We examine elements of control and introduce the concept of ‘mandatoriness,’ which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is effective in motivating individuals to take security precautions, thus if individuals believe that management watches, they will comply.
Construct | Cites | Category | Questions given? | Content validity | Pretests | Response type | Notes |
---|---|---|---|---|---|---|---|
Specification | Kirsch, 1996, Cardinal, 2001 | | yes | feedback from 28 MBA students | pilot with 80 employees | 7-point Likert-type scale | |
Evaluation | Cardinal, 2001, Eisenhardt, 1985 | | yes | feedback from 28 MBA students | pilot with 80 employees | 7-point Likert-type scale | |
Reward | Kirsch, 1996, Cardinal, 2001 | | yes | feedback from 28 MBA students | pilot with 80 employees | 7-point Likert-type scale | |
Mandatoriness | Kirsch, 1996, Cardinal, 2001, Chae, 2005, Hartwick, 1994 | | yes | feedback from 28 MBA students | pilot with 80 employees | 7-point Likert-type scale | |
General precautions | NEW | | yes | feedback from 28 MBA students | pilot with 80 employees | 7-point Likert-type scale | |
Computer self-efficacy | Compeau, 1995 | | yes | feedback from 28 MBA students | pilot with 80 employees | 7-point Likert-type scale | |
Apathy | NEW | | yes | feedback from 28 MBA students | pilot with 80 employees | 7-point Likert-type scale | |
Scott R. Boss, Laurie J. Kirsch, Ingo Angermeier, Raymond A. Shingler, and R. Wayne Boss. If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security. European Journal of Information Systems, 18(2):151–164, April 2009. doi:10.1057/ejis.2009.8.
@article{boss_if_2009,
abstract = {Information security has become increasingly important to organizations. Despite the prevalence of technical security measures, individual employees remain the key link \textendash{} and frequently the weakest link \textendash{} in corporate defenses. When individuals choose to disregard security policies and procedures, the organization is at risk. How, then, can organizations motivate their employees to follow security guidelines? Using an organizational control lens, we build a model to explain individual information security precaution-taking behavior. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of `mandatoriness,' which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is effective in motivating individuals to take security precautions, thus if individuals believe that management watches, they will comply.},
author = {Boss, Scott R. and Kirsch, Laurie J. and Angermeier, Ingo and Shingler, Raymond A. and Boss, R. Wayne},
doi = {10.1057/ejis.2009.8},
issn = {0960-085X, 1476-9344},
journal = {European Journal of Information Systems},
language = {en},
month = {April},
number = {2},
pages = {151-164},
shorttitle = {If Someone Is Watching, {{I}}'ll Do What {{I}}'m Asked},
title = {If Someone Is Watching, {{I}}'ll Do What {{I}}'m Asked: Mandatoriness, Control, and Information Security},
volume = {18},
year = {2009}
}