Information Systems Research, 2015, Volume 26,
Issue 2, Page 282-300.
Although most behavioral security studies focus on organizational in-role behaviors such as information security policy (ISP) compliance, the role of organizational extra-role behaviorsÑsecurity behaviors that benefit organizations but are not specified in ISPsÑhas long been overlooked. This study examines (1) the consequences of organizational in-role and extra-role security behaviors on the effectiveness of ISPs and (2) the role of formal and social controls in enhancing in-role and extra-role security behaviors in organizations. We propose that both in-role security behaviors and extra-role security behaviors contribute to ISP effectiveness. Furthermore, based on social control theory, we hypothesize that social control can boost both in- and extra-role security behaviors. Data collected from practitionersÑincluding information systems (IS) managers and employees at many organizationsÑconfirmed most of our hypotheses. Survey data from IS managers substantiated the importance of extra-role behaviors in improving ISP effectiveness. Paired data, collected from managers and employees in the same organizations, indicated that formal control and social control individually and interactively enhance both in- and extra-role security behaviors. We conclude by discussing the implications of this research for academics and practitioners, along with compelling future research possibilities.
Keywords: IS security ; behavioral security ; in-role behaviors ; extra-role behaviors ; social control theory ; SCT ; security management ; information security policy ; ISP ; formal control ; social control ; organizations