Explaining Opposing Compliance Motivations towards Organizational
Information Security Policies
Paul Benjamin Lowry
City University of Hong Kong
Greg D. Moody
University of Las Vegas-Nevada
Abstract
Lack of compliance with organizational
information security policies (ISPOs) is a widespread
organizational issue that increasingly bears very large
direct and qualitative costs. The purpose of our study
was to explain the causes of tensions within
organizations to either comply with new ISPOs or
react negatively against them. To do so, we proposed
an innovative model, which pits organizational control
theory, as a force that explains ISPO compliance,
against reactance theory, as a force that explains ISPO
noncompliance and anger toward organizations. To
test the model, we used a sample of 320 working
professionals in a variety of industries to examine the
likely organizational outcomes when a new ISPO is
delivered to employees in the form of a typical memo
sent throughout an organization. We found support for
our newly proposed model, which is an important
contribution to research on organizational security
practices.
1.0 INTRODUCTION
Organizations increasingly rely on information
and related systems, which are also a source of much
organizational risk. This environment has consequently
increased the importance of managing information
risks within organizations. This risk management has
traditionally relied on technological solutions to
improve information security. Yet, because employees
are big threats to organizations’ information security
and cause the majority of information security
breaches, it is crucial to consider the socio-organizational
elements in assuring that information
resources are secure [1]. Thus, fostering employee
compliance with information security policies (ISPOs)
is a key approach that organizations use to attempt to
improve this weak link [1, 2]. ISPOs are a set of
formalized procedures, guidelines, roles, and
responsibilities which employees are required to
adhere to in order to safeguard and use the information
and technology resources of their organizations
properly.
ISPO compliance is a critical consideration in
organizational security governance, because internal
controls are created, responsibilities are assigned, and
accountability is maintained. ISPOs help ensure the
security of organizational information resources by
thwarting employee attempts to bypass information
security, and by training employees to use information
resources appropriately. Recent management research
has applied several theories and frameworks to explain
ISPO compliance and related phenomena; yet, thus
far, the findings are mixed. In practice, actual ISPO
compliance is also highly mixed: many employees are
apathetic about ISPOs and ignore them; other times
employees try to circumvent ISPOs intentionally; and,
even worse, some employees will often purposely do
the opposite of the desired behavior.
Extant literature has produced a strong foundation
for organizational ISPO compliance research, but has
left several gaps that provide opportunities for further
research. One key opportunity is that although some
studies have looked at ISPO compliance [e.g., 2] and
others have looked at noncompliance [e.g., 1], no
studies have directly considered their motivators in the
same model. This is an important aspect, because
human behavior often involves dual-process models of
competing outcomes [e.g., 3]. Understanding the dual
processes of increased and decreased desire to comply
could explain the mixed results in the literature.
Likewise, understanding both sides might help explain
the most puzzling research results, in which increased
ISPO controls sometimes backfire and increase
pernicious employee behaviors in organizations.
2.0 CRCM THEORY AND HYPOTHESES
We now provide more detail on the theoretical
foundation of the Control-Reactance Compliance
Model (CRCM), starting with control theory, from
which we introduce the key constructs of formal
control, mandatoriness, and security precautions. These
are constructs that have already been established in the
literature that we will use as a traditional explanation
for why employees are motivated to comply with new
ISPOs.
For this portion of CRCM, we build primarily on a
model by Boss et al. that combines the use of control
theory with the concept of mandatoriness to effectively
explain that when individuals perceive organizational
security policies to be mandatory, they are more likely
to take security precautions. The foundation of the
Boss et al. model is control theory. Control theory was
originally developed to classify the different types of
control utilized by organizations to constrain
employees and to explain the social conditions in
which different forms of control are used, depending
upon the objectives and tasks characteristic of the
organization.
Although this approach to control theory helps
explain the environments and contexts in which
particular controls are most likely to be used, later
research further clarified the elements that constitute
control itself. Namely, Kirsch [4] categorized controls
as either formal, which are “formally documented and
initiated by management,” or informal, which are
“unwritten and often initiated by employees
themselves” [4, p. 375]. Formal controls are inherently
more discernible because they are more structured,
precisely regulated, and more recognizable. We
assume formal controls in our study.
Building on Kirsch’s work, Boss et al. applied
control theory in the realm of ISPOs by observing the
general effect these policies have on specification
(a.k.a., measurement), evaluation, and reward. Kirsch
defined these as follows: specification is the
measurability of expected behaviors or outcomes;
evaluation is the exchange of information and the
process of assessing performance; and reward is the
result of the performance of expected behaviors,
leading to goal achievement.
Boss et al. further observed the effect of formal
controls on compliance with existing ISPOs by
introducing the innovative concept of mandatoriness,
which is “the degree to which individuals perceive that
compliance with existing security policies and
procedures is compulsory or expected by
organizational management” (p. 151). They found that
formal controls toward existing ISPOs do indeed
increase the perceived mandatoriness of existing
ISPOs. Boss et al.’s research suggested that, when
policies are implemented, an organization signals that
employees are expected to comply. That signal can
vary in the degree of existing mandatoriness by
manipulating the dimensions of the formal controls.
For further modeling clarity, we term these existing,
organizational, formal ISPO controls as existing
organizational formal controls.
Boss et al.’s model further explains that an
individual’s existing perceived mandatoriness of
existing organizational ISPOs will in turn affect the
general range of ISPO security precautions the
individual takes within the organization. The
researchers’ findings show that existing controls
increase employees’ existing mandatoriness, and this
mandatoriness increases the general ISPO security
precautions taken by the employee [5]. Formally, we
term these as existing ISPO precautions taken, which
are defined as “the degree to which individuals
perceive they take measures to secure their computers”
in order to follow existing formal controls and ISPOs
[5, p. 155].
2.1 Control Theory and ISPO Compliance
A key point of differentiation with Kirsch’s model
and Boss et al.’s model is that these were proposed and
tested around predicting how existing organizational
conditions impact existing compliance to policies.
CRCM adds the nuance of predicting how existing
organizational conditions predict compliance to a new
ISPO. In our context, the new ISPO will be introduced
through a formal organizational memo, so that we can
manipulate the formal control and language of the
newly introduced ISPO as a persuasion attempt to
encourage organizational compliance. Therefore, we
ignored replications and predictions of how existing
conditions predict existing compliance, as these are
established and thus outside the scope of our study.
Thus, our first theoretical proposition is that
because past related behavior is often a strong
predictor of future related behavior [6], it logically
follows that if an employee has a pattern of taking
ISPO precautions, this pattern is likely to continue in
terms of new ISPOs. One reason for this link is that
past ISPO compliance suggests a more positive attitude
toward ISPO compliance than that of an employee who
has not complied with ISPOs. Such positive attitudes
tend to be lasting and are strong predictors of future
ISPO compliance [2, 7]. Further, individuals tend to
maintain consistency between their outward behaviors
and their internal motivations that drive such
behaviors, thus their behaviors and motivations are
expected to remain consistent over time [8].
Finally, past compliance and habit are a further
explanation for the link between past and future ISPO
compliance behaviors. Formally, habit is the “learned
sequences of acts that have become automatic
responses to specific cues, and are functional in
obtaining certain goals or end-states” [9, p. 104].
Behavioral habits toward ISPO compliance have been
shown to predict continued and future ISPO
compliance: as employees develop good attitudes,
awareness, and knowledge of ISPOs, and comply with
them over time, they develop normative beliefs and
habits toward ISPO compliance [10].
H1. Existing ISPO precautions taken increase intent to
comply with a new ISPO.
Aside from the habit of precautions taken, we
posit that the existing organizational formal controls
also have a direct impact on new ISPO compliance.
Existing controls help to create a climate and culture
where ISPO compliance is the norm and where
expectations are clearer than in organizations without
formal controls. That is, formal controls from
management create normative beliefs around ISPO
compliance, and these norms can evolve into strong
social capital controls in organizations [11]. In our
context, normative beliefs (a.k.a., norms) are “an
employee’s perceived social pressure about compliance
with the requirements of the ISPO caused by
behavioral expectations of such important referents as
executives, colleagues, and managers” [2, p. 529];
these norms increase compliance [2].
Such formal policies and controls can help create a
positive information security climate, where
compliance is more likely by also reinforcing
normative beliefs [12]. Formally, an information
security climate involves the organizational
mechanisms and practices that define how an
organization treats information security [13]. In
positive climates, it is more likely that employees will
perceive that the top management champions ISPOs,
which is the degree to which employees perceive that
the top managers in an organization firmly support or
advocate for its ISPOs [13]. Such championship
emphasizes the importance of the ISPO in the day-to-day
work of an organization in protecting it from harm
[14]. By evaluating and enforcing the use of ISPO
controls in an organization, management again
emphasizes the importance and the benefit of the ISPO
to the entire organization.
Notably, positive security climates with perceived
top management championship foster more ISPO
compliance in employees [13]. Aside from perceived
leadership, top management championship is effective
because organizations with such management tend to
have more preventative controls [15] and because top
management support serves as a form of normative
control against non-compliance [16]. Thus, if an
organization lacks strong controls, then the security
climate, associated expectations, and top management
championship are more likely to be weaker—as will be
ISPO compliance.
H2. Existing organizational formal controls increase
intent to comply with a new ISPO.
We also propose that the perceived mandatoriness
of a new ISPO affects ISPO compliance directly. We
first assume the corollary that if existing ISPOs have
an associated perceived mandatoriness, then new
ISPOs will have their own associated perceived
mandatoriness. To increase theoretical clarity, we
define new ISPO mandatoriness as the degree to which
an individual perceives that compliance with a new
ISPO is compulsory or expected by organizational
management. Recall that Boss et al. found that the acts
of specifying policies and evaluating behaviors (i.e.,
controls) are effective in convincing individuals that
security policies are mandatory. Since Boss et al. show
that existing controls are positively correlated with
existing mandatoriness, then new controls should
positively impact new mandatoriness similarly.
H3. New ISPO mandatoriness increases intent to
comply with a new ISPO.
2.2 Reactance Theory and ISPO Noncompliance
Now that we have explained how formal controls,
mandatoriness, and taking existing security precautions
can influence organizational ISPO compliance, we now
consider reactance theory to explain what discourages
ISPO compliance. A key assumption of CRCM is that
most employees have a predetermined level of
tolerance for controlling management policies and a
threshold for how much individual freedom the
individuals will give up before negative consequences
toward the organization will occur. This assumption is
supported by a host of deterrence- and monitoring-related
studies that show that overly controlling
approaches can backfire and result in pernicious
employee behaviors [e.g., 17, 18]. Thus, high levels of
new ISPO control could lead to negative results for
organizations—especially because punishments are
often an integral part of formalized controls. Despite
this promising connection, this issue has not been
considered in the literature thus far. To address this
issue, we leverage psychological reactance theory.
Reactance theory has historically been used in
behavioral and psychological studies. For example,
Silvia [19] studied the role of similarity in decreasing
reactance. Others have used reactance theory in a
variety of behavioral studies. However, we found no
application in terms of organization policy compliance,
including ISPO compliance.
Reactance theory predicts that any given person
has a set of behavioral freedoms (a realm of personal
freedom) that if eliminated, or threatened with
elimination, will create an adverse state of arousal
called reactance [20]. Reactance is a negative
emotional response caused by threats or losses on
behavioral freedom, which focuses on restoring the
freedom in question. A key assumption for reactance to
occur is that the person whose behavior is threatened
has an expectation of free choice and thus is
motivationally aroused any time that free choice is
threatened [21]. Reactance has also been shown to
occur when individuals are pressured (e.g., strongly
persuaded or manipulated) to choose between two
choices [22].
Accordingly, in our context, reactance is a
negative emotional coping response that is a form of
message rejection caused primarily by lost or
threatened freedom, and thus focuses on re-establishing
the threatened or eliminated behavioral freedom.
Unlike avoidance, reactance is an active negative
response to an external source that tries to
influence/persuade behavior. During reactance, an
individual systematically processes the sources of the
negative emotion, but rather than trying to conceal the
emotion, the individual is motivated to challenge the
causes of the emotion (i.e., loss of behavioral
freedoms), which allows him/her to invalidate the
conclusions formed from the causes [23]. Accordingly,
reactance is associated with more heated or emotional
responses that allow individuals to displace the concern
over missed opportunities with a sense of anger or
frustration directed toward the source of information
originally perceived to cause the concern [24]. Thus,
reactance is a particularly pernicious organizational
phenomenon, because it pits the will of the employee
against the will of the employer, resulting in negative
conflicts through undesired employee behaviors and
emotions.
We propose that new organizational controls are
key mechanisms that can drive reactance in
organizations. We posit that newly introduced controls
from a new ISPO can threaten one’s sense of freedom
by challenging the existing balance of an employee’s
valued behavioral freedoms. As support, formal control
“depends heavily upon monitoring, evaluating, and
correcting in an explicit manner” [4; 25, p. 841].
Namely, the manager determines the behaviors,
outcomes, procedures, goals, and so forth, that the
employee is expected to meet. An established
hierarchy of authority in an organization provides a
context in which the roles and relationships can be
understood. For example, an autocratic authority is a
formal control, because of the clear and strong
superior-subordinate relationship.
Notably, Ouchi explained and predicted that
higher levels of control are “likely to offend people’s
sense of autonomy and of self-control . . . [because],
the more obvious and explicit the measurement, the
more noxious it is to employees” (p. 841). Later work
further explained that control can actually encourage deviance
when control produces a perceived disparity between
employee and employer [26]. It is thus not surprising
that reactance research has shown that coercion, in
particular, tends to lead to the strongest levels of
reactance, because it goes beyond mere persuasion
[27]. Hence, a strong display of authoritative power—
for example, more explicit formal control
measurements, whether in the form of specification,
evaluation, or rewards and sanctions—can threaten an
employee’s sense of freedom. That is, when a manager
specifies an employee’s appropriate outcomes or
behaviors, the employee’s behavior alternatives are
more limited [28]. Thus, the more specific and
transparent the controls provided in a new ISPO are,
the more such controlling approaches are likely to
threaten an employee’s sense of freedom because of
the specification, evaluation, and rewards around the
specific behaviors.
The key to galvanizing the causal mechanisms of
reactance is thus to threaten or eliminate personal
freedoms that employees believe organizations should
not threaten. In predicting reactance, the issue is not
whether it is reasonable or legal to threaten or
eliminate an employee’s freedom, the issue is how an
employee feels about a threatened freedom. A study on
underage drinking, which is illegal and generally not in
keeping with common sense [29], illustrated this issue:
in this study, despite legal and social mores, the more
the students felt that drinking alcohol should be a
personal freedom, the more the messages urging
them not to drink influenced drinking. This study was
later confirmed in a more advanced study on collegiate
drinking [30], and similar results were shown in
adolescent smoking research with dispositional
reactance [31].
Thus, the question in our context is not whether it
is reasonable or legal to threaten or eliminate employee
freedoms in the workplace regarding ISPOs, but rather
how employees perceive that the new ISPO controls
threaten their valued freedoms. Many employees feel
that there is an implicit contract of respecting privacy
and personal space in the workplace, and are offended
by the idea of their Internet access and emails being
monitored [32]. Also, whether or not employers
actually read employee emails is not the only salient
factor. If employers publicly reserve the right to read
employees’ email—even if they never engage in
reading them—that can cause enough of a threat to
personal freedom to cause reactance.
Meanwhile, the more important the threatened
freedom is or the greater the level of threat to freedom,
the greater the magnitude of reactance will be [24]. A
threat to freedom in a reactance context is the degree to
which the actions of or communications from
organizational management cause employees to believe
their freedom to choose is threatened, manipulated, or
pressured by management [24]. We define threat to
freedom from a new ISPO as the degree to which a new
ISPO delivered from an organization’s management
causes the employees to believe their freedom to
choose is threatened or manipulated by management.
The importance of freedom in a reactance context is
how much employees value the freedom to engage in
specific behaviors in the workplace that might be
controlled or eliminated by management [20]. In our
context, the importance of ISPO freedom is how much
employees value the freedom associated with a specific
computer-related behavior that might be controlled or
eliminated by management through ISPOs.
H4. A threat to freedom from a new ISPO increases
reactance to a new ISPO.
H5. The importance of ISPO freedom increases
reactance to a new ISPO.
Likewise, increased behavioral freedom decreases
reactance [27]. In our reactance context, we are
concerned with the behavioral freedom associated with
a new ISPO. Based on [24], we term this freedom as
freedom from a new ISPO, which is the degree to
which information regarding a new ISPO promotes
individual choice and decision making, free of pressure
and manipulation from management.
H6. Freedom from a new ISPO decreases reactance to a
new ISPO.
As reactance theory has been further tested and
extended over time, several important additions have
been included that further drive our CRCM proposal.
First, a promising phenomenon we found in the
reactance literature is that a well-established measure
of one’s reactance proneness (a.k.a., trait reactance)
has been developed and validated; ironically, however,
this measure has never been used to predict actual
reactance [24]. We thus newly posit and test this
relationship in our CRCM. Specifically, reactance
proneness is one’s disposition or tendency to
experience a state of reactance when one’s freedoms
are restricted [24]. Given this conceptualization, it
naturally follows that people who are more prone to
reactance to freedom restrictions in general are more
likely to manifest reactance when management
introduces a new, freedom-restricting ISPO.
H7. Reactance proneness increases reactance to a new
ISPO.
Quick and Kim [33] further demonstrated other
negative effects of reactance with a construct the
authors term boomerang effects. Boomerang effects
emerge because of reactance and are the measurable
efforts of individuals to directly restore freedoms
and/or undo threats to freedoms that emerge in an
organization. In an ISPO context, we propose that an
undesired boomerang effect would be lack of
compliance with the new ISPO as a purposeful act to
restore a valued but threatened or eliminated freedom.
Therefore, in our context, if an ISPO is seen by an
employee as a direct threat to his or her personal
freedom, the boomerang effects would be plausibly
manifested as a decreased intention to follow the new
ISPO in order to try to regain the lost freedoms and/or
decrease the threats to freedoms resulting from the new
policy. Similar effects have also been proposed and
found in the field of criminology.
H8. Reactance to a new ISPO decreases the intent to
comply with a new ISPO.
Dillard and Shen [24] also theorized that reactance
can result in “an amalgam of anger and negative
cognitions” (p. 164), which has been empirically
validated in [24, 33]. Such anger and negative
cognitions, such as irritation, tend to focus on the
related behavioral control incident, but can spread if
further incidents continue. Formally, in a reactance
context this anger/irritation is the degree to which a
behavioral control from management that threatens or
eliminates workplace freedom causes annoyance,
irritation, anger, or aggravation toward management
regarding the threatened or eliminated freedom. Such
anger/irritation is a particularly pernicious outcome in
organizations because such emotions are closely linked
to destructive antisocial or aggressive behavior.
H9. Reactance to a new ISPO increases anger/irritation
toward the organization about the new ISPO.
Figure 1 summarizes our proposed model, CRCM.
Figure 1. Control-Reactance Compliance Model (CRCM)
3.0 RESEARCH METHODS
Our experimental design was a 2x2 factorial
design that provided professional ISPO memos from
eight different, randomly selected IT security policies
that were manipulated in terms of controlling language
(high-low) and formal control (high-low). Eight
different forms of IT policies were used with four
manipulations each, for a total of 32 conditions. Each
policy had four memos representing a combination of
high-language high-control, high-language low-control,
low-language high-control, and low-language low-control,
for a between-groups factorial experiment.
We tested the CRCM by using a scenario-based
method with professionals. The scenario method
presents respondents with “written descriptions of
realistic situations and then request[s] responses on a
number of rating scales that measure the dependent
variables of interest” [34, pp. 127-128]. This is the
method most commonly applied to issues related to
ethics [35]. Accordingly, this method is highly useful
for studying ISPO compliance issues and thus has been
increasingly used in the ISPO and computer-abuse
literature [e.g., 13, 36, 37, 38].
The range of IT security policies was chosen to
provide a realistic sample of the policies that are used
in industry, some of which may be more restrictive and
threatening to freedom than others. To develop these
policies, we reviewed the academic and practitioner
literature extensively for user-focused IT security
policies. Notably, we focused on policies that end-users
would notice and that they would understand in
terms of the implications for the employees’ daily
work. We thus avoided more technical behind-the-scenes
security policies that end-users may not notice
or understand, such as automatic network data
encryption, honey pots set up to lure hackers,
redundant data backups, and the like. The eight IT
policies were built around the following common
security issues: end-user software installation, antivirus
and spyware software use with corporate networks, use
of non-work-related software, inconsistent use of
antivirus software, personal use of corporate email
systems, lack of centralized data storage, use of USB
drives for sensitive data, and personal Internet use.
These issues are also thoroughly documented in
organization security practice research in [13, 36].
Though many of the specific IT security policies are
straightforward, they still have profound effects on
overall IT security because organizational employees
account for a majority of all of the information security
problems [39].
For strong experimental control, each of the eight
unique IT policies had four carefully constructed
versions that did not alter the associated ISPO. Instead,
the ISPO’s introductory and concluding text was
changed to represent high-low controlling language
and high-low new control. The formal control
manipulations were based on Boss et al.’s and Kirsch’s
conceptualizations and measurements. All three
elements of formal control were written into these
manipulations for the high-control conditions:
specification, evaluation, and rewards. Specification
was introduced by providing more clarity and detail,
much of which was achieved through the enhanced
description of evaluation and rewards. Evaluation was
introduced by explicitly stating how the system and
management would monitor the end-users’
compliance. Rewards and punishments were also
specified for compliance and noncompliance. The
low-control conditions lacked this level of detail. To
establish experimental control further, these wording
changes were exactly the same across all memos,
regardless of the ISPO itself.
To ensure that the ISPO memo scenarios were
realistic and effective for manipulating our theoretical
constructs, we went through several rounds of
development with experts, along with pilot testing
graduate students who had industry and research
expertise on information security.
For the increased generalizability of our study, we
hired a market research firm to randomly select and
invite industry participants from a total pool of nearly 3
million professionals to oversee the study as an online
research panel. External panels have been used to elicit
responses to survey instruments in various contexts
[e.g., 40, 41] and are increasingly used in
organizational research because panels have several
established research advantages [e.g., 42, 43].
The marketing research firm commissioned 320
working professionals to participate; 160 were male
(50%) and 160 were female (50%). Among all of the
participants, 52 (16.3%) were part-time workers, and
268 (83.7%) were full-time workers. The average age
was 45.2 years (SD = 11.9), average years of work
experience was 21.3 (SD = 12.3), and average years of
formal education was 15.5 (SD = 2.8). The participants
represented several key industries. IRB approval was
given, and all respondents participated with full
consent.
Participants first filled out their demographic
information and pre-experiment measures. The
participants were then given a series of two randomly
selected ISPO memos in two separate rounds of
experimentation and measurement. Each memo was
addressed individually, with the participant answering
questions in regard to only the memo just viewed. The
participants were asked to evaluate how they would
feel about these memos in terms of their current
organization and position. They then filled out the
post-experiment measures after each memo, yielding
640 data points. The random presentation of the
memos was designed to mitigate any potential ordering
effects.
All of the measures were based on established
measures. We also added several standard covariates as
potential predictors of intent, anger, and reactance: age,
education level, years of work experience, work status,
gender, organizational size, and ISPO apathy [5]. We
also created a one-item covariate that asked about the
degree to which that participant’s organization had a
similar ISPO in place. Finally, both controlling
language and new control were operationalized into
our experiment as actual manipulations within the
memos given to the participants; given the lack of
available established measurements, each had an
associated one-item manipulation check that we used
to verify that the manipulation was in the intended
direction.
4.0 ANALYSIS AND RESULTS
Prior to testing the CRCM, we conducted a pre-analysis
and data validation according to the latest
standards, for several purposes: (1) to establish the
model specification, (2) to establish the factorial
validity of the instrument through convergent and
discriminant validities, (3) to establish that
multicollinearity was not a problem for this model, (4)
to check for common-methods bias using several
approaches, and (5) to establish strong construct
reliabilities. The results of our validation procedures
show that our model data meets or exceeds the latest
rigorous validation and reliability standards expected
for partial least squares (PLS) based analysis. Before
analysis we also performed manipulation checks that
confirmed our manipulations were in the intended
direction.
We used PLS regression analysis with SmartPLS
version 2.0 [44] for model analysis. We analysed our
model data by a bootstrap with 500 resamples. Figure 2
graphically depicts the results.
Figure 2. Results of Testing Proposed Model
5.0 DISCUSSION
Our experimental results provide extensive support for
the CRCM. Existing organizational formal controls
increased the intent to comply with the new ISPO (H2
supported). New ISPO mandatoriness increased the
intent to comply with the new ISPO (H3 supported). A
threat to freedom from the new ISPO increased
reactance to the new ISPO (H4 supported). Reactance
proneness (or trait reactance) increased reactance to the
new ISPO (H7 supported). Reactance to the new ISPO
decreased the intent to comply with the new ISPO (H8
supported, along with the hypothesized underlying
boomerang effects). Reactance to the new ISPO
increased anger/irritation toward the organization about
the new ISPO (H9 supported).
Three hypotheses were not supported. The existing
ISPO precautions taken had no effect on the intent to
comply with the new ISPO (H1 rejected). Both the
importance of ISPO freedom and freedom from the
new ISPO had no effect on reactance (H5 and H6
rejected). In terms of covariates, we found that ISPO
apathy increased reactance, while it decreased
anger/irritation. Also, the degree to which similar
ISPOs already existed in the organization decreased
reactance and anger/irritation. Finally, gender
(females) was a predictor of anger/irritation.
Summarizing our results, Figure 3 provides our
suggested updated version of the CRCM for ongoing
research, including promising covariates.
Figure 3. Future Research Version of CRCM
5.1 Contributions to Research, Theory, and Practice
Our key contribution is an innovative model that
examines two counterpoised forces to predict intent to
comply with new ISPOs in organizations for the first
time. Extant research tested models involving either
ISPO compliance or noncompliance; however, no
extant model or empirical research has considered the
competing motivations together. The CRCM considers
both: organizational controls, as predicted by control
theory, are shown to be a positive predictor of intent to
comply, whereas threats to personal freedom from
organizational controls result in reactance, as
predicted by reactance theory. We also demonstrate the
elusive, theorized boomerang effects by showing a
strong negative connection between reactance and
intentions. While this effect has long been theorized,
little empirical evidence for it has been
established previously [19, 45].
We also demonstrate the potential creation of
anger as a negative outcome of reactance. Looking
beyond compliance, anger in the workplace is a
particularly troublesome phenomenon as it is strongly
linked to destructive antisocial behavior in the
workplace. Hence, high levels of control might result
in desired ISPO compliance, but workplace anger can
create a potentially dangerous Pyrrhic victory for any
organization. Hence, researchers and practitioners
should no longer consider controls and deterrence in an
organizational vacuum without considering the
potential for threats to freedom that can undermine
controls and deterrence and result in unintended
negative consequences. These results illustrate the
danger of the common organizational practice of
introducing new ISPOs (or other organizational
policies) using controlling language in memos
distributed widely throughout an organization. This
finding indicates that managers need to be very
cautious in choosing the manner, medium, and method
of introducing new ISPOs and organizational policies.
ISPOs are clearly necessary in organizations; however,
when managers write or communicate potentially
freedom-restricting policies, the managers need to take
into account that employees consider themselves free
agents with rights and freedoms that if threatened will
cause employees to react negatively. Whereas ISPOs
need formal written controls, they need to be written
and delivered in a respectful manner that softens or
eliminates imperatives and provides for a range of
options, wherever possible. Most importantly,
managers need to balance coercion with care [46].
Moreover, although reactance theory has been
used for several decades and most reactance constructs
in our CRCM have been measured in various studies,
our extensive literature review of the theory reveals
that no single study has ever tested the full reactance
theory constructs in any context—let alone with
organizational ISPOs. In fact, most studies do not
directly examine the importance of freedom and threat
level. Consequently, portions of the reactance theory
model, and sometimes the whole model, are typically
treated as a theoretical “black box” where the
nomological relationships are assumed but not
measured and validated. Moreover, given that, by
definition, formal controls and freedom are
diametrically opposed, we considered how newly
introduced ISPOs might threaten existing freedoms
(only those related to the new policies) and thus affect
reactance, anger, and intent toward ISPO compliance.
Notably, we found that the most influential freedom
element that drives reactance was a threat to freedom,
and not the importance of freedom. This serves as a
particular warning to practice, because our study
indicates that even threats to a “trivial” freedom can
trigger reactance.
5.2 Limitations and Future Research
Our first key limitation, which points to promising
future research, is the limited generalizability of our
results, because they were derived from a controlled
laboratory experiment. Whereas we have every reason
to believe that our CRCM should hold up in similar
matters of organizational compliance—especially any
involving high levels of control and potential threats to
personal freedom (e.g., audits, accounting controls, HR
personnel policies, downsizing, mergers and
acquisitions, and so on), further replication of the
CRCM is needed to establish its generalizability.
Moreover, following typical practices in attitudinal
research, we considered intent but not actual
compliance. Whereas our scenarios/vignettes approach
to ISPO policy compliance is a standard and valid
approach for predicting actual compliance [e.g., 36],
testing our new model in actual organizations that are
implementing new IT policies would be useful.
Likewise, how long reactance perseveres and the
factors that contribute to its weakening are important
open issues that could affect generalizability. Thus,
longitudinal organizational data that examines
reactance strength and compliance over time would be
valuable.
Likewise, we tested our CRCM in a Western
culture—specifically with US-based employees. US
employees have been shown to be highly
individualistic, valuing individual freedom of choice at
work more than employees in collectivistic societies,
such as the People’s Republic of China [e.g., 47, 48].
Employees in highly collectivistic (e.g., China or
France) or highly controlling cultures (e.g., Saudi
Arabia or Iran) might demonstrate far less reactance
and anger than those in highly individualistic cultures
like the US, simply because those employees do not
place the same importance on workplace freedom and
instead focus more on the success of the organization.
An important extension of this model would be to
consider the differences in the perceptions of the
threats to freedom—and subsequent reactance—in
collectivistic versus individualistic cultures. Research
could also consider the effects within organizations
that are increasingly mixed and heterogeneous in terms
of the cross-cultural propensities of employees, or even
in terms of a firm’s organizational culture.
A final promising future research opportunity
would be to further examine the dual negative and positive
effects of the CRCM using physiological
measures. Again, we showed that reactance constructs
decrease intent, whereas control constructs increase
intent. How is it that the counterbalancing forces can
work together at the same time in one’s cognition? It
could be that we are missing a key construct in the
policy compliance literature—one of intent to not
comply, and that intent to not comply combined with
intent to comply are actually what best predict
compliance. This issue is similar to the issue in the
trust and distrust literature of whether distrust was just
low trust or whether it was actually a separate
construct. Recent, groundbreaking research involving
fMRI brain scan technology established that distrust
and low trust are indeed separate constructs [49]. The
same may be true with intent to comply and intent not
to comply. fMRI scans would also be potentially useful
in examining the cognitive manifestations of reactance
and the resulting anger.
Future research should examine just what it is that
establishes some ISPO-related behaviors as cherished
freedoms that are very personal to users, whereas
others are not. It is possible that some of the drivers
could relate to the degree to which a behavior involves
personal information privacy issues [18]. Likewise,
more research should be done on ways threats to
freedoms can be increased and decreased. Possible
factors that we did not examine could include how
abruptly a policy is delivered; delivering policies face-
to-face versus a more impersonal manner, such as
email; establishing an environment of threat
awareness; treating employees as security partners and
allies, as opposed to security threats; explaining the
wide variety of freedoms that employees have and
should not assume to be restricted by new policies
(e.g., the ability to freely surf the Web during lunch
breaks); developing policies in conjunction with the
employees who are to adhere to the policies; training
that explains the rationale for IT security policies; and
the like.
6.0 CONCLUSION
Organizations increasingly rely on ISPOs to help
address the “weak link” of employees in organizational
information security. Unfortunately, these ISPOs are
only partially effective, because employees often
ignore them, circumvent them, or even do the opposite
of what management desires. With ISPOs being the
main method for ensuring secure behaviors by
organizational members, it becomes imperative to
better understand how to increase compliance with these
policies. So that ISPOs can be developed and
communicated more effectively, the purpose of our
study was to better explain the opposing motivations
regarding compliance with new ISPOs.
In this manuscript, we proposed an innovative
model, CRCM, which pits organizational control
theory, as a force that explains ISPO compliance,
against reactance theory, as a force that explains ISPO
noncompliance and anger toward organizations. We
further explained that reactance to newly mandated
policies could result in unanticipated negative
outcomes for organizations, which might cause more
harm than the intended good from the ISPO. The
CRCM was tested and largely supported using a
sample of 320 working professionals in a variety of
industries. Our work highlights the important roles that
managers have in promoting new policies, and that
consideration should be given as to how these new
policies are introduced and explained to employees
within the organization.
7.0 REFERENCES
[1] J. D'Arcy, A. Hovav, and D. F. Galletta, "User
awareness of security countermeasures and its impact on
information systems misuse: A deterrence approach,"
Information Systems Research, vol. 20, pp. 79-98, 2009.
[2] B. Bulgurcu, H. Cavusoglu, and I. Benbasat,
"Information security policy compliance: An empirical study
of rationality-based beliefs and information security
awareness," MIS Quarterly, vol. 34, pp. 523-548, 2010.
[3] K. Witte, "Putting the fear back into fear appeals: The
extended parallel process model," Communication
Monographs, vol. 59, pp. 329-349, 1992.
[4] L. J. Kirsch, "Deploying common systems globally: The
dynamics of control," Information Systems Research, vol. 15,
pp. 374-395, 2004.
[5] S. R. Boss, L. J. Kirsch, I. Angermeier, R. A. Shingler,
and R. W. Boss, "If someone is watching, I'll do what I'm
asked: Mandatoriness, control, and information security,"
European Journal of Information Systems, vol. 18, pp. 151-
164, 2009.
[6] I. Ajzen, "Residual effects of past on later behavior:
Habituation and reasoned action perspectives," Personality &
Social Psychology Review (Lawrence Erlbaum Associates),
vol. 6, pp. 107-122, 2002.
[7] A. C. Johnston and M. Warkentin, "Fear appeals and
information security behaviors: An empirical study," MIS
Quarterly, vol. 34, pp. 549-566, 2010.
[8] H. H. Kelley and J. L. Michela, "Attribution theory
and research," Annual Review of Psychology, vol. 31, pp.
457-501, 1980.
[9] B. Verplanken and H. Aarts, "Habit, attitude, and
planned behavior: Is habit an empty construct or an
interesting case of goal-directed automaticity?," in European
Review of Social Psychology, W. Stroebe and M. Hewstone,
Eds. Chichester, England, 1999, pp. 101-134.
[10] S. Pahnila, M. Siponen, and A. Mahmood,
"Employees' behavior towards IS security policy
compliance," in 40th Hawaii International Conference on
Systems Sciences, Hawaii, USA, 2007, pp. 1-10.
[11] L. J. Kirsch, D.-G. Ko, and M. H. Haney,
"Investigating the antecedents of team-based clan control:
Adding social capital as a predictor," Organization Science,
vol. 21, pp. 469-489, 2010.
[12] M. Chan, I. M. Y. Woon, and A. Kankanhalli,
"Perceptions of information security at the workplace:
Linking information security climate to compliant behavior,"
Journal of Information Privacy and Security, vol. 1, pp. 18-
41, 2005.
[13] Q. Hu, Z. Xu, T. Dinev, and H. Ling, "Does deterrence
work in reducing information security policy abuse by
employees?," Communications of the ACM, vol. 54, pp. 54-
60, 2011.
[14] B. Schneider, "The people make the place," Personnel
Psychology, vol. 40, pp. 437-453, 1987.
[15] A. Kankanhalli, H.-H. Teo, B. C. Y. Tan, and K.-K. Wei,
"An integrative study of information systems
security effectiveness," International Journal of Information
Management, vol. 23, pp. 139-154, 2003.
[16] J. Lee and Y. Lee, "A holistic model of computer abuse
within organizations," Information Management & Computer
Security, vol. 10, pp. 57-63, 2002.
[17] B. J. Alge, G. A. Ballinger, S. Tangirala, and J. L.
Oakley, "Information privacy in organizations: Empowering
creative and extrarole performance," The Journal of Applied
Psychology, vol. 91, pp. 221-232, 2006.
[18] C. Posey, T. L. Roberts, R. Bennett, and P. B. Lowry,
"When computer monitoring backfires: Invasion of privacy
and organizational injustice as precursors to computer abuse,"
Journal of Information System Security, vol. 7, pp. 24-47,
2011.
[19] P. Silvia, "Deflecting reactance: The role of similarity
in increasing compliance and reducing resistance," Basic and
Applied Social Psychology, vol. 27, pp. 277-284, 2005.
[20] J. W. Brehm, A Theory of Psychological Reactance.
London, U.K.: Academic Press, Inc., 1966.
[21] J. W. Brehm, Response to Loss of Freedom: A Theory
of Psychological Reactance. Morristown, NJ, USA: General
Learning Press, 1972.
[22] M. D. Heilman and B. L. Toffler, "Reacting to
reactance: An interpersonal interpretation of the need for
freedom," Journal of Experimental Social Psychology, vol.
12, pp. 519-529, 1976.
[23] G. Lee and W. Lee, "Psychological reactance to online
recommendation services," Information & Management, vol.
46, pp. 448-452, 2009.
[24] J. P. Dillard and L. Shen, "On the nature of reactance
and its role in persuasive health communication,"
Communication Monographs, vol. 72, pp. 144-168, 2005.
[25] W. G. Ouchi, "A conceptual framework for the design
of organizational control mechanisms," Management Science,
vol. 25, pp. 833-848, 1979.
[26] T. B. Lawrence and S. L. Robinson, "Ain't misbehavin:
Workplace deviance as organizational resistance," Journal of
Management, vol. 33, pp. 378-394, Jun 2007.
[27] J. W. Brehm and S. S. Brehm, Psychological
Reactance: A Theory of Freedom and Control. San Diego,
CA, USA: Academic Press, 1981.
[28] C. R. Tittle, "Refining control balance theory,"
Theoretical Criminology, vol. 8, pp. 395-428, 2004.
[29] R. Engs and D. J. Hanson, "Reactance theory: A test
with collegiate drinking," Psychological Reports, vol. 64, pp.
1083-1086, 1989.
[30] D. N. Allen, D. G. Sprenkel, and P. A. Vitale,
"Reactance theory and alcohol consumption laws: Further
confirmation among collegiate alcohol consumers," Journal
of Studies on Alcohol, vol. 55, pp. 34-40, 1994.
[31] N. Wiium, L. E. Aarø, and J. Hetland, "Psychological
reactance and adolescents' attitudes toward tobacco-control
measures," Journal of Applied Social Psychology, vol. 39, pp.
1718-1738, 2009.
[32] S. B. Sitkin and N. L. Roth, "Explaining the limited
effectiveness of legalistic 'remedies' for trust/distrust,"
Organization Science, vol. 4, pp. 367-392, 1993.
[33] B. L. Quick and D. K. Kim, "Examining reactance and
reactance restoration with South Korean adolescents: A test of
psychological reactance within a collectivist culture,"
Communication Research, vol. 36, pp. 765-782, 2009.
[34] L. K. Trevino, "Experimental approaches to studying
ethical-unethical behavior in organizations," Business Ethics
Quarterly, vol. 2, pp. 121-136, 1992.
[35] M. O'Fallon and K. Butterfield, "A review of the
empirical ethical decision-making literature: 1996-2003,"
Journal of Business Ethics, vol. 59, pp. 375-413, 2005.
[36] M. Siponen and A. Vance, "Neutralization: New
insights into the problem of employee information systems
security policy violations," MIS Quarterly, vol. 34, pp. 487-
502, 2010.
[37] K. Guo, Y. Yuan, N. Archer, and C. Connelly,
"Understanding non-malicious security violations in the
workplace: A composite behavior model," Journal of
Management Information Systems, vol. 28, pp. 203-236,
2011.
[38] F. Argelaguet, A. Kulik, A. Kunert, C. Andujar, and B.
Froehlich, "See-through techniques for referential awareness
in collaborative virtual reality," International Journal of
Human-Computer Studies, vol. 69, pp. 387-400, Jun 2011.
[39] C. L. Anderson and R. Agarwal, "Practicing safe
computing: A multimethod empirical examination of home
computer user security behavioral intentions," MIS
Quarterly, vol. 34, pp. 613-643, 2010.
[40] R. J. Bennett and S. L. Robinson, "Development of a
measure of workplace deviance," Journal of Applied
Psychology, vol. 85, pp. 349-360, 2000.
[41] R. Gibney, T. J. Zagenczyk, and M. F. Masters, "The
negative aspects of social exchange: An introduction to
perceived organizational obstruction," Group &
Organization Management, vol. 34, pp. 665-697, 2009.
[42] N. F. Awad and A. Ragowsky, "Establishing trust in
electronic commerce through online word of mouth: An
examination across genders," Journal of Management
Information Systems, vol. 24, pp. 101-121, 2008.
[43] C. Posey, P. B. Lowry, T. L. Roberts, and S. Ellis,
"The culture-influenced online community self-disclosure
model: The case of working professionals in France and the
UK who use online communities," European Journal of
Information Systems, vol. 19, pp. 181-195, 2010.
[44] C. M. Ringle, S. Wende, and S. Will, "SmartPLS 2.0
(M3) Beta," Hamburg, Germany, 2005.
[45] M. Burgoon, E. Alvaro, J. Grandpre, and M.
Voulodakis, "Revisiting the theory of psychological
reactance," in The Persuasion Handbook: Developments in
Theory and Practice, J. P. Dillard and M. Pfau, Eds.
Thousand Oaks, CA, USA: Sage, 2002.
[46] G. Sewell and J. R. Barker, "Coercion versus care:
Using irony to make sense of organizational surveillance,"
Academy of Management Review, vol. 31, pp. 1-24, 2006.
[47] P. B. Lowry, D. Zhang, L. Zhou, and X. Fu, "Effects
of culture, social presence, and group composition on trust in
technology-supported decision-making groups," Information
Systems Journal, vol. 20, pp. 297-315, 2010.
[48] D. Zhang, P. B. Lowry, L. Zhou, and X. Fu, "The
impact of individualism-collectivism, social presence, and
group diversity on group decision making under majority
influence," Journal of Management Information Systems,
vol. 23, pp. 53-80, 2007.
[49] A. Dimoka, "What does the brain tell us about trust
and distrust? Evidence from a functional neuroimaging
study," MIS Quarterly, vol. 34, pp. 373-396, 2010.