
Validating a Control-based Model of Information Security Compliance: A Meta-analysis

Posted on: 2021-03-24
Degree: Master
Type: Thesis
Country: China
Candidate: J Liu
Full Text: PDF
GTID: 2439330602994372
Subject: Management Science and Engineering
Abstract/Summary:
In today's big data era, information security plays a crucial role in the sustainable development of organizations. Employees are regarded as the weakest link in organizations' information security management, and their security compliance is crucial in determining organizations' information security success. Prior literature has extensively investigated the influences of formal management controls (i.e. deterrence, rewards, and monitoring) on employees' security compliance; however, other control mechanisms such as social control and self-control have drawn less attention. Therefore, understanding the categories of control mechanisms, and which kind of control mechanism is more effective, benefits the development of organizations. In this study, we proposed a taxonomy of the formal and informal control mechanisms used in security management, and proposed an integrative, control-based model to understand employees' security compliance behaviors. We further validated the model with a meta-analysis. Our model was largely supported by the meta-analysis results. We found informal social controls and self-control to be more effective in promoting security compliance than formal controls. In addition, we found that the influences of formal and informal controls on security compliance are moderated by the eastern/western culture context, general/specific policy, compliance/non-compliance and behavior/non-behavior context. To be specific, in the eastern culture context, formal control and informal social controls are more effective. In the western culture context, self-control is more effective. We also found that informal controls are more effective in persuading employees to comply with the information security policy (ISP) (positive behavior) than in reducing non-compliance behavior (negative behavior). Moreover, we concluded that different types of ISP (general or specific) will influence the effectiveness of formal and informal controls. In a general policy context, formal controls are more effective. On the contrary, informal control is a good way to manage employees' ISP compliance behavior for a specific ISP. Our study also demonstrated that neither formal controls nor informal controls significantly influence employees' actual security behaviors; they can only significantly influence employees' intentions or attitudes towards ISP compliance.
Keywords/Search Tags: Information Security, Policy Compliance, Formal Control, Informal Control, Meta-analysis, Deterrence Theory, Social Control Theory