Why deterrence is not enough: The role of endogenous motivations on employees’ information security behavior

Information systems security (ISS) is an increasingly critical issue for companies worldwide. In 2013, cybercrime caused losses worth US $113 billion and affected 378 million victims (Norton Symantec Cybercrime Report 2013). Besides criminal attacks and system malfunctions, human error is a major cause of information security incidents. Hence, refining our understanding of how employees’ information security behavior can be explained and influenced is a top priority in academia and business practice (D’Arcy et al. 2009; Siponen and Vance 2010). In this respect, numerous studies have examined the effect of deterrence mechanisms such as monitoring or sanctioning on individual security compliance. A perspective largely neglected by prior research is the role of endogenous motivations (Siponen and Oinas-Kukkonen 2007), although studies in adjacent fields have shown the effectiveness of motivational intervention strategies (Wunderlich et al. 2013). Our study seeks to close this gap by examining how endogenous motivations influence individual ISS-related behavior. Our proposed model integrates the theory of planned behavior (TPB) and the organismic integration theory (OIT), a sub-theory of self-determination theory (SDT). We empirically test the model using a sample of 444 employees from different organizations. The results show that when employees’ personal values and principles are congruent with their employer’s ISS-related prescriptions and goals, their intention to comply with security policies significantly increases. By contrast, we find no effect on compliance intention when employees perceive their actions as the result of external pressure and coercion. The study’s findings advance our understanding of the motivational processes underlying security-compliant behavior and provide numerous implications for researchers and practitioners.