Paper ID

1391

Paper Type

full

Description

Employees are regarded as the weakest link in organizations’ information security management, and their security compliance is crucial in determining organizations’ information security success. Prior literature has extensively investigated the influences of formal management controls (i.e. deterrence, rewards, and monitoring) on employees’ security compliance; however, other control mechanisms such as social control and self-control have drawn less attention. In this study, we proposed a taxonomy of the formal and informal control mechanisms used in security management, and proposed an integrative, control-based model to understand employees’ security compliance behaviors. We further validated the model with a meta-analysis. Our model was largely supported by the meta-analysis results. We found informal social controls and self-control to be more effective in promoting security compliance than formal controls. In addition, we found that the influences of formal and informal controls on security compliance were moderated by the eastern / western culture context.


Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis
