•  
  •  
 
Communications of the Association for Information Systems

Author ORCID Identifier

Jing Liu: 0000-0001-9933-2328

Jun Zhang: 0000-0001-6275-9387

Hemin Jiang: 0000-0002-5269-7925

Jingzhi Zhang: 0000-0002-1913-7379

Mikko Siponen: 0000-0001-7041-1313

Abstract

To mitigate security risks, organizations often implement various controls to motivate employee information security policy (ISP) compliance. Although prior research has examined various controls influencing ISP compliance, most studies have focused on the effects of formal controls and paid relatively less attention to informal controls. This is especially evident in recent meta-analyses. Drawing on 183 independent studies, we conduct a meta-analysis with a focus on informal controls. Specifically, we synthesize and compare the effectiveness of informal controls (i.e., clan and self-controls) with formal controls in promoting ISP compliance. We find that informal controls are not only effective but also generally more effective than formal controls in motivating ISP compliance. Moreover, the influence of informal controls remains largely stable across contextual and methodological factors, whereas the effectiveness of formal controls is contingent upon factors such as national culture, policy specificity, and behavioral measurement type. Using a meta-analytic structural equation modeling approach, we further reveal that formal controls indirectly enhance ISP compliance by shaping employees’ perceptions of informal controls through socialization and internalization processes. These findings highlight the critical yet underexplored role of informal controls, and provide a nuanced understanding of how informal controls are shaped by formal controls.

Share

COinS
 

When commenting on articles, please be friendly, welcoming, respectful and abide by the AIS eLibrary Discussion Thread Code of Conduct posted here.