IDEAS home Printed from https://ideas.repec.org/a/spr/infosf/v24y2022i2d10.1007_s10796-021-10113-z.html
   My bibliography  Save this article

Theorizing the Behavioral Effects of Control Complementarity in Security Control Portfolios

Author

Listed:
  • Jeffrey D. Wall

    (Michigan Technological University)

  • Prashant Palvia

    (The University of North Carolina at Greensboro)

  • John D’Arcy

    (University of Delaware)

Abstract

Employees are a major cause of information security vulnerabilities and breaches. Organizations implement controls, such as information security policies, fear appeals, and computer monitoring, to manage the security threats that employees pose. Behavioral information security research seeks to understand how these security controls influence employees’ behaviors. In practice, organizations adopt many coexisting security controls in security control portfolios (SCPs). Unfortunately, the complexities of SCPs are not well understood in the information security literature. To assist in studying SCPs, we present a typology and a theoretical model of security control grounded in an extension of control theory. We identify twelve types of security controls that can exist in practice based on three important control dimensions. We develop a number of propositions to explain how the complementarity of security controls in SCPs affect motivation to protect information. Our efforts produce a behaviorally grounded extension of control theory that is well suited for studying individual-level security behavior governed by complex SCPs.

Suggested Citation

  • Jeffrey D. Wall & Prashant Palvia & John D’Arcy, 2022. "Theorizing the Behavioral Effects of Control Complementarity in Security Control Portfolios," Information Systems Frontiers, Springer, vol. 24(2), pages 637-658, April.
  • Handle: RePEc:spr:infosf:v:24:y:2022:i:2:d:10.1007_s10796-021-10113-z
    DOI: 10.1007/s10796-021-10113-z
    as

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s10796-021-10113-z
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.

    File URL: https://libkey.io/10.1007/s10796-021-10113-z?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Laurie J. Kirsch, 1996. "The Management of Complex Tasks in Organizations: Controlling the Systems Development Process," Organization Science, INFORMS, vol. 7(1), pages 1-21, February.
    2. Yajiong Xue & Huigang Liang & Liansheng Wu, 2011. "Punishment, Justice, and Compliance in Mandatory IT Settings," Information Systems Research, INFORMS, vol. 22(2), pages 400-414, June.
    3. Detmar W. Straub, 1990. "Effective IS Security: An Empirical Study," Information Systems Research, INFORMS, vol. 1(3), pages 255-276, September.
    4. M. Lynne Markus & Frantz Rowe, 2018. "Is IT changing the world?," Post-Print hal-03716243, HAL.
    5. Hwee-Joo Kam & Thomas Mattson & Sanjay Goel, 2020. "A Cross Industry Study of Institutional Pressures on Organizational Effort to Raise Information Security Awareness," Information Systems Frontiers, Springer, vol. 22(5), pages 1241-1264, October.
    6. William G. Ouchi, 1979. "A Conceptual Framework for the Design of Organizational Control Mechanisms," Management Science, INFORMS, vol. 25(9), pages 833-848, September.
    7. Robert E. Crossler & France Bélanger & Dustin Ormond, 2019. "The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats," Information Systems Frontiers, Springer, vol. 21(2), pages 343-357, April.
    8. John D’Arcy & Anat Hovav, 2009. "Does One Size Fit All? Examining the Differential Effects of IS Security Countermeasures," Journal of Business Ethics, Springer, vol. 89(1), pages 59-71, May.
    9. Kathleen M. Eisenhardt, 1985. "Control: Organizational and Economic Approaches," Management Science, INFORMS, vol. 31(2), pages 134-149, February.
    10. A. J. Burns & Clay Posey & James F. Courtney & Tom L. Roberts & Prabhashi Nanayakkara, 2017. "Organizational information security as a complex adaptive system: insights from three agent-based models," Information Systems Frontiers, Springer, vol. 19(3), pages 509-524, June.
    11. Laurie S. Kirsch, 1997. "Portfolios of Control Modes and IS Project Management," Information Systems Research, INFORMS, vol. 8(3), pages 215-239, September.
    12. Laurie J. Kirsch, 2004. "Deploying Common Systems Globally: The Dynamics of Control," Information Systems Research, INFORMS, vol. 15(4), pages 374-395, December.
    13. Laurie J. Kirsch & V. Sambamurthy & Dong-Gil Ko & Russell L. Purvis, 2002. "Controlling Information Systems Development Projects: The View from the Client," Management Science, INFORMS, vol. 48(4), pages 484-498, April.
    14. Jeffrey D. Wall & Prashant Palvia & Paul Benjamin Lowry, 2013. "Control-Related Motivations and Information Security Policy Compliance: The Role of Autonomy and Efficacy," Journal of Information Privacy and Security, Taylor & Francis Journals, vol. 9(4), pages 52-79, October.
    15. Simon Trang & Benedikt Brendel, 2019. "A Meta-Analysis of Deterrence Theory in Information Security Policy Compliance Research," Information Systems Frontiers, Springer, vol. 21(6), pages 1265-1284, December.
    16. Roland Bénabou & Jean Tirole, 2003. "Intrinsic and Extrinsic Motivation," The Review of Economic Studies, Review of Economic Studies Ltd, vol. 70(3), pages 489-520.
    17. Gregory D. Moody & Laurie J. Kirsch & Sandra A. Slaughter & Brian Kimball Dunn & Qin Weng, 2016. "Facilitating the Transformational: An Exploration of Control in Cyberinfrastructure Projects and the Discovery of Field Control," Information Systems Research, INFORMS, vol. 27(2), pages 324-346, June.
    18. John D'Arcy & Anat Hovav & Dennis Galletta, 2009. "User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach," Information Systems Research, INFORMS, vol. 20(1), pages 79-98, March.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Huigang Liang & Yajiong Xue & Liansheng Wu, 2013. "Ensuring Employees' IT Compliance: Carrot or Stick?," Information Systems Research, INFORMS, vol. 24(2), pages 279-294, June.
    2. Sandeep Rustagi & William R. King & Laurie J. Kirsch, 2008. "Predictors of Formal Control Usage in IT Outsourcing Partnerships," Information Systems Research, INFORMS, vol. 19(2), pages 126-143, June.
    3. Jack Shih-Chieh Hsu & Sheng-Pao Shih & Yu Wen Hung & Paul Benjamin Lowry, 2015. "The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness," Information Systems Research, INFORMS, vol. 26(2), pages 282-300, June.
    4. Pankaj Nagpal & Andreas I. Nicolaou & Kalle Lyytinen, 2014. "Outsourcing And Market Value Of The Firm: Toward A Comprehensive Model," Intelligent Systems in Accounting, Finance and Management, John Wiley & Sons, Ltd., vol. 21(1), pages 19-38, January.
    5. Anandasivam Gopal & Sanjay Gosain, 2010. "Research Note ---The Role of Organizational Controls and Boundary Spanning in Software Development Outsourcing: Implications for Project Performance," Information Systems Research, INFORMS, vol. 21(4), pages 960-982, December.
    6. Laurie J. Kirsch & Dong-Gil Ko & Mark H. Haney, 2010. "Investigating the Antecedents of Team-Based Clan Control: Adding Social Capital as a Predictor," Organization Science, INFORMS, vol. 21(2), pages 469-489, April.
    7. Likoebe M. Maruping & Viswanath Venkatesh & Ritu Agarwal, 2009. "A Control Theory Perspective on Agile Methodology Use and Changing User Requirements," Information Systems Research, INFORMS, vol. 20(3), pages 377-399, September.
    8. Christian Jung-Gehling & Erik Strauss, 2018. "A Contemporary Concept of Organizational Control: Its Dependence on Shared Values and Impact on Motivation," Schmalenbach Business Review, Springer;Schmalenbach-Gesellschaft, vol. 70(4), pages 341-374, November.
    9. Rob Gleasure & Kieran Conboy & Lorraine Morgan, 2019. "Talking Up a Storm: How Backers Use Public Discourse to Exert Control in Crowdfunded Systems Development Projects," Information Systems Research, INFORMS, vol. 30(2), pages 447-465, June.
    10. Donghwan Cho, 2019. "Exploring the Ambivalent Effects of Control Modes on Project Performance Dimensions in Software Development Outsourcing," International Journal of Business and Social Research, MIR Center for Socio-Economic Research, vol. 9(1), pages 1-7, January.
    11. Gregory D. Moody & Laurie J. Kirsch & Sandra A. Slaughter & Brian Kimball Dunn & Qin Weng, 2016. "Facilitating the Transformational: An Exploration of Control in Cyberinfrastructure Projects and the Discovery of Field Control," Information Systems Research, INFORMS, vol. 27(2), pages 324-346, June.
    12. Vivek Choudhury & Rajiv Sabherwal, 2003. "Portfolios of Control in Outsourced Software Development Projects," Information Systems Research, INFORMS, vol. 14(3), pages 291-314, September.
    13. Alex Estevam & Denis Dennehy & Kieran Conboy, 2022. "Using Flow Tools to Enact Control in Software Development Projects: A Cross-case Analysis," Information Systems Frontiers, Springer, vol. 24(1), pages 287-304, February.
    14. Donghwan Cho, 2019. "Exploring the Ambivalent Effects of Control Modes on Project Performance Dimensions in Software Development Outsourcing," International Journal of Business and Social Research, LAR Center Press, vol. 9(1), pages 1-7, January.
    15. Chris P. Long & Sim B. Sitkin & Laura B. Cardinal & Richard M. Burton, 2015. "How controls influence organizational information processing: insights from a computational modeling investigation," Computational and Mathematical Organization Theory, Springer, vol. 21(4), pages 406-436, December.
    16. Laurie J. Kirsch, 2004. "Deploying Common Systems Globally: The Dynamics of Control," Information Systems Research, INFORMS, vol. 15(4), pages 374-395, December.
    17. Liu, Shan & Deng, Zhaohua, 2015. "How environment risks moderate the effect of control on performance in information technology projects: Perspectives of project managers and user liaisons," International Journal of Information Management, Elsevier, vol. 35(1), pages 80-97.
    18. Alan R. Dennis & Lionel P. Robert & Aaron M. Curtis & Stacy T. Kowalczyk & Bryan K. Hasty, 2012. "Research Note ---Trust Is in the Eye of the Beholder: A Vignette Study of Postevent Behavioral Controls' Effects on Individual Trust in Virtual Teams," Information Systems Research, INFORMS, vol. 23(2), pages 546-558, June.
    19. Evgheni Croitor & Dominick Werner & Martin Adam & Alexander Benlian, 2022. "Opposing effects of input control and clan control for sellers on e-marketplace platforms," Electronic Markets, Springer;IIM University of St. Gallen, vol. 32(1), pages 201-216, March.
    20. Wessel, Michael & Thies, Ferdinand & Benlian, Alexander, 2015. "The Effects of Relinquishing Control in Platform Ecosystems: Implications from a Policy Change on Kickstarter," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 75205, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:spr:infosf:v:24:y:2022:i:2:d:10.1007_s10796-021-10113-z. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Sonal Shukla or Springer Nature Abstracting and Indexing (email available below). General contact details of provider: http://www.springer.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.