IDEAS home Printed from https://ideas.repec.org/a/inm/orisre/v26y2015i2p282-300.html
   My bibliography  Save this article

The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness

Author

Listed:
  • Jack Shih-Chieh Hsu

    (Department of Information Management, National Sun Yat-sen University, Kaohsiung 80424, Taiwan)

  • Sheng-Pao Shih

    (Department of Information Management, Tamkang University, New Taipei City 25137, Taiwan)

  • Yu Wen Hung

    (Department of Information Management, National Sun Yat-sen University, Kaohsiung 80424, Taiwan)

  • Paul Benjamin Lowry

    (Department of Information Systems, City University of Hong Kong, Kowloon, Hong Kong)

Abstract

Although most behavioral security studies focus on organizational in-role behaviors such as information security policy (ISP) compliance, the role of organizational extra-role behaviors—security behaviors that benefit organizations but are not specified in ISPs—has long been overlooked. This study examines (1) the consequences of organizational in-role and extra-role security behaviors on the effectiveness of ISPs and (2) the role of formal and social controls in enhancing in-role and extra-role security behaviors in organizations. We propose that both in-role security behaviors and extra-role security behaviors contribute to ISP effectiveness. Furthermore, based on social control theory, we hypothesize that social control can boost both in- and extra-role security behaviors. Data collected from practitioners—including information systems (IS) managers and employees at many organizations—confirmed most of our hypotheses. Survey data from IS managers substantiated the importance of extra-role behaviors in improving ISP effectiveness. Paired data, collected from managers and employees in the same organizations, indicated that formal control and social control individually and interactively enhance both in- and extra-role security behaviors. We conclude by discussing the implications of this research for academics and practitioners, along with compelling future research possibilities.

Suggested Citation

  • Jack Shih-Chieh Hsu & Sheng-Pao Shih & Yu Wen Hung & Paul Benjamin Lowry, 2015. "The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness," Information Systems Research, INFORMS, vol. 26(2), pages 282-300, June.
    • Handle: RePEc:inm:orisre:v:26:y:2015:i:2:p:282-300
    DOI: 10.1287/isre.2015.0569
    as

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/isre.2015.0569
    Download Restriction: no
    File URL: https://libkey.io/10.1287/isre.2015.0569?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Kenneth J. Knapp & Thomas E. Marshall & R. Kelly Rainer Jr. & F. Nelson Ford, 2007. "Information Security Effectiveness: Conceptualization and Validation of a Theory," International Journal of Information Security and Privacy (IJISP), IGI Global, vol. 1(2), pages 37-60, April.
    2. Yoav Vardi & Yoash Wiener, 1996. "Misbehavior in Organizations: A Motivational Framework," Organization Science, INFORMS, vol. 7(2), pages 151-165, April.
    3. Kathleen M. Eisenhardt, 1985. "Control: Organizational and Economic Approaches," Management Science, INFORMS, vol. 31(2), pages 134-149, February.
    4. Laurie J. Kirsch, 2004. "Deploying Common Systems Globally: The Dynamics of Control," Information Systems Research, INFORMS, vol. 15(4), pages 374-395, December.
    5. Jeffrey D. Wall & Prashant Palvia & Paul Benjamin Lowry, 2013. "Control-Related Motivations and Information Security Policy Compliance: The Role of Autonomy and Efficacy," Journal of Information Privacy and Security, Taylor & Francis Journals, vol. 9(4), pages 52-79, October.
    6. John D'Arcy & Anat Hovav & Dennis Galletta, 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, INFORMS, vol. 20(1), pages 79-98, March.
    7. Laurie J. Kirsch, 1996. "The Management of Complex Tasks in Organizations: Controlling the Systems Development Process," Organization Science, INFORMS, vol. 7(1), pages 1-21, February.
    8. Paul Lowry & Clay Posey & Tom Roberts & Rebecca Bennett, 2014. "Is Your Banker Leaking Your Personal Information? The Roles of Ethics and Individual-Level Cultural Characteristics in Predicting Organizational Computer Abuse," Journal of Business Ethics, Springer, vol. 121(3), pages 385-401, May.
    9. Martin Hoegl & Hans Georg Gemuenden, 2001. "Teamwork Quality and the Success of Innovative Projects: A Theoretical Concept and Empirical Evidence," Organization Science, INFORMS, vol. 12(4), pages 435-449, August.
    10. Detmar W. Straub, 1990. "Effective IS Security: An Empirical Study," Information Systems Research, INFORMS, vol. 1(3), pages 255-276, September.
    11. Laurie J. Kirsch & Dong-Gil Ko & Mark H. Haney, 2010. "Investigating the Antecedents of Team-Based Clan Control: Adding Social Capital as a Predictor," Organization Science, INFORMS, vol. 21(2), pages 469-489, April.
    12. Wynne W. Chin & Barbara L. Marcolin & Peter R. Newsted, 2003. "A Partial Least Squares Latent Variable Modeling Approach for Measuring Interaction Effects: Results from a Monte Carlo Simulation Study and an Electronic-Mail Emotion/Adoption Study," Information Systems Research, INFORMS, vol. 14(2), pages 189-217, June.
    13. Mark Chan & Irene Woon & Atreyi Kankanhalli, 2005. "Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behavior," Journal of Information Privacy and Security, Taylor & Francis Journals, vol. 1(3), pages 18-41, July.
    14. repec:ucp:bkecon:9780226316529 is not listed on IDEAS
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Le Wang & Paul Benjamin Lowry & Xin (Robert) Luo & Han Li, 2023. "Moving Consumers from Free to Fee in Platform-Based Markets: An Empirical Study of Multiplayer Online Battle Arena Games," Information Systems Research, INFORMS, vol. 34(1), pages 275-296, March.
    2. Zhenjiao Chen & Yaqing Liu, 2020. "The Effects of Leadership and Reward Policy on Employees’ Electricity Saving Behaviors: An Empirical Study in China," IJERPH, MDPI, vol. 17(6), pages 1-15, March.
    3. Debabrata Dey & Abhijeet Ghoshal & Atanu Lahiri, 2022. "Circumventing Circumvention: An Economic Analysis of the Role of Education and Enforcement," Management Science, INFORMS, vol. 68(4), pages 2914-2931, April.
    4. John D’Arcy & Idris Adjerid & Corey M. Angst & Ante Glavas, 2020. "Too Good to Be True: Firm Social Performance and the Risk of Data Breach," Information Systems Research, INFORMS, vol. 31(4), pages 1200-1223, December.
    5. Wallbach, Sören, 2020. "Assimilation and Diffusion of Multi-Sided Platforms in Dynamic B2B Networks: Inhibiting Factors and Their Consequences," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 123277, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).
    6. Kumju Hwang & Hyemi Um, 2021. "Social Controls and Bonds of Public Information Consumer on Sustainable Utilization and Provision for Computing," Sustainability, MDPI, vol. 13(9), pages 1-20, May.
    7. Saggi Nevo & Dorit Nevo & Alain Pinsonneault, 2021. "Personal Achievement Goals, Learning Strategies, and Perceived IT Affordances," Information Systems Research, INFORMS, vol. 32(4), pages 1298-1322, December.
    8. Hadi Karimikia & Narges Safari & Harminder Singh, 2020. "Being useful: How information systems professionals influence the use of information systems in enterprises," Information Systems Frontiers, Springer, vol. 22(2), pages 429-453, April.
    9. Murilo Catussi Almeida & Adilson Carlos Yoshikuni & Rajeev Dwivedi & Cláudio Luís Carvalho Larieira, 2022. "Do Leadership Styles Influence Employee Information Systems Security Intention? A Study of the Banking Industry," Global Journal of Flexible Systems Management, Springer;Global Institute of Flexible Systems Management, vol. 23(4), pages 535-550, December.
    10. Cui, Xiling, 2017. "In- and extra-role knowledge sharing among information technology professionals: The five-factor model perspective," International Journal of Information Management, Elsevier, vol. 37(5), pages 380-389.
    11. Guang Zhu & Hu Liu & Mining Feng, 2018. "Sustainability of Information Security Investment in Online Social Networks: An Evolutionary Game-Theoretic Approach," Mathematics, MDPI, vol. 6(10), pages 1-19, September.
    12. A. J. Burns & Tom L. Roberts & Clay Posey & Paul Benjamin Lowry, 2019. "The Adaptive Roles of Positive and Negative Emotions in Organizational Insiders’ Security-Based Precaution Taking," Information Systems Research, INFORMS, vol. 30(4), pages 1228-1247, December.
    13. Rao Faizan Ali & P.D.D. Dominic & Kashif Ali, 2020. "Organizational Governance, Social Bonds and Information Security Policy Compliance: A Perspective towards Oil and Gas Employees," Sustainability, MDPI, vol. 12(20), pages 1-27, October.
    14. Rezaee, Zabihollah & Zhou, Gaoguang & Bu, Luofan (Luther), 2024. "Corporate social irresponsibility and the occurrence of data breaches: A stakeholder management perspective," International Journal of Accounting Information Systems, Elsevier, vol. 53(C).

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Jeffrey D. Wall & Prashant Palvia & John D’Arcy, 2022. "Theorizing the Behavioral Effects of Control Complementarity in Security Control Portfolios," Information Systems Frontiers, Springer, vol. 24(2), pages 637-658, April.
    2. Huigang Liang & Yajiong Xue & Liansheng Wu, 2013. "Ensuring Employees' IT Compliance: Carrot or Stick?," Information Systems Research, INFORMS, vol. 24(2), pages 279-294, June.
    3. Liu, Shan & Deng, Zhaohua, 2015. "How environment risks moderate the effect of control on performance in information technology projects: Perspectives of project managers and user liaisons," International Journal of Information Management, Elsevier, vol. 35(1), pages 80-97.
    4. Gregory D. Moody & Laurie J. Kirsch & Sandra A. Slaughter & Brian Kimball Dunn & Qin Weng, 2016. "Facilitating the Transformational: An Exploration of Control in Cyberinfrastructure Projects and the Discovery of Field Control," Information Systems Research, INFORMS, vol. 27(2), pages 324-346, June.
    5. Anandasivam Gopal & Sanjay Gosain, 2010. "Research Note ---The Role of Organizational Controls and Boundary Spanning in Software Development Outsourcing: Implications for Project Performance," Information Systems Research, INFORMS, vol. 21(4), pages 960-982, December.
    6. repec:mth:ijafr8:v:8:y:2018:i:2:p:236-257 is not listed on IDEAS
    7. Bart A. De Jong & Katinka M. Bijlsma-Frankema & Laura B. Cardinal, 2014. "Stronger Than the Sum of Its Parts? The Performance Implications of Peer Control Combinations in Teams," Organization Science, INFORMS, vol. 25(6), pages 1703-1721, December.
    8. Sandeep Rustagi & William R. King & Laurie J. Kirsch, 2008. "Predictors of Formal Control Usage in IT Outsourcing Partnerships," Information Systems Research, INFORMS, vol. 19(2), pages 126-143, June.
    9. Christian Jung-Gehling & Erik Strauss, 2018. "A Contemporary Concept of Organizational Control: Its Dependence on Shared Values and Impact on Motivation," Schmalenbach Business Review, Springer;Schmalenbach-Gesellschaft, vol. 70(4), pages 341-374, November.
    10. Rob Gleasure & Kieran Conboy & Lorraine Morgan, 2019. "Talking Up a Storm: How Backers Use Public Discourse to Exert Control in Crowdfunded Systems Development Projects," Information Systems Research, INFORMS, vol. 30(2), pages 447-465, June.
    11. Ling Xue & Gautam Ray & Bin Gu, 2011. "Environmental Uncertainty and IT Infrastructure Governance: A Curvilinear Relationship," Information Systems Research, INFORMS, vol. 22(2), pages 389-399, June.
    12. Downes, Rebecca & Daellenbach, Urs & Donnelly, Noelle, 2023. "Remote control: Attitude monitoring and informal control in distributed teams," Journal of Business Research, Elsevier, vol. 154(C).
    13. Rauter, Romana & Globocnik, Dietfried & Baumgartner, Rupert J., 2023. "The role of organizational controls to advance sustainability innovation performance," Technovation, Elsevier, vol. 128(C).
    14. Pankaj Nagpal & Andreas I. Nicolaou & Kalle Lyytinen, 2014. "Outsourcing And Market Value Of The Firm: Toward A Comprehensive Model," Intelligent Systems in Accounting, Finance and Management, John Wiley & Sons, Ltd., vol. 21(1), pages 19-38, January.
    15. Yang, Feifei & Shinkle, George A. & Goudsmit, Mirjam, 2022. "The efficacy of organizational control interactions: External environmental uncertainty as a critical contingency," Journal of Business Research, Elsevier, vol. 139(C), pages 855-868.
    16. Myeonggil Choi, 2016. "Leadership of Information Security Manager on the Effectiveness of Information Systems Security for Secure Sustainable Computing," Sustainability, MDPI, vol. 8(7), pages 1-21, July.
    17. Emil Inauen & Margit Osterloh & Bruno Frey & Fabian Homberg, 2015. "How a multiple orientation of control reduces governance failures: a focus on monastic auditing," Journal of Management & Governance, Springer;Accademia Italiana di Economia Aziendale (AIDEA), vol. 19(4), pages 763-796, November.
    18. Jorge Walter & Markus Kreutzer & Karin Kreutzer, 2021. "Setting the Tone for the Team: A Multi‐Level Analysis of Managerial Control, Peer Control, and their Consequences for Job Satisfaction and Team Performance," Journal of Management Studies, Wiley Blackwell, vol. 58(3), pages 849-878, May.
    19. Carsten Schultz & Oliver Gretsch & Alexander Kock, 2021. "The influence of shared R&D-project innovativeness perceptions on university-industry collaboration performance," The Journal of Technology Transfer, Springer, vol. 46(4), pages 1144-1172, August.
    20. Laurie J. Kirsch & Dong-Gil Ko & Mark H. Haney, 2010. "Investigating the Antecedents of Team-Based Clan Control: Adding Social Capital as a Predictor," Organization Science, INFORMS, vol. 21(2), pages 469-489, April.
    21. Yajiong Xue & Huigang Liang & Liansheng Wu, 2011. "Punishment, Justice, and Compliance in Mandatory IT Settings," Information Systems Research, INFORMS, vol. 22(2), pages 400-414, June.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:inm:orisre:v:26:y:2015:i:2:p:282-300. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Chris Asher (email available below). General contact details of provider: https://edirc.repec.org/data/inforea.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.