Managerial Control Effects on Information Security Policy Compliance Intentions: Considerations of Formal and Informal Modes of Control

With the continued advancement in computer and digital technologies, companies, institutions, and organizations worldwide have leveraged new information technology to increase efficiency and effectiveness for all aspects of their business functions. Oftentimes, the information processed and stored on information systems poses an information security risk to the organization, employees, and clients alike. Therefore, a comprehensive and effective information security management program is essential to protecting data from accidental or intentional exposure to actors who wish to gain access to data to make a profit by selling the information to the highest bidder, utilize the stolen data for their own internal research and development, or use the data to damage a targeted institution for nefarious motives. Employees’ compliance with corporate information security policies is a necessary component to the success of the corporate information security management program. In this study, I adopted the control theory and developed a research model to explain how formal and informal organizational controls affect employees’ intentions to comply with information security policies. To test the model, I collected data from 303 respondents about their perceptions of their organizations’ formal and informal control modes along with their respective intentions to comply with information security policies. SEM-PLS analysis provided results that were only partially in consonance with previous studies and showed some additive effects when control modes were combined into a single model. I found clan control (informal) to have a significant and positive effect. I also found that adding the informal control modes into the model resulted in a different effect by rendering input control (formal) and self-control (informal) insignificant and changing the direction of the relationship of outcome control (formal) and behavior control (formal). In turn, these findings can help organizations set up proper controls to protect themselves from cyber threats and establish the most effective methods of control based on organizational context and control theory to ensure employees’ compliance with the established information security policies of their organizations.