The Role of Extra-role Behaviors and Social controls in Information Security Policy Effectiveness

Although most behavioral security studies focus on organizational in-role behaviors such as information security policy (ISP) compliance, the effect of organizational extra-role behaviors — security behaviors that benefit organizations but are not specified in ISPs — has long been overlooked. This study examines (1) the consequences of organizational in-role and extra-role security behaviors on the effectiveness of ISPs and (2) the role of formal and social controls in enhancing in-role and extra-role security behaviors in organizations. We propose that both in-role security behaviors and extra-role security behaviors contribute to ISP effectiveness. Furthermore, based on social control theory (SCT), we hypothesize that social control can boost both in- and extra-role security behaviors. Data collected from practitioners — including IS managers and employees at many organizations — confirmed most of our hypotheses. Survey data from IS managers substantiated the importance of extra-role behaviors in improving ISP effectiveness. Paired data, collected from managers and employees in the same organizations, indicated that formal control and social control individually and interactively enhance both in- and extra-role security behaviors. We conclude by discussing the implications of this research for academics and practitioners, along with compelling future research possibilities.