Control-Related Motivations and Information Security Policy Compliance: The Effect of Reflective and Reactive Autonomy

Employees’ failures to follow information security policy can be costly to organizations. Organizations implement security controls in order to motivate employees. Many control-related motivations have been explored in information security research (e.g., self-efficacy and behavioral control); however, self-determination has yet to receive attention. Selfdetermination theory is widely used in other fields to explain intrinsically driven performance. This paper examines the effect self-determination—conceptualized as reflective autonomy, and psychological reactance—conceptualized as reactive autonomy have on employees’ intentions to comply with security policy. Reflective and reactive autonomy offer complementary yet opposite conceptualizations of autonomy, offering a more holistic view of control-related motivation. We find that both reflective and reactive autonomy affect information security policy compliance intentions. Reflective autonomy increases and reactive autonomy decreases compliance intentions. Managers should become aware of the way employees view security controls in order to develop controls that maximize reflective autonomy and minimize reactive autonomy in employees.