Control-Related Motivations and Information Security Policy Compliance: The Role of Autonomy and Efficacy

Abstract

Employees' failures to follow information security policy can be costly to organizations, causing organizations to implement security controls to motivate secure behavior. Information security research has explored many control-related motivations (e.g., self-efficacy, response efficacy, and behavioral control) in the context of ISP compliance; however, the behavioral effects of perceptions of autonomous functioning are not well understood in security contexts. This paper examines employee autonomy as a control-related motivation from the lens of self-determination theory and psychological reactance theory. Self-determination theory is widely used in other disciplines to explain intrinsically driven behavior, but has not been applied to security research. Psychological reactance theory is also widely used, but is only beginning to receive attention in security research. Self-determination and psychological reactance offer complementary yet opposite conceptualizations of trait-based autonomy. This paper posits that perceptions of trait-based autonomy influence self-efficacy and response efficacy. Through a survey of government employees, we provide support for several hypotheses. We also discuss important directions for the use of self-determination theory and psychological reactance theory in future research.