Be Careful What You Wish For: Proposing the IT Policy Control-Reactance Model (ITPCRM) to Predict Professionals’ Intent to Comply with New IT Security Policies Along with Their Resulting Anger

Lowry, Paul Benjamin; Teh, Noelle; Molyneux, Braden; Bui, Son Ngoc

Be Careful What You Wish For: Proposing the IT Policy Control-Reactance Model (ITPCRM) to Predict Professionals’ Intent to Comply with New IT Security Policies Along with Their Resulting Anger

MIS Quarterly Pre-ICIS Workshop for Authors at the International Conference on System Sciences, St. Louis, Missouri, USA, December 12, pp. 1-40

42 Pages Posted: 30 Jun 2013

See all articles by Paul Benjamin Lowry

Paul Benjamin Lowry

Virginia Tech - Pamplin College of Business

Noelle Teh

Brigham Young University - Department of Information Systems

Braden Molyneux

Brigham Young University - Department of Information Systems

Son Ngoc Bui

Brigham Young University - Department of Information Systems

Date Written: June 30, 2013

Abstract

Because employees are major IT security threats in organizations, recent behavioral IS security research has looked at ways to increase IT security compliance. Unfortunately, many of these approaches — especially those based on deterrence theory and other controlling approaches — can backfire. Accordingly, we introduce psychological reactance theory as an innovative theory to explain why controlling approaches to IT security policies can backfire. The theory explains that, when an individual’s freedoms are threatened, he or she will respond by attempting to reestablish the threatened freedoms. For nomological validity and explanatory power, we combined control theory, mandatoriness, and reactance theory into a comprehensive model — IT Policy Control-Reactance Model (ITPCRM) — to explain and predict, for the first time, the inherent conflicts between increased control and mandatoriness that may increase IT security policy compliance yet threaten personal freedom in a manner that causes reactance as subsequent negative results. Testing ITPCRM with 320 working professionals demonstrated that that while creating mandatoriness helps intent to comply with a new IT security policy, if this sense of mandatoriness is delivered through high levels of control or controlling language, it also creates reactance, anger, and decreased intent to comply with a new IT security policy. From these findings, we propose recommendations for practice, including carefully communicating policy, understanding the importance of freedoms for employees, and establishing an environment of threat awareness.

Keywords: control theory, controls, reactance theory, reactance, IT security policies, policy compliance, mandatoriness, organizational mandatoriness, threat to freedom, boomerang effects, anger

Suggested Citation: Suggested Citation

Lowry, Paul Benjamin and Teh, Noelle and Molyneux, Braden and Bui, Son Ngoc, Be Careful What You Wish For: Proposing the IT Policy Control-Reactance Model (ITPCRM) to Predict Professionals’ Intent to Comply with New IT Security Policies Along with Their Resulting Anger (June 30, 2013). MIS Quarterly Pre-ICIS Workshop for Authors at the International Conference on System Sciences, St. Louis, Missouri, USA, December 12, pp. 1-40, Available at SSRN: https://ssrn.com/abstract=2287450