
A Study Of The Formal Organizational Control Mechanisms For Information Security Compliance Behaviors

Posted on: 2017-03-27
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X L Wang
Full Text: PDF
GTID: 1319330488493469
Subject: Management Science and Engineering

Abstract/Summary:
It is known that employees' failure to comply with the information security policy (ISP) has resulted in a large number of information security incidents in the organizational setting. ISP compliance behaviors have been drawing much attention in recent studies. Empirical methods have mostly been used to study the influences of various factors on ISP compliance intention, i.e., the behavioral antecedent. Formal organizational control mechanisms, i.e., incentive and evaluation mechanisms, are desirable for the effective management of ISP compliance behaviors. Such mechanisms would provide a useful reference for managers to understand ISP compliance behaviors, and then to counter the threats originating from employees' ISP non-compliance.

In the present study, we first consider the situation in which the outcomes of ISP compliance behaviors can be observed at low cost. Under this situation, there exists a principal-agent problem with moral hazard concerning the employee's selection of compliance effort levels. To stimulate an individual employee to comply with the ISP at the effort level expected by her employer, three incentive mechanisms are proposed by taking into account the influence of the penalty, psychic income or employee's emphasis on scheduling, etc., involved in an optimal incentive contract.

1) An ISP compliance game model has been proposed to analyze the incentive effect of the certainty and appropriateness of penalty. In a no-penalty contract, the employee will decline to comply with the ISP if the expected payoff obtained from her non-compliance is larger than that from her outside options; in a penalty contract, an appropriate penalty will motivate her to exert the compliance effort level expected by her employer, and the employer will obtain the optimal revenue from the employee's ISP compliance behavior.

2) An optimal incentive contract model has been built to discuss the combined incentive effects of both psychic income and monetary reward. Their influences on the selection of the compliance effort level by an individual employee have been clarified by solving the principal-agent problem with moral hazard. This leads to several valuable points: (i) any psychic income potentially delivers a positive incentive on the employee's ISP compliance effort when the monetary reward is fixed; (ii) the monetary reward can be reduced if the employee perceives more psychic income; (iii) the employee will select a higher ISP compliance effort level if she perceives more psychic income; (iv) both the monetary reward and the psychic income should be reduced if the external conditions are favorable, otherwise these incentives should be increased.

3) An employee prefers to carry out her day-to-day routine job with a higher effort level when performing the ISP compliance task at the same time. ISP non-compliance frequently occurs in such a two-task organizational setting. The optimal incentive mechanism for both ISP compliance and routine job behaviors is then designed based on multi-task principal-agent theory and organizational theory. In particular, two temporal sense variables of the employee's emphasis on scheduling, corresponding to the two different tasks, are introduced into the multi-task principal-agent model to reach an optimal incentive contract. With the contract, the correlated influences of the temporal sense variables on both the optimal incentive intensity and the corresponding incentive tactic are discussed. The relationships between the incentive intensity coefficients and the two temporal sense variables have been revealed and are illustrated by numerical simulation. The optimal contract model can be used by the employer to select an appropriate incentive intensity and tactic for an employee to perform both ISP compliance and the routine job at the effort levels expected by the employer.

Under the situation that small-scale sample data of ISP compliance behaviors can be collected, three different evaluation mechanisms, along with the evaluation methods, are proposed for characterization and assessment of the compliance patterns, the incompetence, and the holistic states of employees' ISP compliance behaviors, respectively.

1) An ISP compliance Galois lattice diagram is constructed for visual representation of employees' compliance patterns. In the diagram, six kinds of compliance patterns, namely the compliance outlier, the compliance core or boundary point, the compliance subgroup, partition and equivalence, and multiple compliance containment, can be identified. These patterns have been compared with the network structure features obtained from social network analysis to show the effectiveness of the ISP compliance Galois lattice diagram.

2) The ISP compliance incompetence of an individual employee has been treated as a grey system. A grey incompetence model has been proposed to assess the degree of compliance incompetence. Therewith, two grey contextual indicators, four grey basic incompetence indicators and nine grey identification indicators are put forth for evaluating ISP compliance incompetence. The individual employee's incompetence level is then calculated. In the calculation process, the combined use of the grey incompetence model and the analytic hierarchy process gives rise to reasonable weight values for these indicators, and appropriate values are given to the grey regulation coefficient in order to reduce the negative influence of the maximum values of these indicators. The validity of the evaluation mechanism has been verified by the computed results.

3) A holistic state of ISP compliance within an organization is defined as a global description of employees' compliance performance. An entropy model based on information entropy theory is first proposed to describe the holistic states. The calculation results indicate that the holistic states cannot be distinctly specified by this model. The grey entropy method does not work, either. A discrete entropy model taking into account both the probability values of observables and their magnitudes is then proposed to evaluate the holistic states. Our calculation indicates that the holistic states can be well specified with the modified model. The information concerning the holistic states of ISP compliance behaviors within an organization is also useful for the employer to understand and control employees' ISP compliance.

The formal organizational control mechanisms obtained in this study, along with the qualitative and quantitative principles, can be adopted by information security managers to effectively control the information security compliance or non-compliance behaviors of employees in the organizational setting.
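The Galois lattice construction named under evaluation mechanism 1) above can be made concrete on a small table of employees versus the ISP requirements each was observed to satisfy. The Python below is an added example, not code or data from the dissertation: the employee-by-requirement context is constructed, and the mapping of lattice features to the dissertation's pattern names (extents of concepts with a shared requirement set as compliance subgroups, identical requirement sets as equivalence, a strict subset of requirement sets as containment) is this editor's reading of those terms, not the author's definitions.

```python
from itertools import combinations

# Constructed formal context (an assumption for this example, not the
# dissertation's data): each employee maps to the ISP requirements they were
# observed to satisfy during one audit period.
REQUIREMENTS = ("screen_lock", "strong_pw", "no_usb", "report_phish")
CONTEXT = {
    "alice": {"screen_lock", "strong_pw", "no_usb", "report_phish"},
    "bob":   {"screen_lock", "strong_pw", "no_usb"},
    "carol": {"screen_lock", "strong_pw", "no_usb"},
    "dave":  {"screen_lock", "strong_pw"},
    "erin":  {"report_phish"},
}


def extent(attrs, context=CONTEXT):
    """Galois operator on requirements: employees satisfying every requirement in attrs."""
    return frozenset(e for e, a in context.items() if attrs <= a)


def intent(employees, context=CONTEXT):
    """Galois operator on employees: requirements satisfied by every listed employee."""
    if not employees:
        return frozenset(REQUIREMENTS)
    return frozenset(set.intersection(*(set(context[e]) for e in employees)))


def concepts(context=CONTEXT):
    """All formal concepts (extent, intent). Closing every subset of employees
    under the double-prime operation enumerates the whole concept lattice;
    fine for audit-sized contexts, exponential in the number of employees."""
    found = set()
    emps = list(context)
    for r in range(len(emps) + 1):
        for subset in combinations(emps, r):
            b = intent(frozenset(subset), context)
            found.add((extent(b, context), b))
    return sorted(found, key=lambda c: (len(c[0]), sorted(c[0])))


def object_concept(employee, context=CONTEXT):
    """Smallest concept containing one employee: who else satisfies all of her requirements."""
    b = intent(frozenset([employee]), context)
    return extent(b, context), b


def compliance_subgroups(context=CONTEXT):
    """Extents of concepts with a non-empty shared requirement set and more than one member
    (read here as the 'compliance subgroup' pattern; an interpretation, not the author's)."""
    return [a for a, b in concepts(context) if b and len(a) > 1]


def equivalence_classes(context=CONTEXT):
    """Employees whose observed requirement sets are identical (read as 'equivalence')."""
    groups = {}
    for e, attrs in context.items():
        groups.setdefault(frozenset(attrs), []).append(e)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def containments(context=CONTEXT):
    """Pairs (weaker, stronger): everything the weaker employee complies with, the
    stronger also complies with, plus at least one more requirement (read as 'containment')."""
    return sorted((x, y) for x in context for y in context
                  if x != y and context[x] < context[y])


if __name__ == "__main__":
    for a, b in concepts():
        print(sorted(a), "share", sorted(b))
    print("equivalent:", equivalence_classes())
    print("contained in:", containments())
```

On the constructed context the lattice has five concepts: the bottom concept holds only the fully compliant employee, the top concept holds everyone with an empty shared requirement set, and the three concepts in between are the subgroups a manager would see as nodes in the diagram. Swapping the constructed table for real audit data changes only `CONTEXT` and `REQUIREMENTS`.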
Keywords/Search Tags: Information System, Information Security, Information Security Compliance Behavior, Formal Organizational Control Mechanism, Incentive Mechanism, Evaluation Mechanism