Abstract
Employees are a major source of information security vulnerabilities and breaches. Organizations implement controls such as information security policies, fear appeals, and computer monitoring to manage the security threats that employees pose. Behavioral information security research seeks to understand how these security controls influence employees’ behaviors. In practice, organizations adopt many coexisting security controls, forming security control portfolios (SCPs). Unfortunately, the complexities of SCPs are not well understood in the information security literature. To assist in studying SCPs, we present a typology and a theoretical model of security control grounded in an extension of control theory. We identify twelve types of security control that can exist in practice, based on three important control dimensions. We develop a number of propositions to explain how the complementarity of security controls in SCPs affects motivation to protect information. Our efforts produce a behaviorally grounded extension of control theory that is well suited to studying individual-level security behavior governed by complex SCPs.
Appendices
Comparison of Revised Typology with Traditional Control Typologies
Tables of Security Control Types with Examples
Cite this article
Wall, J.D., Palvia, P. & D’Arcy, J. Theorizing the Behavioral Effects of Control Complementarity in Security Control Portfolios. Inf Syst Front 24, 637–658 (2022). https://doi.org/10.1007/s10796-021-10113-z