Taking promotion and prevention mechanisms matter for information systems security policy in Chinese SMEs

Hung-Pin Shih, K. Lai, Xitong Guo, T. Cheng
Published in: 2016 2nd International Conference on Information Management (ICIM), 2016-05-07
DOI: https://doi.org/10.1109/INFOMAN.2016.7477543
Citations: 4

Abstract

Deterrence and rational choice calculus theories can regulate or motivate employees' compliance with information systems security policy (ISSP). However, the two well-developed theories may not fully induce compliance behavior of ISSP given the growing trend of IS security violation in China. Deterrence and rational choice calculus employ an assumption of general awareness of ISSP to address compliance behavior. However, employees may judge their compliance behavior of ISSP in terms of positive and negative emotions but not the trade-off of benefits and costs (risks) only in the compliance. Grounded in regulatory focus theory (RFT), we propose a research model that addresses the motivational mechanisms for employees to comply with ISSP. We adopt a scenario-based questionnaire to survey employees of Chinese SMEs for model testing. The empirical results indicate that promotion-approach is better than promotion-avoidance in motivating compliance intention when employees are aware of the ISSP in their companies. However, promotion-approach and promotion-avoidance are ineffective in inducing compliance intention when employees are unaware of ISSP in Chinese SMEs. Information security awareness is not a necessary condition of the compliance of ISSP. Additionally, prevention-approach is better than prevention-avoidance in motivating compliance intention regardless of whether employees are aware or unaware of ISSP in the workplace. Our empirical results can provide meaningful implications for academics and practitioners.