Explaining Opposing Compliance Motivations towards Organizational Information Security Policies

Paul Benjamin Lowry, City University of Hong Kong, [email protected]
Greg D. Moody, University of Las Vegas-Nevada, [email protected]

Abstract

Lack of compliance with organizational information security policies (ISPOs) is a widespread organizational issue that increasingly bears very large direct and qualitative costs. The purpose of our study was to explain the causes of tensions within organizations to either comply with new ISPOs or react negatively against them. To do so, we proposed an innovative model, which pits organizational control theory, as a force that explains ISPO compliance, against reactance theory, as a force that explains ISPO noncompliance and anger toward organizations. To test the model, we used a sample of 320 working professionals in a variety of industries to examine the likely organizational outcomes when a new ISPO is delivered to employees in the form of a typical memo sent throughout an organization. We found support for our newly proposed model, which is an important contribution to research on organizational security practices.

1.0 INTRODUCTION

Organizations increasingly rely on information and related systems, which are also a source of much organizational risk. This environment has consequently increased the importance of managing information risks within organizations. This risk management has traditionally relied on technological solutions to improve information security. Yet, because employees are big threats to organizations’ information security and cause the majority of information security breaches, it is crucial to consider the socio-organizational elements in assuring that information resources are secure [1]. Thus, fostering employee compliance with information security policies (ISPOs) is a key approach that organizations use to attempt to improve this weak link [1, 2]. ISPOs are a set of formalized procedures, guidelines, roles, and responsibilities which employees are required to adhere to in order to safeguard and use the information and technology resources of their organizations properly.

ISPO compliance is a critical consideration in organizational security governance, because internal controls are created, responsibilities are assigned, and accountability is maintained. ISPOs help ensure the security of organizational information resources by thwarting employee attempts to bypass information security, and by training employees to use information resources appropriately. Recent management research has applied several theories and frameworks to explain ISPO compliance and related phenomena; yet, thus far, the findings are mixed. In practice, actual ISPO compliance is also highly mixed: many employees are apathetic about ISPOs and ignore them; other times employees try to circumvent ISPOs intentionally; and, even worse, some employees will often purposely do the opposite of the desired behavior.

Extant literature has produced a strong foundation for organizational ISPO compliance research, but has left several gaps that provide opportunities for further research. One key opportunity is that although some studies have looked at ISPO compliance [e.g., 2] and others have looked at noncompliance [e.g., 1], no studies have directly considered their motivators in the same model. This is an important aspect, because human behavior often involves dual-process models of competing outcomes [e.g., 3]. Understanding the dual processes of increased and decreased desire to comply could explain the mixed results in the literature. Likewise, understanding both sides might help explain the most puzzling research results, in which increased ISPO controls sometimes backfire and increase pernicious employee behaviors in organizations.

2.0 CRCM THEORY AND HYPOTHESES

We now provide more detail on the theoretical foundation of the Control-Reactance Compliance Model (CRCM), starting with control theory, from which we introduce the key constructs of formal control, mandatoriness, and security precautions. These are constructs that have already been established in the literature that we will use as a traditional explanation for why employees are motivated to comply with new ISPOs.


For this portion of CRCM, we build primarily on a model by Boss et al. that combines the use of control theory with the concept of mandatoriness to effectively explain that when individuals perceive organizational security policies to be mandatory, they are more likely to take security precautions. The foundation of the Boss et al. model is control theory. Control theory was originally developed to classify the different types of control utilized by organizations to constrain employees and to explain the social conditions in which different forms of control are used, depending upon the objectives and tasks characteristic of the organization.

Although this approach to control theory helps explain the environments and contexts in which particular controls are most likely to be used, later research further clarified the elements that constitute control itself. Namely, Kirsch [4] categorized controls as either formal, which are “formally documented and initiated by management,” or informal, which are “unwritten and often initiated by employees themselves” [4, p. 375]. Formal controls are inherently more discernible because they are more structured, precisely regulated, and more recognizable. We assume formal controls in our study.

Building on Kirsch’s work, Boss et al. applied control theory in the realm of ISPOs by observing the general effect these policies have on specification (a.k.a., measurement), evaluation, and reward. Kirsch defined these as follows: specification is the measurability of expected behaviors or outcomes; evaluation is the exchange of information and the process of assessing performance; and reward is the result of the performance of expected behaviors, leading to goal achievement.

Boss et al. further observed the effect of formal controls on compliance with existing ISPOs by introducing the innovative concept of mandatoriness, which is “the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management” (p. 151). They found that formal controls toward existing ISPOs do indeed increase the perceived mandatoriness of existing ISPOs. Boss et al.’s research suggested that, when policies are implemented, an organization signals that employees are expected to comply. That signal can vary in the degree of existing mandatoriness by manipulating the dimensions of the formal controls. For further modeling clarity, we term these existing, organizational, formal ISPO controls as existing organizational formal controls.

Boss et al.’s model further explains that an individual’s existing perceived mandatoriness of existing organizational ISPOs will in turn affect the general range of ISPO security precautions the individual takes within the organization. The researchers’ findings show that existing controls increase employees’ existing mandatoriness, and this mandatoriness increases the general ISPO security precautions taken by the employee [5]. Formally, we term these as existing ISPO precautions taken, which are defined as “the degree to which individuals perceive they take measures to secure their computers” in order to follow existing formal controls and ISPOs [5, p. 155].

2.1 Control Theory and ISPO Compliance

A key point of differentiation with Kirsch’s model and Boss et al.’s model is that these were proposed and tested around predicting how existing organizational conditions impact existing compliance to policies. CRCM adds the nuance of predicting how existing organizational conditions predict compliance to a new ISPO. In our context, the new ISPO will be introduced through a formal organizational memo, so that we can manipulate the formal control and language of the newly introduced ISPO as a persuasion attempt to encourage organizational compliance. Therefore, we ignored replications and predictions of how existing conditions predict existing compliance, as these are established and thus outside the scope of our study.

Thus, our first theoretical proposition is that because past related behavior is often a strong predictor of future related behavior [6], it logically follows that if an employee has a pattern of taking ISPO precautions, this pattern is likely to continue in terms of new ISPOs. One reason for this link is that past ISPO compliance suggests a more positive attitude toward ISPO compliance than that of an employee who has not complied with ISPOs. Such positive attitudes tend to be lasting and are strong predictors of future ISPO compliance [2, 7]. Further, individuals tend to maintain consistency between their outward behaviors and the internal motivations that drive such behaviors; thus, their behaviors and motivations are expected to remain consistent over time [8].

Finally, past compliance and habit are a further explanation for the link between past and future ISPO compliance behaviors. Formally, habit is the “learned sequences of acts that have become automatic responses to specific cues, and are functional in obtaining certain goals or end-states” [9, p. 104]. Behavioral habits toward ISPO compliance have been shown to predict continued and future ISPO compliance: as employees develop good attitudes, awareness, and knowledge of ISPOs, and comply with them over time, they develop normative beliefs and habits toward ISPO compliance [10].

H1. Existing ISPO precautions taken increase intent to comply with a new ISPO.

Aside from the habit of precautions taken, we posit that the existing organizational formal controls also have a direct impact on new ISPO compliance. Existing controls help to create a climate and culture where ISPO compliance is the norm and where expectations are clearer than in organizations without formal controls. That is, formal controls from management create normative beliefs around ISPO compliance, and these norms can evolve into strong social capital controls in organizations [11]. In our context, normative beliefs (a.k.a., norms) are “an employee’s perceived social pressure about compliance with the requirements of the ISPO caused by behavioral expectations of such important referents as executives, colleagues, and managers” [2, p. 529]; these norms increase compliance [2].

Such formal policies and controls can help create a positive information security climate, where compliance is more likely by also reinforcing normative beliefs [12]. Formally, an information security climate involves the organizational mechanisms and practices that define how an organization treats information security [13]. In positive climates, it is more likely that employees will perceive that the top management champions ISPOs, which is the degree to which employees perceive that the top managers in an organization firmly support or advocate for its ISPOs [13]. Such championship emphasizes the importance of the ISPO in the day-to-day work of an organization in protecting it from harm [14]. By evaluating and enforcing the use of ISPO controls in an organization, management again emphasizes the importance and the benefit of the ISPO to the entire organization.

Notably, positive security climates with perceived top management championship foster more ISPO compliance in employees [13]. Aside from perceived leadership, top management championship is effective because organizations with such management tend to have more preventative controls [15] and because top management support serves as a form of normative control against non-compliance [16]. Thus, if an organization lacks strong controls, then the security climate, associated expectations, and top management championship are more likely to be weaker—as will be ISPO compliance.

H2. Existing organizational formal controls increase intent to comply with a new ISPO.

We also propose that the perceived mandatoriness of a new ISPO affects ISPO compliance directly. We first assume the corollary that if existing ISPOs have an associated perceived mandatoriness, then new ISPOs will have their own associated perceived mandatoriness. To increase theoretical clarity, we define new ISPO mandatoriness as the degree to which an individual perceives that compliance with a new ISPO is compulsory or expected by organizational management. Recall that Boss et al. found that the acts of specifying policies and evaluating behaviors (i.e., controls) are effective in convincing individuals that security policies are mandatory. Since Boss et al. show that existing controls are positively correlated with existing mandatoriness, then new controls should positively impact new mandatoriness similarly.

H3. New ISPO mandatoriness increases intent to comply with a new ISPO.

2.2 Reactance Theory and ISPO Noncompliance

Now that we have explained how formal controls, mandatoriness, and taking existing security precautions can influence organizational ISPO compliance, we consider reactance theory to explain what discourages ISPO compliance. A key assumption of CRCM is that most employees have a predetermined level of tolerance for controlling management policies and a threshold for how much individual freedom the individuals will give up before negative consequences toward the organization will occur. This assumption is supported by a host of deterrence- and monitoring-related studies that show that overly controlling approaches can backfire and result in pernicious employee behaviors [e.g., 17, 18]. Thus, high levels of new ISPO control could lead to negative results for organizations—especially because punishments are often an integral part of formalized controls. Despite this promising connection, this issue has not been considered in the literature thus far. To address this issue, we leverage psychological reactance theory.

Reactance theory has historically been used in behavioral and psychological studies. For example, Silvia [19] studied the role of similarity in decreasing reactance. Others have used reactance theory in a variety of behavioral studies. However, we found no application in terms of organization policy compliance, including ISPO compliance.

Reactance theory predicts that any given person has a set of behavioral freedoms (a realm of personal freedom) that if eliminated, or threatened with elimination, will create an adverse state of arousal called reactance [20]. Reactance is a negative emotional response caused by threats or losses on behavioral freedom, which focuses on restoring the freedom in question. A key assumption for reactance to occur is that the person whose behavior is threatened has an expectation of free choice and thus is motivationally aroused any time that free choice is threatened [21]. Reactance has also been shown to occur when individuals are pressured (e.g., strongly persuaded or manipulated) to choose between two choices [22].

Accordingly, in our context, reactance is a negative emotional coping response that is a form of message rejection caused primarily by lost or threatened freedom, and thus focuses on re-establishing the threatened or eliminated behavioral freedom. Unlike avoidance, reactance is an active negative response to an external source that tries to influence/persuade behavior. During reactance, an individual systematically processes the sources of the negative emotion, but rather than trying to conceal the emotion, the individual is motivated to challenge the causes of the emotion (i.e., loss of behavioral freedoms), which allows him/her to invalidate the conclusions formed from the causes [23]. Accordingly, reactance is associated with more heated or emotional responses that allow individuals to displace the concern over missed opportunities with a sense of anger or frustration directed toward the source of information originally perceived to cause the concern [24]. Thus, reactance is a particularly pernicious organizational phenomenon, because it pits the will of the employee against the will of the employer, resulting in negative conflicts through undesired employee behaviors and emotions.

We propose that new organizational controls are key mechanisms that can drive reactance in organizations. We posit that newly introduced controls from a new ISPO can threaten one’s sense of freedom by challenging the existing balance of an employee’s valued behavioral freedoms. As support, formal control “depends heavily upon monitoring, evaluating, and correcting in an explicit manner” [4, 25, p. 841]. Namely, the manager determines the behaviors, outcomes, procedures, goals, and so forth, that the employee is expected to meet. An established hierarchy of authority in an organization provides a context in which the roles and relationships can be understood. For example, an autocratic authority is a formal control, because of the clear and strong superior-subordinate relationship.

Notably, Ouchi explained and predicted that higher levels of control are “likely to offend people’s sense of autonomy and of self-control . . . [because], the more obvious and explicit the measurement, the more noxious it is to employees” (p. 841). It has further been explained that control can actually encourage deviance when control produces a perceived disparity between employee and employer [26]. It is thus not surprising that reactance research has shown that coercion, in particular, tends to lead to the strongest levels of reactance, because it goes beyond mere persuasion [27]. Hence, a strong display of authoritative power—for example, more explicit formal control measurements, whether in the form of specification, evaluation, or rewards and sanctions—can threaten an employee’s sense of freedom. That is, when a manager specifies an employee’s appropriate outcomes or behaviors, the employee’s behavior alternatives are more limited [28]. Thus, the more specific and transparent the controls provided in a new ISPO are, the more such controlling approaches are likely to threaten an employee’s sense of freedom because of the specification, evaluation, and rewards around the specific behaviors.

The key to galvanizing the causal mechanisms of reactance is thus to threaten or eliminate personal freedoms that employees believe organizations should not threaten. In predicting reactance, the issue is not whether it is reasonable or legal to threaten or eliminate an employee’s freedom; the issue is how an employee feels about a threatened freedom. A study on underage drinking, which is illegal and generally not in keeping with common sense [29], illustrated this issue: in this study, despite legal and social mores, the more the students felt that drinking alcohol should be a personal freedom, the more the messages threatening them to not drink influenced drinking. This study was later confirmed in a more advanced study on collegiate drinking [30], and similar results were shown in adolescent smoking research with dispositional reactance [31].

Thus, the question in our context is not whether it is reasonable or legal to threaten or eliminate employee freedoms in the workplace regarding ISPOs, but rather how employees perceive that the new ISPO controls threaten their valued freedoms. Many employees feel that there is an implicit contract of respecting privacy and personal space in the workplace, and are offended by the idea of their Internet access and emails being monitored [32]. Also, whether or not employers actually read employee emails is not the only salient factor. If employers publicly reserve the right to read employees’ email—even if they never engage in reading them—that can cause enough of a threat to personal freedom to cause reactance.

Meanwhile, the more important the threatened freedom is or the greater the level of threat to freedom, the greater the magnitude of reactance will be [24]. A threat to freedom in a reactance context is the degree to which the actions of or communications from organizational management cause employees to believe their freedom to choose is threatened, manipulated, or pressured by management [24]. We define threat to freedom from a new ISPO as the degree to which a new ISPO delivered from an organization’s management causes the employees to believe their freedom to choose is threatened or manipulated by management. The importance of freedom in a reactance context is how much employees value the freedom to engage in specific behaviors in the workplace that might be controlled or eliminated by management [20]. In our context, the importance of ISPO freedom is how much employees value the freedom associated with a specific computer-related behavior that might be controlled or eliminated by management through ISPOs.

H4. A threat to freedom from a new ISPO increases reactance to a new ISPO.

H5. The importance of ISPO freedom increases reactance to a new ISPO.

Likewise, increased behavioral freedom decreases reactance [27]. In our reactance context, we are concerned with the behavioral freedom associated with a new ISPO. Based on [24], we term this freedom as freedom from a new ISPO, which is the degree to which information regarding a new ISPO promotes individual choice and decision making, free of pressure and manipulation from management.

H6. Freedom from a new ISPO decreases reactance to a new ISPO.

As reactance theory has been further tested and extended over time, several important additions have been included that further drive our CRCM proposal. First, a promising phenomenon we found in the reactance literature is that a well-established measure of one’s reactance proneness (a.k.a., trait reactance) has been developed and validated; ironically, however, this measure has never been used to predict actual reactance [24]. We thus newly posit and test this relationship in our CRCM. Specifically, reactance proneness is one’s disposition or tendency to experience a state of reactance when one’s freedoms are restricted [24]. Given this conceptualization, it naturally follows that people who are more prone to reactance to freedom restrictions in general are more likely to manifest reactance when management introduces a new, freedom-restricting ISPO.

H7. Reactance proneness increases reactance to a new ISPO.

Quick and Kim [33] further demonstrated other negative effects of reactance with a construct the authors term boomerang effects. Boomerang effects emerge because of reactance and are the measurable efforts of individuals to directly restore freedoms and/or undo threats to freedoms that emerge in an organization. In an ISPO context, we propose that an undesired boomerang effect would be lack of compliance with the new ISPO as a purposeful act to restore a valued but threatened or eliminated freedom. Therefore, in our context, if an ISPO is seen by an employee as a direct threat to his or her personal freedom, the boomerang effects would be plausibly manifested as a decreased intention to follow the new ISPO in order to try to regain the lost freedoms and/or decrease the threats to freedoms resulting from the new policy. Similar effects have also been proposed and found in the field of criminology.

H8. Reactance to a new ISPO decreases the intent to comply with a new ISPO.

Dillard and Shen [24] also theorized that reactance can result in “an amalgam of anger and negative cognitions” (p. 164), which has been empirically validated in [24, 33]. Such anger and negative cognitions, such as irritation, tend to focus on the related behavioral control incident, but can spread if further incidents continue. Formally, in a reactance context this anger/irritation is the degree to which a behavioral control from management that threatens or eliminates workplace freedom causes annoyance, irritation, anger, or aggravation toward management regarding the threatened or eliminated freedom. Such anger/irritation is a particularly pernicious outcome in organizations because such emotions are closely linked to destructive antisocial or aggressive behavior.

H9. Reactance to a new ISPO increases anger/irritation toward the organization about the new ISPO.

Figure 1 summarizes our proposed model, CRCM.

Figure 1. Control-Reactance Compliance Model (CRCM)

3.0 RESEARCH METHODS

Our experimental design was a 2x2 factorial

design that provided professional ISPO memos from

eight different, randomly selected IT security policies

that were manipulated in terms of controlling language

(high-low) and formal control (high-low). Eight

different forms of IT policies were used with four

manipulations each, for a total of 32 conditions. Each

policy had four memos representing a combination of

high-language high-control, high-language low-

control, low-language high-control, and low-language

low-control, for a between-groups factorial experiment.

We tested the CRCM by using a scenario-based

method with professionals. The scenario method

presents respondents with “written descriptions of

6

realistic situations and then request[s] responses on a

number of rating scales that measure the dependent

variables of interest” [34, p. 127-128]. This is the

method most commonly applied to issues related to

ethics [35]. Accordingly, this method is highly useful

for studying ISPO compliance issues and thus has been

increasingly used in the ISPO and computer-abuse

literature [e.g., 13, 36, 37, 38].

The range of IT security policies was chosen to

provide a realistic sample of the policies that are used

in industry, some of which may be more restrictive and

threatening to freedom than others. To develop these

policies, we reviewed the academic and practitioner

literature extensively for user-focused IT security

policies. Notably, we focused on policies that end-

users would notice and that they would understand in

terms of the implications for the employees’ daily

work. We thus avoided more technical behind-the-

scenes security policies that end-users may not notice

or understand, such as automatic network data

encryption, honey pots set up to lure hackers,

redundant data backups, and the like. The eight IT

policies were built around the following common

security issues: end-user software installation, antivirus

and spyware software use with corporate networks, use

of non-work-related software, inconsistent use of

antivirus software, personal use of corporate email

systems, lack of centralized data storage, use of USB

drives for sensitive data, and personal Internet use.

These issues are also thoroughly documented in

organization security practice research in [13, 36].

Though many of the specific IT security policies are

straightforward, they still have profound effects on

overall IT security because organizational employees

account for a majority of all of the information security

problems [39].

For strong experimental control, each of the eight unique IT policies had four carefully constructed versions that did not alter the associated ISPO. Instead, the ISPO’s introductory and concluding text was changed to represent high-low controlling language and high-low new control. The formal control manipulations were based on Boss et al.’s [5] and Kirsch’s [4] conceptualizations and measurements. All three elements of formal control were written into these manipulations for the high-control conditions: specification, evaluation, and rewards. Specification was introduced by providing more clarity and detail, much of which was achieved through the enhanced description of evaluation and rewards. Evaluation was introduced by explicitly stating how the system and management would monitor the end-users’ compliance. Rewards and punishments were also specified for compliance and noncompliance. The low-control conditions lacked this level of detail. To establish experimental control further, these wording changes were exactly the same across all memos, regardless of the ISPO itself.

To ensure that the ISPO memo scenarios were realistic and effective for manipulating our theoretical constructs, we went through several rounds of development with experts, along with pilot testing with graduate students who had industry and research expertise in information security.

For the increased generalizability of our study, we hired a market research firm to oversee the study as an online research panel and to randomly select and invite industry participants from a total pool of nearly 3 million professionals. External panels have been used to elicit responses to survey instruments in various contexts [e.g., 40, 41] and are increasingly used in organizational research because panels have several established research advantages [e.g., 42, 43].

The market research firm commissioned 320 working professionals to participate; 160 were male (50%) and 160 were female (50%). Among all of the participants, 52 (16.3%) were part-time workers, and 268 (83.7%) were full-time workers. The average age was 45.2 years (SD = 11.9), average years of work experience was 21.3 (SD = 12.3), and average years of formal education was 15.5 (SD = 2.8). The participants represented several key industries. IRB approval was given, and all respondents participated with full consent.

Participants first filled out their demographic information and pre-experiment measures. The participants were then given two randomly selected ISPO memos in two separate rounds of experimentation and measurement. Each memo was addressed individually, with the participant answering questions in regard to only the memo just viewed. The participants were asked to evaluate how they would feel about these memos in terms of their current organization and position. They then filled out the post-experiment measures after each memo, yielding 640 data points. The random presentation of the memos was designed to mitigate any potential ordering effects.

All of the measures were based on established measures. We also added several standard covariates as potential predictors of intent, anger, and reactance: age, education level, years of work experience, work status, gender, organizational size, and ISPO apathy [5]. We also created a one-item covariate that asked about the degree to which that participant’s organization had a similar ISPO in place. Finally, both controlling language and new control were operationalized into our experiment as actual manipulations within the memos given to the participants; given the lack of available established measurements, each had an associated one-item manipulation check that we used to verify that the manipulation was in the intended direction.

4.0 ANALYSIS AND RESULTS

Prior to testing the CRCM, we conducted a pre-analysis and data validation according to the latest standards, for several purposes: (1) to establish the model specification, (2) to establish the factorial validity of the instrument through convergent and discriminant validities, (3) to establish that multicollinearity was not a problem for this model, (4) to check for common-methods bias using several approaches, and (5) to establish strong construct reliabilities. The results of our validation procedures show that our model data meet or exceed the latest rigorous validation and reliability standards expected for partial least squares (PLS) based analysis. Before analysis, we also performed manipulation checks that confirmed our manipulations were in the intended direction.

We used PLS regression analysis with SmartPLS version 2.0 [44] for model analysis. We analyzed our model data using a bootstrap with 500 resamples. Figure 2 graphically depicts the results.

Figure 2. Results of Testing Proposed Model

5.0 DISCUSSION

Our experimental results provide extensive support for the CRCM. Existing organizational formal controls increased the intent to comply with the new ISPO (H2 supported). New ISPO mandatoriness increased the intent to comply with the new ISPO (H3 supported). A threat to freedom from the new ISPO increased reactance to the new ISPO (H4 supported). Reactance proneness (or trait reactance) increased reactance to the new ISPO (H7 supported). Reactance to the new ISPO decreased the intent to comply with the new ISPO (H8 supported, along with the hypothesized underlying boomerang effects). Reactance to the new ISPO increased anger/irritation toward the organization about the new ISPO (H9 supported).

Three hypotheses were not supported. The existing ISPO precautions taken had no effect on the intent to comply with the new ISPO (H1 rejected). Neither the importance of ISPO freedom nor freedom from the new ISPO had an effect on reactance (H5 and H6 rejected). In terms of covariates, we found that ISPO apathy increased reactance, while it decreased anger/irritation. Also, the degree to which similar ISPOs already existed in the organization decreased reactance and anger/irritation. Finally, gender (being female) was a predictor of anger/irritation.

Summarizing our results, Figure 3 provides our suggested updated version of the CRCM for ongoing research, including promising covariates.

Figure 3. Future Research Version of CRCM

5.1 Contributions to Research, Theory, and Practice

Our key contribution is an innovative model that, for the first time, examines two counterpoised forces to predict intent to comply with new ISPOs in organizations. Extant research tested models involving either ISPO compliance or noncompliance; however, no extant model or empirical research has considered the competing motivations together. The CRCM considers both: organizational controls, as predicted by control theory, are shown to be a positive predictor of intent to comply; whereas threats to personal freedom from organizational controls result in reactance, as predicted by reactance theory. We also demonstrate the elusive, theorized boomerang effects by showing a strong negative connection between reactance and intentions. While this effect has long been theorized, little empirical evidence on this effect has been established previously [19, 45].

We also demonstrate the potential creation of anger as a negative outcome of reactance. Looking beyond compliance, anger in the workplace is a particularly troublesome phenomenon as it is strongly linked to destructive antisocial behavior in the workplace. Hence, high levels of control might result in desired ISPO compliance, but workplace anger can create a potentially dangerous Pyrrhic victory for any organization. Accordingly, researchers and practitioners should no longer consider controls and deterrence in an organizational vacuum without considering the potential for threats to freedom that can undermine controls and deterrence and result in unintended negative consequences. These results illustrate the danger of the common organizational practice of introducing new ISPOs (or other organizational policies) using controlling language in memos distributed widely throughout an organization. This finding indicates that managers need to be very cautious in choosing the manner, medium, and method of introducing new ISPOs and organizational policies. ISPOs are clearly necessary in organizations; however, when managers write or communicate potentially freedom-restricting policies, they need to take into account that employees consider themselves free agents with rights and freedoms that, if threatened, will cause them to react negatively. Whereas ISPOs need formal written controls, they need to be written and delivered in a respectful manner that softens or eliminates imperatives and provides for a range of options, wherever possible. Most importantly, managers need to balance coercion with care [46].

Moreover, although reactance theory has been used for several decades and most reactance constructs in our CRCM have been measured in various studies, our extensive literature review of the theory reveals that no single study has ever tested the full set of reactance theory constructs in any context—let alone with organizational ISPOs. In fact, most studies do not directly examine the importance of freedom and threat level. Consequently, portions of the reactance theory model, and sometimes the whole model, are typically treated as a theoretical “black box” where the nomological relationships are assumed but not measured and validated. Furthermore, given that, by definition, formal controls and freedom are diametrically opposed, we considered how newly introduced ISPOs might threaten existing freedoms (only those related to the new policies) and thus affect reactance, anger, and intent toward ISPO compliance. Notably, we found that the most influential freedom element driving reactance was a threat to freedom, not the importance of freedom. This serves as a particular warning to practice, because our study indicates that even threats to a “trivial” freedom can trigger reactance.

5.2 Limitations and Future Research

Our first key limitation, which points to promising future research, is the limited generalizability of our results, because they were derived from a controlled laboratory experiment. Whereas we have every reason to believe that our CRCM should hold up in similar matters of organizational compliance—especially any involving high levels of control and potential threats to personal freedom (e.g., audits, accounting controls, HR personnel policies, downsizing, mergers and acquisitions, and so on), further replication of the CRCM is needed to establish its generalizability.

Moreover, following typical practices in attitudinal research, we considered intent but not actual compliance. Whereas our scenarios/vignettes approach to ISPO compliance is a standard and valid approach for predicting actual compliance [e.g., 36], testing our new model in actual organizations that are implementing new IT policies would be useful. Likewise, how long reactance perseveres and the factors that contribute to its weakening are important open issues that could affect generalizability. Thus, longitudinal organizational data that examine reactance strength and compliance over time would be valuable.

Likewise, we tested our CRCM in a Western culture—specifically with US-based employees. US employees have been shown to be highly individualistic, valuing individual freedom of choice at work more than employees in collectivistic societies, such as the People’s Republic of China [e.g., 47, 48]. Employees in highly collectivistic (e.g., China or France) or highly controlling cultures (e.g., Saudi Arabia or Iran) might demonstrate far less reactance and anger than those in highly individualistic cultures like the US, simply because those employees do not place the same importance on workplace freedom and instead focus more on the success of the organization. An important extension of this model would be to consider the differences in the perceptions of the threats to freedom—and subsequent reactance—in collectivistic versus individualistic cultures. Research could also consider the effects within organizations that are increasingly mixed and heterogeneous in terms of the cross-cultural propensities of employees, or even in terms of a firm’s organizational culture.

A final promising future research opportunity would be to consider further the dual negative and positive effects of the CRCM through physiological measures. Again, we showed that reactance constructs decrease intent, whereas control constructs increase intent. How is it that these counterbalancing forces can work together at the same time in one’s cognition? It could be that we are missing a key construct in the policy compliance literature—one of intent to not comply, and that intent to not comply combined with intent to comply is actually what best predicts compliance. This issue is similar to the issue in the trust and distrust literature of whether distrust was just low trust or whether it was actually a separate construct. Recent, groundbreaking research involving fMRI brain scan technology established that distrust and low trust are indeed separate constructs [49]. The same may be true of intent to comply and intent not to comply. fMRI scans would also be potentially useful in examining the cognitive manifestations of reactance and the resulting anger.

Future research should examine just what it is that establishes some ISPO-related behaviors as cherished freedoms that are very personal to users, whereas others are not. It is possible that some of the drivers could relate to the degree to which a behavior involves personal information privacy issues [18]. Likewise, more research should be done on the ways in which threats to freedoms can be increased and decreased. Possible factors that we did not examine could include how abruptly a policy is delivered; delivering policies face-to-face versus in a more impersonal manner, such as email; establishing an environment of threat awareness; treating employees as security partners and allies, as opposed to security threats; explaining the wide variety of freedoms that employees have and should not assume to be restricted by new policies (e.g., the ability to freely surf the Web during lunch breaks); developing policies in conjunction with the employees who are to adhere to the policies; training that explains the rationale for IT security policies; and the like.

6.0 CONCLUSION

Organizations increasingly rely on ISPOs to help address the “weak link” of employees in organizational information security. Unfortunately, these ISPOs are only partially effective, because employees often ignore them, circumvent them, or even do the opposite of what management desires. With ISPOs being the main method for ensuring secure behaviors by organizational members, it becomes imperative to better understand how to increase compliance with such policies. So that ISPOs can be developed and communicated more effectively, the purpose of our study was to better explain the opposing motivations regarding compliance with new ISPOs.

In this manuscript, we proposed an innovative model, the CRCM, which pits organizational control theory, as a force that explains ISPO compliance, against reactance theory, as a force that explains ISPO noncompliance and anger toward organizations. We further explained that reactance to newly mandated policies could result in unanticipated negative outcomes for organizations, which might cause more harm than the intended good from the ISPO. The CRCM was tested and largely supported using a sample of 320 working professionals in a variety of industries. Our work highlights the important roles that managers have in promoting new policies, and shows that consideration should be given to how these new policies are introduced and explained to employees within the organization.

7.0 REFERENCES

[1] J. D'Arcy, A. Hovav, and D. F. Galletta, "User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach," Information Systems Research, vol. 20, pp. 79-98, 2009.

[2] B. Bulgurcu, H. Cavusoglu, and I. Benbasat, "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness," MIS Quarterly, vol. 34, pp. 523-548, 2010.

[3] K. Witte, "Putting the fear back into fear appeals: The extended parallel process model," Communication Monographs, vol. 59, pp. 329-349, 1992.

[4] L. J. Kirsch, "Deploying common systems globally: The dynamics of control," Information Systems Research, vol. 15, pp. 374-395, 2004.

[5] S. R. Boss, L. J. Kirsch, I. Angermeier, R. A. Shingler, and R. W. Boss, "If someone is watching, I'll do what I'm asked: Mandatoriness, control, and information security," European Journal of Information Systems, vol. 18, pp. 151-164, 2009.

[6] I. Ajzen, "Residual effects of past on later behavior: Habituation and reasoned action perspectives," Personality & Social Psychology Review, vol. 6, pp. 107-122, 2002.

[7] A. C. Johnston and M. Warkentin, "Fear appeals and information security behaviors: An empirical study," MIS Quarterly, vol. 34, pp. 549-566, 2010.

[8] H. H. Kelley and J. L. Michela, "Attribution theory and research," Annual Review of Psychology, vol. 31, pp. 457-501, 1980.

[9] B. Verplanken and H. Aarts, "Habit, attitude, and planned behavior: Is habit an empty construct or an interesting case of goal-directed automaticity?," in European Review of Social Psychology, W. Stroebe and M. Hewstone, Eds. Chichester, England, 1999, pp. 101-134.

[10] S. Pahnila, M. Siponen, and A. Mahmood, "Employees' behavior towards IS security policy compliance," in 40th Hawaii International Conference on Systems Sciences, Hawaii, USA, 2007, pp. 1-10.

[11] L. J. Kirsch, D.-G. Ko, and M. H. Haney, "Investigating the antecedents of team-based clan control: Adding social capital as a predictor," Organization Science, vol. 21, pp. 469-489, 2010.

[12] M. Chan, I. M. Y. Woon, and A. Kankanhalli, "Perceptions of information security at the workplace: Linking information security climate to compliant behavior," Journal of Information Privacy and Security, vol. 1, pp. 18-41, 2005.

[13] Q. Hu, Z. Xu, T. Dinev, and H. Ling, "Does deterrence work in reducing information security policy abuse by employees?," Communications of the ACM, vol. 54, pp. 54-60, 2011.

[14] B. Schneider, "The people make the place," Personnel Psychology, vol. 40, pp. 437-453, 1987.

[15] A. Kankanhalli, H.-H. Teo, B. C. Y. Tan, and K.-K. Wei, "An integrative study of information systems security effectiveness," International Journal of Information Management, vol. 23, pp. 139-154, 2003.

[16] J. Lee and Y. Lee, "A holistic model of computer abuse within organizations," Information Management & Computer Security, vol. 10, pp. 57-63, 2002.

[17] B. J. Alge, G. A. Ballinger, S. Tangirala, and J. L. Oakley, "Information privacy in organizations: Empowering creative and extrarole performance," The Journal of Applied Psychology, vol. 91, pp. 221-232, 2006.

[18] C. Posey, T. L. Roberts, R. Bennett, and P. B. Lowry, "When computer monitoring backfires: Invasion of privacy and organizational injustice as precursors to computer abuse," Journal of Information System Security, vol. 7, pp. 24-47, 2011.

[19] P. Silvia, "Deflecting reactance: The role of similarity in increasing compliance and reducing resistance," Basic and Applied Social Psychology, vol. 27, pp. 277-284, 2005.

[20] J. W. Brehm, A Theory of Psychological Reactance. London, U.K.: Academic Press, Inc., 1966.

[21] J. W. Brehm, Response to Loss of Freedom: A Theory of Psychological Reactance. Morristown, NJ, USA: General Learning Press, 1972.

[22] M. D. Heilman and B. L. Toffler, "Reacting to reactance: An interpersonal interpretation of the need for freedom," Journal of Experimental Social Psychology, vol. 12, pp. 519-529, 1976.

[23] G. Lee and W. Lee, "Psychological reactance to online recommendation services," Information & Management, vol. 46, pp. 448-452, 2009.

[24] J. P. Dillard and L. Shen, "On the nature of reactance and its role in persuasive health communication," Communication Monographs, vol. 72, pp. 144-168, 2005.

[25] W. G. Ouchi, "A conceptual framework for the design of organizational control mechanisms," Management Science, vol. 25, pp. 833-848, 1979.

[26] T. B. Lawrence and S. L. Robinson, "Ain't misbehavin: Workplace deviance as organizational resistance," Journal of Management, vol. 33, pp. 378-394, Jun 2007.

[27] J. W. Brehm and S. S. Brehm, Psychological Reactance: A Theory of Freedom and Control. San Diego, CA, USA: Academic Press, 1981.

[28] C. R. Tittle, "Refining control balance theory," Theoretical Criminology, vol. 8, pp. 395-428, 2004.

[29] R. Engs and D. J. Hanson, "Reactance theory: A test with collegiate drinking," Psychological Reports, vol. 64, pp. 1083-1086, 1989.

[30] D. N. Allen, D. G. Sprenkel, and P. A. Vitale, "Reactance theory and alcohol consumption laws: Further confirmation among collegiate alcohol consumers," Journal of Studies on Alcohol, vol. 55, pp. 34-40, 1994.

[31] N. Wiium, L. E. Aarø, and J. Hetland, "Psychological reactance and adolescents' attitudes toward tobacco-control measures," Journal of Applied Social Psychology, vol. 39, pp. 1718-1738, 2009.

[32] S. B. Sitkin and N. L. Roth, "Explaining the limited effectiveness of legalistic 'remedies' for trust/distrust," Organization Science, vol. 4, pp. 367-392, 1993.

[33] B. L. Quick and D. K. Kim, "Examining reactance and reactance restoration with South Korean adolescents: A test of psychological reactance within a collectivist culture," Communication Research, vol. 36, pp. 765-782, 2009.

[34] L. K. Trevino, "Experimental approaches to studying ethical-unethical behavior in organizations," Business Ethics Quarterly, vol. 2, pp. 121-136, 1992.

[35] M. O'Fallon and K. Butterfield, "A review of the empirical ethical decision-making literature: 1996-2003," Journal of Business Ethics, vol. 59, pp. 375-413, 2005.

[36] M. Siponen and A. Vance, "Neutralization: New insights into the problem of employee information systems security policy violations," MIS Quarterly, vol. 34, pp. 487-502, 2010.

[37] K. Guo, Y. Yuan, N. Archer, and C. Connelly, "Understanding non-malicious security violations in the workplace: A composite behavior model," Journal of Management Information Systems, vol. 28, pp. 203-236, 2011.

[38] F. Argelaguet, A. Kulik, A. Kunert, C. Andujar, and B. Froehlich, "See-through techniques for referential awareness in collaborative virtual reality," International Journal of Human-Computer Studies, vol. 69, pp. 387-400, Jun 2011.

[39] C. L. Anderson and R. Agarwal, "Practicing safe computing: A multimethod empirical examination of home computer user security behavioral intentions," MIS Quarterly, vol. 34, pp. 613-643, 2010.

[40] R. J. Bennett and S. L. Robinson, "Development of a measure of workplace deviance," Journal of Applied Psychology, vol. 85, pp. 349-360, 2000.

[41] R. Gibney, T. J. Zagenczyk, and M. F. Masters, "The negative aspects of social exchange: An introduction to perceived organizational obstruction," Group & Organization Management, vol. 34, pp. 665-697, 2009.

[42] N. F. Awad and A. Ragowsky, "Establishing trust in electronic commerce through online word of mouth: An examination across genders," Journal of Management Information Systems, vol. 24, pp. 101-121, 2008.

[43] C. Posey, P. B. Lowry, T. L. Roberts, and S. Ellis, "The culture-influenced online community self-disclosure model: The case of working professionals in France and the UK who use online communities," European Journal of Information Systems, vol. 19, pp. 181-195, 2010.

[44] C. M. Ringle, S. Wende, and S. Will, "SmartPLS 2.0 (M3) Beta," Hamburg, Germany, 2005.

[45] M. Burgoon, E. Alvaro, J. Grandpre, and M. Voulodakis, "Revisiting the theory of psychological reactance," in The Persuasion Handbook: Developments in Theory and Practice, J. P. Dillard and M. Pfau, Eds. Thousand Oaks, CA, USA: Sage, 2002.

[46] G. Sewell and J. R. Barker, "Coercion versus care: Using irony to make sense of organizational surveillance," Academy of Management Review, vol. 31, pp. 1-24, 2006.

[47] P. B. Lowry, D. Zhang, L. Zhou, and X. Fu, "Effects of culture, social presence, and group composition on trust in technology-supported decision-making groups," Information Systems Journal, vol. 20, pp. 297-315, 2010.

[48] D. Zhang, P. B. Lowry, L. Zhou, and X. Fu, "The impact of individualism-collectivism, social presence, and group diversity on group decision making under majority influence," Journal of Management Information Systems, vol. 23, pp. 53-80, 2007.

[49] A. Dimoka, "What does the brain tell us about trust and distrust? Evidence from a functional neuroimaging study," MIS Quarterly, vol. 34, pp. 373-396, 2010.