IACIS Conference 2024


To Follow The Rules Or Break Them: An Individual Rule-Following Perspective

Most security breaches are caused by human error, and employees are perceived as the last line of defense against threats that have evaded technological controls by network administrators. Accordingly, organizations invest in information security policy (ISP) creation, implementation, and training initiatives to train employees to recognize and evade security threats. Generally, ISPs are meant to clarify employees' information security decisions and take time to develop and implement. However, many policies are slow to adapt and guide employees as work conditions change or new technologies are introduced to increase productivity and gather and share data to perform work-related activities. Despite much research on what motivates employee security policy behavior, we have yet to determine why employees continue to fail to prevent malicious actions against organizational information systems. Many ISP compliance studies articulate an ‘all or nothing’ approach to ISPs, which assumes the policies are written to cover all possible decisions employees may perform concerning information security. We argue that this assumption is not justified, as employees face new and novel approaches from malicious actors and technologies meant to undermine the rules put in place through the ISP. We also argue that it is not enough to study the motivations behind ISP compliance since motivations can be nuanced and different for adaptive behavior (ISP compliance) as opposed to maladaptive behaviors (avoidance and non-compliance). Therefore, we take a rule-following perspective to study both. We argue that when the requirements of an ISP disrupt employees' work, they face rule tension. In response to rule tension, they are less likely to exhibit adaptive behaviors and more likely to exhibit maladaptive behaviors.
In addition, we propose that two common governance approaches, (1) command-and-control and (2) self-regulatory, moderate the relationship between rule tension and adaptive and maladaptive behaviors in the context of ISP rule-following.

Darin Hodges
Appalachian State University
United States

Russell Haines
Appalachian State University
United States

Deepti Agrawal
Appalachian State University
United States

 


