Taking promotion and prevention mechanisms matter for information systems security policy in Chinese SMEs

Hung Pin Shih, Xitong Guo, Kee Hung Lai, Edwin Tai Chiu Cheng

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

2 Citations (Scopus)


Deterrence and rational choice calculus theories can regulate or motivate employees' compliance with information systems security policy (ISSP). However, the two well-developed theories may not fully induce compliance behavior of ISSP given the growing trend of IS security violation in China. Deterrence and rational choice calculus employ an assumption of general awareness of ISSP to address compliance behavior. However, employees may judge their compliance behavior of ISSP in terms of positive and negative emotions but not the trade-off of benefits and costs (risks) only in the compliance. Grounded in regulatory focus theory (RFT), we propose a research model that addresses the motivational mechanisms for employees to comply with ISSP. We adopt a scenario-based questionnaire to survey employees of Chinese SMEs for model testing. The empirical results indicate that promotion-Approach is better than promotion-Avoidance in motivating compliance intention when employees are aware of the ISSP in their companies. However, promotion-Approach and promotion-Avoidance are ineffective in inducing compliance intention when employees are unaware of ISSP in Chinese SMEs. Information security awareness is not a necessary condition of the compliance of ISSP. Additionally, prevention-Approach is better than prevention-Avoidance in motivating compliance intention regardless of whether employees are aware or unaware of ISSP in the workplace. Our empirical results can provide meaningful implications for academics and practitioners.
Original languageEnglish
Title of host publicationProceedings of 2016 International Conference on Information Management, ICIM 2016
Number of pages6
ISBN (Electronic)9781509014705
Publication statusPublished - 23 May 2016
EventInternational Conference on Information Management, ICIM 2016 - London, United Kingdom
Duration: 7 May 20168 May 2016


ConferenceInternational Conference on Information Management, ICIM 2016
Country/TerritoryUnited Kingdom


  • compliance
  • information systems security policy (ISSP)
  • prevention
  • promotion
  • regulatory focus theory (RFT)

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications
  • Information Systems and Management

Cite this