The Role of Extra-Role Behaviors and Social Controls in Information Security Policy Effectiveness

Article

Hsu, Jack Shih-Chieh; Shih, Sheng-Pao; Hung, Yu Wen; Lowry, Paul Benjamin

National Sun Yat Sen University; Tamkang University; City University of Hong Kong

INFORMATION SYSTEMS RESEARCH

1047-7047

10.1287/isre.2015.0569

2015

282-300

Although most behavioral security studies focus on organizational in-role behaviors such as information security policy (ISP) compliance, the role of organizational extra-role behaviors-security behaviors that benefit organizations but are not specified in ISPs-has long been overlooked. This study examines (1) the consequences of organizational in-role and extra-role security behaviors on the effectiveness of ISPs and (2) the role of formal and social controls in enhancing in-role and extra-role security behaviors in organizations. We propose that both in-role security behaviors and extra-role security behaviors contribute to ISP effectiveness. Furthermore, based on social control theory, we hypothesize that social control can boost both in-and extra-role security behaviors. Data collected from practitioners-including information systems (IS) managers and employees at many organizations-confirmed most of our hypotheses. Survey data from IS managers substantiated the importance of extra-role behaviors in improving ISP effectiveness. Paired data, collected from managers and employees in the same organizations, indicated that formal control and social control individually and interactively enhance both in-and extra-role security behaviors. We conclude by discussing the implications of this research for academics and practitioners, along with compelling future research possibilities.