An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective
Introduction
Research on information security offers various approaches to protecting organizational information and mitigating threats. These studies may belong to technology, behavior, management, and organization approaches (Zafar and Clark, 2009). However, previous studies tend to focus on security technologies such as detection systems and firewalls; research on employees' behavior is scant (Crossler et al., 2013). The International Federation for Information Processing (IFIP) Working Group 8.11/11.13 on Information Systems Security Research argued that further study from an organizational behavior perspective is required and that the determining factors in information security policy (ISP) compliance should be investigated (Crossler et al., 2013). The meta-analysis on ISP compliance by Lebek et al. (2014) also called for research on the social factors connecting employees and their organizations. Although several studies have examined social factors as antecedents or moderators of ISP compliance (Bulgurcu et al., 2009; Herath and Rao, 2009; Myyry et al., 2009), these efforts are insufficient for building a substantial theoretical foundation.
To extend ISP compliance theory, this study combines the key ISP constructs drawn from information security countermeasures and rational choice theory with psychological contracts, which, to our knowledge, have not yet been applied to the information security context. Psychological contracts have been examined in terms of tax compliance (Feld and Frey, 2007). Since all individuals in organizations have employment relationships, a theoretical perspective based on contractual mechanisms can also be applied to ISP compliance.
This study aims to provide a research model for employees' ISP compliance intention and to shed light on the application of psychological contract theory to ISP compliance research. A research model drawing on information security countermeasures, rational choice theory, and psychological contract theory is tested to provide supporting evidence. This paper makes important contributions to theory and practice. We draw upon and synthesize psychological contract theory and apply it to the context of information security where, to our knowledge, it has not yet been applied. We propose an empirically testable theoretical model combining the psychological contract with several constructs drawn from ISP research and rational choice theory, the dominant theoretical framework for ISP studies. To the best of our knowledge, this is among the first studies to discuss how the contractual mechanism can encourage ISP compliance in organizations.
The rest of this paper proceeds as follows. The next section reviews the literature on ISP compliance and psychological contract theory. The following sections describe the study's research model and hypotheses. In Section 4, the research methodology is described. Section 5 presents the results and their analysis. In Section 6, we discuss the findings of the study. Finally, the study's limitations and implications and possible future research directions are discussed in Section 7.
Section snippets
ISP compliance
Several standards and guidelines have been created or revised to reflect external and insider threats. For example, NIST SP 800-53 Revision 4 was updated to address incident response, security awareness training, and third-party personnel security (NIST, 2013). The Framework for Improving Critical Infrastructure Cybersecurity provides organizations with principles and best practices for managing cybersecurity risk (NIST, 2014). The Payment Card Industry Data Security Standard (PCI DSS) also released
Hypothesis development
The research model and hypotheses depicted in Fig. 1 include security countermeasures, perceived cost, perceived benefits, psychological contract fulfillment, and compliance intention. The RCT assumes that individuals have preferences among the available alternatives (McCarthy, 2002; Paternoster and Pogarsky, 2009). This study considers an employee's alternatives as whether or not to comply with the ISP. Employees deciding whether to comply with what is prescribed in an ISP will consider the costs and
Development of measures
The unit of analysis is an individual who is working or has worked for a company with more than 100 employees. The company must utilize enterprise information systems. We used a survey questionnaire to validate our research model. Most of the questions were adapted from previous instruments (see Table 1) and were modified to fit our research framework. In the research model, perceived psychological contract is measured as a second-order factor, while the rest of the constructs are assessed as
Data analysis and results
We used Partial Least Squares (PLS) to examine the proposed model for the following reasons: it is suitable for assessing theories in the early stages of development (Chin et al., 2003), as is the case in this study; in addition, compared with other SEM (Structural Equation Modeling) techniques, PLS places minimal demands on sample size (Chin et al., 2003). We used SPSS 21.0 and SmartPLS 2.0 M3 to analyze the measurement and structural models.
Discussion
A summary of the hypothesis test results is shown in Table 9. The results of the study partially support the hypotheses. While the perceived cost of RCT has no significant impact on ISP compliance intention, perceived benefits influence ISP compliance intention in both the supervisor and supervisee groups. Moreover, high costs are perceived when individuals from the supervisor group are aware of the ISP. Perceived psychological contract fulfillment has no mediating effect on the relationship
Theoretical implications
This study examined the psychological contract as an influential factor in ISP compliance and validated its mediating effects between perceived costs and ISP compliance. It integrated ISP compliance determinants identified in prior research with the psychological contract, explaining employees' security behavior in terms of RCT. From the RCT perspective, we examined the factors influencing ISP compliance by considering cost–benefit factors that are not available in the GDT and PMT perspectives. More
References (59)
- Psychological contract breach and job attitudes: a meta-analysis of age as a moderator. J Vocat Behav (2008).
- Optimistic bias about online privacy risks: testing the moderating effects of perceived controllability and prior experience. Comp Human Behav (2010).
- Future directions for behavioral information security research. Comput Secur (2013).
- Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the US and South Korea. Inform Manage (2012).
- Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Comput Secur (2012).
- Understanding anti-plagiarism software adoption: an extended protection motivation theory perspective. Decis Support Syst (2011).
- Understanding compliance with internet use policy from the perspective of rational choice theory. Decis Support Syst (2010).
- The impact of psychological contract fulfillment on the performance of in-role and organizational citizenship behaviors. J Manage (2003).
- Motivating IS security compliance: insights from habit and protection motivation theory. Inform Manage (2012).
- In defense of the realm: understanding the threats to information security. Int J Inform Manage (2004).
- Security lapses and the omission of information security measures: a threat control model and empirical test. Comp Human Behav.
- Structural equation modeling in practice: a review and recommended two-step approach. Psychol Bull.
- Crime and punishment: an economic approach.
- Roles of information security awareness and perceived fairness in information security policy compliance.
- Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quart.
- The partial least squares approach to structural equation modeling.
- A partial least squares latent variable modeling approach for measuring interaction effects: results from a Monte Carlo simulation study and an electronic-mail emotion/adoption study. Inform Syst Res.
- The reciprocal relationship between psychological contract fulfilment and employee performance and the moderating role of perceived organizational support and tenure. J Occup Organ Psychol.
- User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inform Syst Res.
- Intrinsic motivation and self-determination in human behavior.
- Tax compliance as the result of a psychological tax contract: the role of incentives and responsive regulation. Law Policy.
- Evaluating structural equation models with unobservable variables and measurement error. J Market Res.
- Multivariate data analysis: with readings.
- Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inform Syst.
- Social behavior: its elementary forms.
- Managing employee compliance with information security policies: the critical role of top management and organizational culture. Decis Sci.
- Broken promises: equity sensitivity as a moderator between psychological contract breach and employee attitudes and behavior. J Bus Psychol.
- The effect of personalization provider characteristics on privacy attitudes and behaviors: an elaboration likelihood model approach. J Assoc Info Sci Tech.
- The psychological contract: managing the joining-up process. Calif Manage Rev.
Cited by (91)
- Employees' in-role and extra-role information security behaviors from the P-E fit perspective. 2023, Computers and Security.
- Banking Information Resource Cybersecurity System Modeling. 2022, Journal of Open Innovation: Technology, Market, and Complexity.
- Time Will Tell: The Case for an Idiographic Approach to Behavioral Cybersecurity Research. 2024, MIS Quarterly: Management Information Systems.
- Critical success factors for Security Education, Training and Awareness (SETA) programme effectiveness: an empirical comparison of practitioner perspectives. 2024, Information and Computer Security.
JinYoung Han is an industry-university cooperation professor at the College of ICT Engineering, Chung-Ang University in Seoul, Korea. She earned a Ph.D. in MIS from Korea University Business School in Seoul. She holds a Master's in software engineering from Hankuk University of Foreign Studies and has over ten years' industry experience in project management and IS strategy consulting. Her research interests include information security, project management, Green IT, open innovation, and cross culture. She has published in the Journal of International Project Management, Computers in Human Behavior, the Journal of Computer Information Systems, and Electronic Commerce Research and Applications.
Yoo Jung Kim received her Ph.D. in MIS from Korea University Business School in Seoul in 1999. She holds a Master's in MIS from Hankuk University of Foreign Studies. Dr. Kim led the Next Generation Internet team of the government agency called the National Information Society Agency for nearly four years. Dr. Kim joined the faculty of the Department of Business Administration at Hoseo University, Chungcheongnam-do, Korea, in 2006. Her research interests include business intelligence, digital convergence business models, mobile business strategy, and information security.
Hyungjin Kim is a Ph.D. candidate in Management Engineering at the College of Business, Korea Advanced Institute of Science and Technology (KAIST). He received his B.S. and M.S. degrees in Management Information Systems from Korea University. His current research interests are entertainment industry analysis, customer relationship management, and information security. He has published in the Journal of Intelligence and Information Systems (Korea).