Theorizing the Behavioral Effects of Control Complementarity in Security Control Portfolios
Information Systems Frontiers (IF 6.9), Pub Date: 2021-02-09, DOI: 10.1007/s10796-021-10113-z
Jeffrey D. Wall, Prashant Palvia, John D’Arcy

Employees are a major cause of information security vulnerabilities and breaches. Organizations implement controls, such as information security policies, fear appeals, and computer monitoring, to manage the security threats that employees pose. Behavioral information security research seeks to understand how these security controls influence employees’ behaviors. In practice, organizations adopt many coexisting security controls in security control portfolios (SCPs). Unfortunately, the complexities of SCPs are not well understood in the information security literature. To assist in studying SCPs, we present a typology and a theoretical model of security control grounded in an extension of control theory. We identify twelve types of security controls that can exist in practice based on three important control dimensions. We develop a number of propositions to explain how the complementarity of security controls in SCPs affects motivation to protect information. Our efforts produce a behaviorally grounded extension of control theory that is well suited for studying individual-level security behavior governed by complex SCPs.




Updated: 2021-02-10