Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis

Jing Liu; Jun Zhang; Jingzhi Zhang

Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis

Jing Liu, Jun Zhang^*, Jingzhi Zhang

^*Corresponding author for this work

Department of Information Systems

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

2 Citations (Scopus)

Abstract

Employees are regarded as the weakest link in organizations' information security management, and their security compliance is crucial in determining organizations' information security success. Prior literature has extensively investigated the influences of formal management controls (i.e. deterrence, rewards, and monitoring) on employees' security compliance; however, other control mechanisms such as social control and self-control have drawn less attention. In this study, we proposed a taxonomy of the formal and informal control mechanisms used in security management, and proposed an integrative, control-based model to understand employees' security compliance behaviors. We further validated the model with a meta-analysis. Our model was largely supported by the meta-analysis results. We found informal social controls and self-control to be more effective in promoting security compliance than formal controls. In addition, we found that the influences of formal and informal controls on security compliance were moderated by the eastern / western culture context.

Original language	English
Title of host publication	International Conference on Information Systems 2019 Proceedings
Publisher	Association for Information Systems
ISBN (Electronic)	9780996683197
Publication status	Published - Dec 2019
Event	40th International Conference on Information Systems (ICIS 2019) - Internationales Congress Center München (ICM), Munich, Germany Duration: 15 Dec 2019 → 18 Dec 2019 https://icis2019.aisconferences.org/ https://aisel.aisnet.org/icis2019/

Publication series

Name	International Conference on Information Systems, ICIS

Conference

Conference	40th International Conference on Information Systems (ICIS 2019)
Place	Germany
City	Munich
Period	15/12/19 → 18/12/19
Internet address	https://icis2019.aisconferences.org/ https://aisel.aisnet.org/icis2019/

Research Keywords

Deterrence
Formal control
Informal control
Information security
Meta-analysis
Policy compliance

Access Output

https://aisel.aisnet.org/icis2019/cyber_security_privacy_ethics_IS/cyber_security_privacy/26/

Other Access Options

Check CityUHK Library

Permanent Link

Right click to copy link

Cite this

Liu, J., Zhang, J., & Zhang, J. (2019). Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis. In International Conference on Information Systems 2019 Proceedings Article 1391 (International Conference on Information Systems, ICIS). Association for Information Systems. https://aisel.aisnet.org/icis2019/cyber_security_privacy_ethics_IS/cyber_security_privacy/26/

@inproceedings{047c83356ca7477d99b85e2ac0af2af7,

title = "Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis",

abstract = "Employees are regarded as the weakest link in organizations' information security management, and their security compliance is crucial in determining organizations' information security success. Prior literature has extensively investigated the influences of formal management controls (i.e. deterrence, rewards, and monitoring) on employees' security compliance; however, other control mechanisms such as social control and self-control have drawn less attention. In this study, we proposed a taxonomy of the formal and informal control mechanisms used in security management, and proposed an integrative, control-based model to understand employees' security compliance behaviors. We further validated the model with a meta-analysis. Our model was largely supported by the meta-analysis results. We found informal social controls and self-control to be more effective in promoting security compliance than formal controls. In addition, we found that the influences of formal and informal controls on security compliance were moderated by the eastern / western culture context.",

keywords = "Deterrence, Formal control, Informal control, Information security, Meta-analysis, Policy compliance",

author = "Jing Liu and Jun Zhang and Jingzhi Zhang",

year = "2019",

month = dec,

language = "English",

series = "International Conference on Information Systems, ICIS",

publisher = "Association for Information Systems",

booktitle = "International Conference on Information Systems 2019 Proceedings",

address = "United States",

note = "40th International Conference on Information Systems (ICIS 2019) ; Conference date: 15-12-2019 Through 18-12-2019",

url = "https://icis2019.aisconferences.org/, https://aisel.aisnet.org/icis2019/",

}

Liu, J, Zhang, J & Zhang, J 2019, Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis. in International Conference on Information Systems 2019 Proceedings., 1391, International Conference on Information Systems, ICIS, Association for Information Systems, 40th International Conference on Information Systems (ICIS 2019), Munich, Germany, 15/12/19. <https://aisel.aisnet.org/icis2019/cyber_security_privacy_ethics_IS/cyber_security_privacy/26/>

Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis. / Liu, Jing; Zhang, Jun; Zhang, Jingzhi.
International Conference on Information Systems 2019 Proceedings. Association for Information Systems, 2019. 1391 (International Conference on Information Systems, ICIS).

Research output: Chapters, Conference Papers, Creative and Literary Works › RGC 32 - Refereed conference paper (with host publication) › peer-review

TY - GEN

T1 - Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis

AU - Liu, Jing

AU - Zhang, Jun

AU - Zhang, Jingzhi

PY - 2019/12

Y1 - 2019/12

N2 - Employees are regarded as the weakest link in organizations' information security management, and their security compliance is crucial in determining organizations' information security success. Prior literature has extensively investigated the influences of formal management controls (i.e. deterrence, rewards, and monitoring) on employees' security compliance; however, other control mechanisms such as social control and self-control have drawn less attention. In this study, we proposed a taxonomy of the formal and informal control mechanisms used in security management, and proposed an integrative, control-based model to understand employees' security compliance behaviors. We further validated the model with a meta-analysis. Our model was largely supported by the meta-analysis results. We found informal social controls and self-control to be more effective in promoting security compliance than formal controls. In addition, we found that the influences of formal and informal controls on security compliance were moderated by the eastern / western culture context.

AB - Employees are regarded as the weakest link in organizations' information security management, and their security compliance is crucial in determining organizations' information security success. Prior literature has extensively investigated the influences of formal management controls (i.e. deterrence, rewards, and monitoring) on employees' security compliance; however, other control mechanisms such as social control and self-control have drawn less attention. In this study, we proposed a taxonomy of the formal and informal control mechanisms used in security management, and proposed an integrative, control-based model to understand employees' security compliance behaviors. We further validated the model with a meta-analysis. Our model was largely supported by the meta-analysis results. We found informal social controls and self-control to be more effective in promoting security compliance than formal controls. In addition, we found that the influences of formal and informal controls on security compliance were moderated by the eastern / western culture context.

KW - Deterrence

KW - Formal control

KW - Informal control

KW - Information security

KW - Meta-analysis

KW - Policy compliance

UR - http://www.scopus.com/inward/record.url?scp=85114902355&partnerID=8YFLogxK

UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85114902355&origin=recordpage

M3 - RGC 32 - Refereed conference paper (with host publication)

T3 - International Conference on Information Systems, ICIS

BT - International Conference on Information Systems 2019 Proceedings

PB - Association for Information Systems

T2 - 40th International Conference on Information Systems (ICIS 2019)

Y2 - 15 December 2019 through 18 December 2019

ER -

Validating a Control-Based Model of Information Security Policy Compliance – A Meta-Analysis

Abstract

Publication series

Conference

Research Keywords

Access Output

Other Access Options

Permanent Link

Other Files and Links

Fingerprint

Cite this