Out of Fear or Desire: Why do Employees Follow Information Systems Security Policies?

Two well-grounded motivational models—command-and-control and self-regulation, which are viewed as competing explanations of why individuals follow rules (Tyler and Blader 2005)—are used as conceptual lenses through which to view employees’ adherence to information systems security policy (ISSP). Specifically, we aim to identify specific factors drawn from each of the two competing approaches that determine the level of employees’ adherence to their organization’s ISSP, and to develop and empirically test a conceptual model based on the two groups of determinants to be identified. Further, we will compare the relative efficacy of the two approaches to predict each of the two types of ISSP adherence behaviors. Our conceptual arguments will be tested with data to be collected via a survey in large-scale field studies. When completed, the results of this proposed study should contribute to the literature of corporate security management by advancing our knowledge of the central determinants of employees’ adherence to ISSP. Gaining such an understanding will also be managerially important because organizations can design more effective security training and education programs to promote their employees’ adherence behaviors related to ISSP.