An integrative model of information security policy compliance with psychological contract: Examining a bilateral perspective

Highlights

• Psychological contract fulfillment is integrated into ISP compliance research model.

• The difference between supervisor and supervisee groups was found in the integrated model.

• The mediating effect of psychological contract fulfillment exists in the supervisor group.

• Employees anticipate to comply with ISP when they recognize the benefits of ISP compliance.

Abstract

Organizations are trying to induce employees to comply with information security policy (ISP) as organizational damage of information breach incidents gets serious. Many previous approaches to ISP compliance have focused on security technologies. However, researchers in this area agree that technology approach is not sufficient so that other approaches such as behavioral and social are required. This study suggests the integrated research model including ISP compliance antecedents and psychological contract fulfillment. The study investigates the mediating effect of psychological contract fulfillment between perceived costs and ISP compliance intention comparing supervisor and supervisee groups. The results show that psychological contract fulfillment can mitigate the negative effect of costs on ISP compliance intention in supervisor group. Employees also anticipate complying with ISP when they recognize the benefits of ISP compliance. This study could shed more lights on the ISP compliance area by integrating and examining ISP compliance research model with psychological contract as a social factor.

Introduction

Research on information security offers various approaches to protecting organizational information and mitigating threats. These studies may belong to technology, behavior, management, and organization approaches (Zafar and Clark, 2009). However, previous studies tend to focus on security technologies such as detection systems and firewalls; research on employees' behavior is scant (Crossler et al., 2013). The International Federation for Information Processing (IFIP) Working Group 8.11/11.13 on Information Systems Security Research argued that further study from an organizational behavior perspective is required and that the determining factors in information security policy (ISP) compliance should be investigated (Crossler et al., 2013). The meta-analysis on ISP compliance of Lebek et al. (2014) also called for research on the social factors connecting employees and their organizations. Although several studies have examined social factors as antecedents or moderators of ISP compliance (Bulgurcu et al, 2009, Herath, Rao, 2009, Myyry et al, 2009), these efforts are insufficient for building a substantial theoretical foundation.

For extending of ISP compliance theory, this study combines the key ISP constructs drawn from information security countermeasures and rational choice theory with psychological contracts, which, to our knowledge, have not yet been applied to the information security context. Psychological contracts have been examined in terms of tax compliance (Feld and Frey, 2007). Since all individuals in organizations have employment relationships, a theoretical perspective based on contractual mechanisms can also be applied to ISP compliance.

This study aims to provide a research model for employees' ISP compliance intention and shed light on the application of psychological contract theory to ISP compliance research. A research model drawing from information security countermeasures, rational choice theory, and psychological contract theory is tested to provide supporting evidence. This paper makes important contributions to theory and practice. We draw upon and synthesize psychological contract theory and apply it to the context of information security where, to our knowledge, it has not yet been applied. We propose an empirically testable theoretical model combining psychological contract and several constructs drawn from ISP and rational choice theory, the dominant theoretical framework for ISP studies. To the best of our knowledge, this is among the first studies to discuss how the contractual mechanism can encourage ISP in organizations.

The rest of this paper proceeds as follows. The next section reviews the literature on ISP compliance and psychological contract theory. The following sections describe the study's research model and hypotheses. In Section 4, the research methodology is described. Section 5 presents the results and their analysis. In Section 6, we discuss findings of the study. Finally, the study’s limitations and implications and possible future research directions are discussed in Section 7.