The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness

Published Online: https://doi.org/10.1287/isre.2015.0569
