Because most security breaches are caused by human error, employees are perceived as the first line of defense against threats. Accordingly, organizations invest in information security policy (ISP) creation, implementation, and training initiatives. However, despite a vast stream of research, employee compliance with the information security policy remains an issue. We argue that it is not enough to study the motivations behind ISP compliance, since the motivation for adaptive behavior (ISP compliance) may be different from maladaptive behaviors (avoidance and non-compliance); therefore, we take a rule-following perspective to study both. We argue that when the requirements of ISP disrupt their work, employees face rule tension. In response to rule tension, they are less likely to exhibit adaptive behaviors and more likely to exhibit maladaptive behaviors. In addition, we propose that two common governance approaches - (1) command-and-control, and (2) self-regulatory approach moderate the relationship between rule tension and adaptive and maladaptive behaviors in the context of ISP rule-following.