Document Type



Doctor of Business Administration


<--Please Select Department-->

First Advisor's Name

George Marakas

First Advisor's Committee Title

Committee Chair

Second Advisor's Name

Yan Chen

Second Advisor's Committee Title

Committee Member

Third Advisor's Name

Shen Guo

Third Advisor's Committee Title

Committee Member

Fourth Advisor's Name

Min Chen

Fourth Advisor's Committee Title

Committee Member


Control Theory, Formal Control, Informal Control, Input Control, Outcome Control, Behavior Control, Clan Control, Self-Control, Information Security Policy Compliance Intentions, Structure Equation Modeling

Date of Defense



With the continued advancement in computer and digital technologies, companies, institutions, and organizations worldwide have leveraged new information technology to increase efficiency and effectiveness for all aspects of their business functions. Oftentimes, the information processed and stored on information systems poses an information security risk to the organization, employees, and clients alike. Therefore, a comprehensive and effective information security management program is essential to protecting data from accidental or intentional exposure to actors who wish to gain access to data to make a profit by selling the information to the highest bidder, utilize the stolen data for their own internal research and development, or use the data to damage a targeted institution for nefarious motives. Employees’ compliance with corporate information security policies is a necessary component to the success of the corporate information security management program. In this study, I adopted the control theory and developed a research model to explain how formal and informal organizational controls affect employees’ intentions to comply with information security policies. To test the model, I collected data from 303 respondents about their perceptions of their organizations’ formal and informal control modes along with their respective intentions to comply with information security policies. SEM-PLS analysis provided results that were only partially in consonance with previous studies and showed some additive effects when control modes were combined into a single model. I found clan control (informal) to have a significant and positive effect. I also found that adding the informal control modes into the model resulted in a different effect by rendering input control (formal) and self-control (informal) insignificant and changing the direction of the relationship of outcome control (formal) and behavior control (formal). In turn, these findings can help organizations set up proper controls to protect themselves from cyber threats and establish the most effective methods of control based on organizational context and control theory to ensure employees’ compliance with the established information security policies of their organizations.





Rights Statement

Rights Statement

In Copyright. URI:
This Item is protected by copyright and/or related rights. You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).