Exploring the Impact of Paternalistic Leadership on Employees' Information Security Policy Compliance

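Research on the Influence Mechanism of Paternalistic Leadership on Employees' Information Security Policy Compliance Behavior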

Student thesis: Doctoral Thesis

Author(s)

Detail(s)

Awarding Institution
Supervisors/Advisors
  • Kwok Leung TSUI (Co-supervisor)
  • Kwai Sang CHIN (Supervisor)
  • Gengzhong Feng (External person) (Supervisor)
Award date: 26 Feb 2021

Abstract

ISP Compliance refers to employees’ compliance with the company’s Information Security Policies (ISP), such as locking the computer screen when leaving the desk, updating the user password frequently, not using pirated software, not using personal devices for work, and so on. However, because ISP Compliance often causes inconvenience at work and is hard to monitor, non-compliance with the ISP happens frequently. According to an investigation by The Aberdeen Group, about 64% of companies’ information security accidents are caused by employees’ non-compliance with the ISP. Therefore, understanding the factors that influence employees’ ISP Compliance and designing effective managerial strategies is an essential issue for a company’s information security management. According to the 2018 McKinsey Information Security Report, leaders with different leadership styles give employees different perceptions of the importance and feasibility of ISP Compliance, which in turn affect their ISP Compliance. Hence, leadership style is an important factor in motivating employees’ ISP Compliance. However, the existing literature has not investigated how leadership styles affect employees’ ISP Compliance.

In light of the cultural background of China, this thesis focuses on the impact of Paternalistic Leadership (PL), which is a prevalent and local leadership style in China. To reveal the impact and influencing mechanisms of PL on employees’ ISP Compliance, four studies are developed based on the Organismic Integration view from Self-determination Theory. The Structural Equation Model is applied as the main research methodology for this thesis. In addition, Social Desirability Analysis is conducted to eliminate Common Method Bias, and Non-nested Model Comparison is conducted for the Post-hoc Analysis. Based on survey data collected from 760 Chinese employees, including 314 employee-leader pair-wise data, we applied AMOS and the R language to empirically examine the theoretical models. The innovative contributions of this thesis are summarized as follows.

Firstly, this thesis proved that the three dimensions of PL, i.e., AL, BL and ML, all positively influence employees’ ISP Compliance and that the two-way interaction effects among the three dimensions are all negative. Leaders play an important role in motivating employees’ ISP Compliance. However, the existing literature only examined the impact of leaders’ information security participation and support (Moody et al. 2018, MISQ) on employees’ ISP Compliance; the impact of leadership style is overlooked. Meanwhile, though the existing literature has already proved the significant influence of PL on employees’ general compliance, ISP Compliance has its own uniqueness. For example, ISP Compliance is hard to define clearly or to list completely, the benefit of ISP Compliance is that nothing happens, complying with the ISP may cause inconvenience at work, the monitoring of ISP Compliance is difficult, and so on. Therefore, existing findings regarding general compliance can provide only limited implications for explaining how PL influences employees’ ISP Compliance. Based on these research gaps, our research proposed and found that the three dimensions of PL all have a positive impact on employees’ ISP Compliance and that their two-way interaction effects are all negative. This research supplements the existing literature, which only studied the impact of PL on employees’ general compliance and lacked in-depth investigation of the impact of PL on employees’ compliance with specific policies. With this research, we advance our overall knowledge about the effect of PL in motivating employees’ compliance.

Secondly, this thesis proved that the three dimensions of PL, i.e., AL, BL and ML, can affect employees’ perceptions of different control mechanisms (i.e., Sanction Severity and Information Security Climate), creating a sense of external pressure (External Regulation Motivation), and then motivate employees’ ISP Compliance. The existing literature mostly focused on verifying how employees’ perceptions of the control mechanisms affect their ISP Compliance (Chen et al. 2012, JMIS) but overlooked the determinant role of leaders in the implementation of control mechanisms, which can affect how employees perceive the actual magnitude of the control mechanisms. How leaders affect employees’ perceptions of the control mechanisms and thereby affect their ISP Compliance has not been explored yet. Based on the Control Mechanisms Theory, we developed a mediation effect model which describes how PL affects employees’ perceptions of the control mechanisms and then affects their ISP Compliance. Perceived Sanction Severity and Information Security Climate are adopted as the two mediators in this influencing process. The result showed that AL facilitates employees’ ISP Compliance by increasing their perception of the Sanction Severity, while BL and ML facilitate employees’ ISP Compliance by increasing their perception of the Information Security Climate.

Thirdly, this thesis proved that the BL dimension and ML dimension of PL can affect employees’ perception of Social Bond, creating a sense of self-discipline (Introjected Regulation Motivation), and then motivate employees’ ISP Compliance. The existing literature only examined how leaders’ efforts in information security activities affect employees’ ISP Compliance but overlooked how leaders’ behavior in daily routine work affects ISP Compliance. Based on Social Bond Theory, we developed a mediation effect model which describes how PL affects employees’ perception of Social Bond (a 2nd-order construct formed by four dimensions: Attachment to Leaders, Commitment to Goals, Involvement in Work and Beliefs in Norms), and then affects their ISP Compliance. The result showed that Social Bond has no mediation effect between AL and employees’ ISP Compliance, while BL and ML can facilitate employees’ ISP Compliance by increasing employees’ perception of Social Bond, which suggests that by showing their benevolence and morality in daily work interaction with employees, leaders can cultivate employees’ perception of Social Bond and then motivate their ISP Compliance.

Fourth, this thesis proved that the three dimensions of PL, i.e., AL, BL and ML, can affect employees’ perceptions of different Protection Motivation elements (i.e., Information Security Threat Severity, Threat Susceptibility, Response Efficacy, Self-efficacy and Mal-adaptive Reward), creating a sense of identification with ISP Compliance (Identified Regulation Motivation), and then motivate employees’ ISP Compliance. The existing literature mostly focused on how the form and content of information security education and communication affect employees’ perceptions of the information security threats and the coping measures but overlooked the impact of leaders, who are the organizers and instructors in information security education and communication. How leaders affect employees’ perceptions of the information security threats and the coping measures and thereby affect their ISP Compliance has not been explored yet. Based on the Protection Motivation Theory, we developed a mediation effect model which describes how PL affects employees’ perceptions of the information security threats and the coping measures and then affects their ISP Compliance. Employees’ perceptions of Information Security Threat Severity, Threat Susceptibility, Response Efficacy, Self-efficacy and Mal-adaptive Reward are adopted as the mediators in this influencing process. The result showed that AL facilitates employees’ ISP Compliance by increasing their perception of the Information Security Threat Severity, BL facilitates employees’ ISP Compliance by increasing their perceptions of the Response Efficacy and Self-efficacy, and ML facilitates employees’ ISP Compliance by decreasing their perception of the Mal-adaptive Reward and increasing their perception of the Response Efficacy.

Research areas

  • Information Security, Employees’ Behavior, Influencing Factors, Empirical Research, Leadership Style