Dissertation: Informal Controls Outperform Formal Controls in Organizational Information Security Management – but Formal Controls Still Matter
What did you study?
I applied a meta-analysis approach to examine the overall effects of formal and informal controls (i.e., clan controls and self-controls) on employee information security policy (ISP) compliance, and the boundary conditions under which formal and informal controls are more effective. I also used meta-analytic structural equation modeling (MASEM) to examine how formal controls may influence employee ISP compliance through informal controls. In addition, I examined how deterrence threat to employees (DTE), as a commonly studied formal control, and security threat to organizations (STO) affect employees’ ISP compliance and extra-role security behaviors through the psychological mechanisms of motivational postures.
What were the results of your study?
The dissertation found that informal controls are effective in motivating employee ISP compliance, and informal controls are generally more effective than formal controls. Besides, the effects of formal controls are susceptible to various cultural and methodological factors, such as national cultures, behavioral measurement types, and security policy types; however, the effects of informal controls (e.g., clan controls) remain relatively stable across these cultural and methodological contexts. Formal controls can also strengthen informal controls, which in turn motivate employee ISP compliance.
In addition, as a kind of formal control, DTE can promote an employee’s postures of capitulation and resistance, while decreasing the posture of disengagement. In contrast, STO can increase an employee’s posture of commitment and decrease the posture of disengagement. When employees perceive ISP legitimacy as high (vs. low), the positive effect of DTE on the posture of capitulation and its negative effect on the posture of disengagement are more pronounced, while the positive effect of DTE on the posture of resistance is weakened. Furthermore, for employees with low (vs. high) value congruence with organizational authorities, the positive effect of STO on the posture of commitment and its negative effect on the posture of disengagement are more salient. The commitment posture is positively related to employee ISP compliance and extra-role security behaviors, while the disengagement posture is negatively related to both types of security behaviors. The capitulation posture is positively associated with ISP compliance, whereas the resistance posture is negatively associated with it.
How can the results be applied? What new insights did the research contribute to the topic?
The dissertation contributes to information security literature by confirming the overall effectiveness of informal controls in motivating employee ISP compliance, revealing that informal controls are more effective than formal controls in enhancing ISP compliance, demonstrating the stronger stability of effects of informal controls (vs. formal controls) across various cultural and methodological contexts, and confirming informal controls as underlying mechanisms through which formal controls influence employee ISP compliance. Furthermore, this dissertation offers insight into information security research by confirming motivational postures as underlying mechanisms through which DTE and STO affect employee ISP compliance, extending the focus of previous research on DTE and STO from ISP compliance to extra-role security behavior, and identifying key boundary conditions (i.e., ISP legitimacy and value congruence) that influence the effectiveness of DTE and STO, thereby deepening our understanding of when the two tactics work better. Overall, the findings provide practical guidance on how to use controls and threat-based strategies to manage employees’ security behaviors in organizations.
Jing Liu will defend her doctoral dissertation “Understanding the Roles of Formal and Informal Controls in Organizational Information security: Behavioral Consequences and Psychological Mechanisms” on Friday, 8 May 2026 at 12:00 in Liikunta Building, auditorium L303.
The opponent is Professor Xin (Robert) Luo (University of New Mexico), and the custos is Professor Mikko Siponen (University of Jyväskylä).
The language of the event is English.
Further information
Jing Liu
liuj@jyu.fi