The Role of Extra-role Behaviors and Social controls in Information Security Policy Effectiveness

Research output: Journal Publications and Reviews (RGC: 21, 22, 62)21_Publication in refereed journalNot applicablepeer-review

56 Scopus Citations
View graph of relations

Author(s)

  • J S C HSU
  • S P SHIH
  • Y W HUNG
  • Paul Benjamin LOWRY

Related Research Unit(s)

Detail(s)

Original languageEnglish
Pages (from-to)282-300 -
Journal / PublicationInformation Systems Research
Volume26
Issue number2
Early online date19 Jun 2015
Publication statusPublished - Jun 2015

Abstract

Although most behavioral security studies focus on organizational in-role behaviors such as information security policy (ISP) compliance, the effect of organizational extra-role behaviors — security behaviors that benefit organizations but are not specified in ISPs — has long been overlooked. This study examines (1) the consequences of organizational in-role and extra-role security behaviors on the effectiveness of ISPs and (2) the role of formal and social controls in enhancing in-role and extra-role security behaviors in organizations. We propose that both in-role security behaviors and extra-role security behaviors contribute to ISP effectiveness. Furthermore, based on social control theory (SCT), we hypothesize that social control can boost both in- and extra-role security behaviors. Data collected from practitioners — including IS managers and employees at many organizations — confirmed most of our hypotheses. Survey data from IS managers substantiated the importance of extra-role behaviors in improving ISP effectiveness. Paired data, collected from managers and employees in the same organizations, indicated that formal control and social control individually and interactively enhance both in- and extra-role security behaviors. We conclude by discussing the implications of this research for academics and practitioners, along with compelling future research possibilities.

Research Area(s)

  • IS security, behavioral security, in-role behaviors, extra-role behaviors, social control theory (SCT), security management, information security policy (ISP), formal control, social control, organizations

Citation Format(s)

The Role of Extra-role Behaviors and Social controls in Information Security Policy Effectiveness. / HSU, J S C; SHIH, S P; HUNG, Y W; LOWRY, Paul Benjamin.

In: Information Systems Research, Vol. 26, No. 2, 06.2015, p. 282-300 -.

Research output: Journal Publications and Reviews (RGC: 21, 22, 62)21_Publication in refereed journalNot applicablepeer-review