Proposing the control‐reactance compliance model (CRCM) to explain opposing motivations to comply with organisational information security policies

Abstract

AbstractOrganisations increasingly rely on information and related systems, which are also a source of risk. Unfortunately, employees represent the greatest risk to organisational information because they are the most frequent source of information security breaches. To address this ‘weak link’ in organisational security, most organisations have strict information security policies (ISPs) designed to thwart employee information abuses. Regrettably, these ISPs are only partially effective because employees often ignore them, circumvent them or even do the opposite of what management desires. Research on attempts to increase ISP compliance has produced similarly mixed results. Lack of compliance with ISPs is a widespread organisational issue that increasingly bears disproportionately large direct and qualitative costs that undermine strategy.Consequently, the purpose of our study was to contribute to the understanding of both motivations to comply with new ISPs and motivations to react negatively against them. To do so, we proposed an innovative model, the control‐reactance compliance model (CRCM), which combines organisational control theory – a model that explains ISP compliance – with reactance theory – a model used to explain ISP noncompliance. To test CRCM, we used a sample of 320 working professionals in a variety of industries to examine the likely organisational outcomes of the delivery of a new ISP to employees in the form of a typical memo sent throughout an organisation. We largely found support for CRCM, and this study concludes with an explanation of the model's contributions to research and practice related to organisational ISP compliance.