-Computer Studies, vol. 69, pp. 387-400, Jun 2011.
[39] C. L. Anderson and R. Agarwal, "Practicing safe computing: A multimethod empirical examination of home computer user security behavioral intentions," MIS Quarterly, vol. 34, pp. 613-643, 2010.
[40] R. J. Bennett and S. L. Robinson, "Development of a measure of workplace deviance," Journal of Applied Psychology, vol. 85, pp. 349-360, 2000.
[41] R. Gibney, T. J. Zagenczyk, and M. F. Masters, "The negative aspects of social exchange: An introduction to perceived organizational obstruction," Group & Organization Management, vol. 34, pp. 665-697, 2009.
[42] N. F. Awad and A. Ragowsky, "Establishing trust in electronic commerce through online word of mouth: An examination across genders," Journal of Management Information Systems, vol. 24, pp. 101-121, 2008.
[43] C. Posey, P. B. Lowry, T. L. Roberts, and S. Ellis, "The culture-influenced online community self-disclosure model: The case of working professionals in France and the UK who use online communities," European Journal of Information Systems, vol. 19, pp. 181-195, 2010.
[44] C. M. Ringle, S. Wende, and S. Will, "SmartPLS 2.0 (M3) Beta," Hamburg, Germany, 2005.
[45] M. Burgoon, E. Alvaro, J. Grandpre, and M. Voulodakis, "Revisiting the theory of psychological reactance," in The Persuasion Handbook: Developments in Theory and Practice, J. P. Dillard and M. Pfau, Eds. Thousand Oaks, CA, USA: Sage, 2002.
[46] G. Sewell and J. R. Barker, "Coercion versus care: Using irony to make sense of organizational surveillance," Academy of Management Review, vol. 31, pp. 1-24, 2006.
[47] P. B. Lowry, D. Zhang, L. Zhou, and X. Fu, "Effects of culture, social presence, and group composition on trust in technology-supported decision-making groups," Information Systems Journal, vol. 20, pp. 297-315, 2010.
[48] D. Zhang, P. B. Lowry, L. Zhou, and X. Fu, "The impact of individualism-collectivism, social presence, and group diversity on group decision making under majority influence," Journal of Management Information Systems, vol. 23, pp. 53-80, 2007.
[49] A. Dimoka, "What does the brain tell us about trust and distrust? Evidence from a functional neuroimaging study," MIS Quarterly, vol. 34, pp. 373-396, 2010.