Voluntary and instrumental information security policy compliance: an integrated view of prosocial motivation, self-regulation and deterrence

Understanding employees’ motivations and behaviors toward compliance with information security policies (ISPs) remains a theoretical and practical challenge. Although previous information security researchers have investigated different motivational factors related to ISP compliance, most have not recognized different forms of ISP compliance behaviors characterized by their levels of willingness and persistence, nor have they noted the importance of adopting an other-oriented lens to examine such behaviors. In this paper, we propose and test an integrated model that investigates how various motivational factors affect different ISP compliance behaviors. Specifically, the model anchors on the prosocial motivational perspective in addition to the instrumental and self-regulatory motivational perspectives and investigates two types of compliance behaviors (voluntary ISP compliance and instrumental ISP compliance). We tested our model using survey data collected from 407 employee respondents. Our results show that the three sets of motivational factors have different effects on the two types of ISP compliance behaviors. Prosocial motivation and self-regulatory motivation positively affect voluntary ISP compliance behavior. Deterrence as an instrumental control leads to instrumental ISP compliance behavior but undermines voluntary ISP compliance behavior. Our study highlights that, to foster employees’ voluntary ISP compliance, organizations need to take a more holistic approach by integrating the prosocial approach with the instrumental and self-regulatory approaches in managing voluntary compliance behaviors, while being mindful of the negative effects of instrumental controls (e.g., deterrence) on such behaviors.