Explaining Opposing Compliance Motivations towards Organizational Information Security Policies

Lack of compliance with organizational information security policies (ISPOs) is a widespread organizational issue that increasingly bears very large direct and qualitative costs. The purpose of our study was to explain the causes of tensions within organizations to either comply with new ISPOs or react negatively against them. To do so, we proposed an innovative model, which pits organizational control theory, as a force that explains ISPO compliance, against reactance theory, as a force that explains ISPO noncompliance and anger toward organizations. To test the model, we used a sample of 320 working professionals in a variety of industries to examine the likely organizational outcomes when a new ISPO is delivered to employees in the form of a typical memo sent throughout an organization. We found support for our newly proposed model, which is an important contribution to research on organizational security practices.