With the rapid development of computer-based information systems in China, securing organizational systems as information assets is central to achieving a strategic advantage. Because information security (IS) experts with database access are the weakest link in the IS chain, scholarly contributions are needed in this important area. The interpretations of widespread data breaches committed by organizations’ information security experts have significant grounding. Drawing on social control theory, we propose a research framework to examine formal control, informal control, and self-control systems that can affect IS professionals’ perceptions and IS behaviors in Chinese IT organizations. We use in-depth interviews with IS professionals in Wuhan, Beijing, and Shenzhen to answer research questions relating to the research framework. The study’s primary contribution is to go beyond the extant IS research, which concentrates on sanction-based deterrence, and identify multiple dimensions rooted in social control perspectives. Based on interviews with practitioners and researchers, this study further advances our understanding of IS control deviance using information management and communication-related approaches.