Theorizing the Behavioral Effects of Control Complementarity in Security Control Portfolios

Authors

Jeffrey D. Wall, Michigan Technological UniversityFollow
Prashant Palvia, Bryan School of Business and Economics
John D’Arcy, University of Delaware

Document Type

Article

Publication Date

2-9-2021

Department

College of Business

Abstract

Employees are a major cause of information security vulnerabilities and breaches. Organizations implement controls, such as information security policies, fear appeals, and computer monitoring, to manage the security threats that employees pose. Behavioral information security research seeks to understand how these security controls influence employees’ behaviors. In practice, organizations adopt many coexisting security controls in security control portfolios (SCPs). Unfortunately, the complexities of SCPs are not well understood in the information security literature. To assist in studying SCPs, we present a typology and a theoretical model of security control grounded in an extension of control theory. We identify twelve types of security controls that can exist in practice based on three important control dimensions. We develop a number of propositions to explain how the complementarity of security controls in SCPs affect motivation to protect information. Our efforts produce a behaviorally grounded extension of control theory that is well suited for studying individual-level security behavior governed by complex SCPs.

Publication Title

Information Systems Frontiers

Recommended Citation

Wall, J., Palvia, P., & D’Arcy, J. (2021). Theorizing the Behavioral Effects of Control Complementarity in Security Control Portfolios. Information Systems Frontiers. http://doi.org/10.1007/s10796-021-10113-z
Retrieved from: https://digitalcommons.mtu.edu/michigantech-p/14760