Paper ID
1391
Paper Type
full
Description
Employees are regarded as the weakest link in organizations’ information security management, and their security compliance is crucial in determining organizations’ information security success. Prior literature has extensively investigated the influences of formal management controls (i.e. deterrence, rewards, and monitoring) on employees’ security compliance; however, other control mechanisms such as social control and self-control have drawn less attention. In this study, we proposed a taxonomy of the formal and informal control mechanisms used in security management, and proposed an integrative, control-based model to understand employees’ security compliance behaviors. We further validated the model with a meta-analysis. Our model was largely supported by the meta-analysis results. We found informal social controls and self-control to be more effective in promoting security compliance than formal controls. In addition, we found that the influences of formal and informal controls on security compliance were moderated by the eastern / western culture context.
Recommended Citation
Liu, Jing; Zhang, Jun; and Zhang, Jingzhi, "Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis" (2019). ICIS 2019 Proceedings. 26.
https://aisel.aisnet.org/icis2019/cyber_security_privacy_ethics_IS/cyber_security_privacy/26
Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis
Employees are regarded as the weakest link in organizations’ information security management, and their security compliance is crucial in determining organizations’ information security success. Prior literature has extensively investigated the influences of formal management controls (i.e. deterrence, rewards, and monitoring) on employees’ security compliance; however, other control mechanisms such as social control and self-control have drawn less attention. In this study, we proposed a taxonomy of the formal and informal control mechanisms used in security management, and proposed an integrative, control-based model to understand employees’ security compliance behaviors. We further validated the model with a meta-analysis. Our model was largely supported by the meta-analysis results. We found informal social controls and self-control to be more effective in promoting security compliance than formal controls. In addition, we found that the influences of formal and informal controls on security compliance were moderated by the eastern / western culture context.