THREE ESSAYS ON INFORMATION SECURITY POLICY COMPLIANCE: THE ROLE OF SOCIAL INFLUENCE

Abstract

Motivating employees to comply with information security policies (ISP) is a major challenge for organizations. Employees who do not comply with these policies can impose a serious threat to the safety of organizational information assets. Information security scholars drawing upon several theories have investigated various factors that can help motivate employees to comply with the ISP. Among many factors, social influence proved to be an effective force in motivating employee compliance behavior. However, its role and various effects on employee ISP compliance as well as its utilization mechanisms have not been deeply investigated. This dissertation is a collection of three papers addressing a series of related questions including (1) through which psychological processes social influence may be internalized and then affect employee compliance; (2) how social influence, at both organizational micro and macro level, alter the effectiveness of well-established motivational rule-following models; and finally (3) how we can utilize social influence to successfully motivate employees to comply. Accordingly, the first essay focuses on how personal norms regarding ISP affect employee compliance. In particular, it examines how such norms are shaped and activated to motivate employee compliance. In addition, the second essay introduces a social contingency model proposing that the well-established rule-following approaches of command-and-control and self- 5 regulatory are contingent upon organizational rules ethical climate as well as employee susceptibility to interpersonal influence. Finally, the third essay discusses the role of collective responsibility and peer monitoring in motivating ISP compliance.