Organizations' Information Security Policy Compliance: Stick or Carrot Approach?
Publication type:
Article
Authors:
Chen, Yan; Ramamurthy, K. (Ram); Wen, Kuang-Wei
Affiliations:
University of Wisconsin System; University of Wisconsin La Crosse; University of Wisconsin System; University of Wisconsin Milwaukee; University of Wisconsin System; University of Wisconsin La Crosse
Journal:
JOURNAL OF MANAGEMENT INFORMATION SYSTEMS
ISSN/ISBN:
0742-1222
DOI:
10.2753/MIS0742-1222290305
Publication date:
2012
Pages:
157-188
Keywords:
software piracy
systems
reward
PUNISHMENT
beliefs
ETHICS
COMPENSATION
TECHNOLOGY
deterrence
motivation
Abstract:
Companies' information security efforts are often threatened by employee negligence and insider breach. To deal with these insider issues, this study draws on the compliance theory and the general deterrence theory to propose a research model in which the relations among coercive control, which has been advocated by scholars and widely practiced by companies; remunerative control, which is generally missing in both research and practice; and certainty of control are studied. A Web-based field experiment involving real-world employees in their natural settings was used to empirically test the model. While lending further support to the general deterrence theory, our findings highlight that reward enforcement, a remunerative control mechanism in the information systems security context, could be an alternative for organizations where sanctions do not successfully prevent violation. The significant interactions between punishment and reward found in the study further indicate a need for a more comprehensive enforcement system that should include a reward enforcement scheme through which the organizational moral standards and values are established or reemphasized. The findings of this study can potentially be used to guide the design of more effective security enforcement systems that encompass remunerative control mechanisms.