An optimal coupling incentive mechanism concerning insider’s compliance behavior towards marine information security policy

Xiaolong Wang ,Changlin Wang ,Zaiguan Sun,Chunhui Wang

School of Economics and Management, Binzhou University, Binzhou 256600, China

Keywords:Marine information Information security policy Compliance behavior Incentive mechanism

ABSTRACT It is widely agreed that the insider’s noncompliance to the marine information security policies has brought about a major security problem in the organizational context.Previous research has stressed the potential of remunerative control,i.e.,reward,to better understand this problem.Few studies have been devoted to the exploration of the coupling incentive mechanism of tangible and intangible rewards that would induce insider’s compliance behavior towards the marine information security policy.In the present study,we address this research gap by proposing a theoretical model that explains the optimal coupling incentive mechanism of these two different types of remunerative control.Our findings have delivered insightful implications for practice and research on how to improve the marine information security policy compliance in a more subtle way.

1.Introduction

Marine information available within computer-based systems is the vital asset in the organizational context [1].Security-related tasks towards marine information are especially arduous to the insiders in their workplaces [2-3].However,these insiders frequently lack effort appreciation in these tasks from the organization.In extant literature,there has been consensus that insiders are the weakest link in information security policy compliance within an organization [4-9].Even if marine information security policy is stated clearly and insider’s policy compliance is well evaluated,compliance could be deficient in the absence of proper incentive of rewards [10].Hence,effective incentive mechanism design concerning the effort appreciation is necessarily needed and particularly important.

There exists sound evidence that rewards can motivate insiders to improve compliance [11-13].Gerhart et al.pointed out that the proper use of rewards as a means of controlling insiders’ behaviors can benefit organizations in various ways,such as promoting their excellence,and increasing job satisfaction [11,14-16].Sims emphasized that reward tends to have a much stronger effect on insider’s performance [17].Andreoni et al.illustrated that reward can boost self-esteem and encourage cooperation [18].Eisenhardt and Kirsch suggested that it would be effective to tie rewards to desired behaviors [19,20].Fisher and Ackerman noted that,in order to promote the compliance in organizations,the use of rewards is to recognize the desirable behaviors of the insiders,which would create a security compliance culture,and thus improve greatly the compliance [21].

It has been recommended in the information security society that reward can act as one of the behavioral antecedents for insiders’ compliance,for reward can send explicit signals to insiders that their compliance with information security policy is mandatory.Boss et al.deemed that reward signals to insiders that their compliance meets the expectation of their organization,and pointed out that reward provides incentiverequired by the compliance [22].Bulgurcu et al.noted that rewards were found to significantly influence an insider’s belief in the benefit of information security policy compliance [23].Young et al.found that rewards affect intentions and attitudes of information security policy compliance significantly [24].Chen et al.proposed that reward could be an alternative for organizations in the cases that sanctions do not successfully prevent violation,and the control signal for compliance to information security policies could be weak without reward,as a consequence,desirable compliance behaviors are not reinforced [11].

Following the principal-agent theory,the insiders as the agents are rational and self-interested,therefore,they may act to maximize their own outcomes without extensive effort towards achieving the organization’s (i.e.,the principal’s) information security goals [25-30].The structure of rewards,when properly designed,could facilitate harmonizing the goals of insiders and their organization,that is,rewards can be useful for altering the insiders’behaviors to realize the organization’s goals.An organization can implement its remunerative control through tangible rewards,such as bonus,vacation,and intangible rewards,such as effort appreciation,written or oral commendation [11,19].Herath and Rao have proposed that the principal-agent paradigm can provide insight in developing effective controls towards information security compliance behaviors [31].To our knowledge,few studies have been carried out on the incentive mechanism for information security compliance by design of the optimal coupling of tangible and intangible rewards.In what follows,an optimal coupling incentive mechanism concerning insider’s compliance towards the marine information security policy has been designed and analyzed,with which the insider’s compliance is expected to be more precisely controlled.

2.Modelling the optimal coupling incentive

Assumptions are firstly made to keep our analysis tractable: (i)An insider (the agent) and an organization of marine engineering(the principal) are independent individuals,and the task,namely,strict compliance with the marine information security policy,is delegated to the insider.(ii) This insider is risk-averse.Let the constant Arrow-Pratt measure of absolute risk aversion of the insider beρ,ρ >0.Suppose this organization is risk-neutral.(iii) The organization will stick to its promise,and will offer both tangible and intangible rewards to the insider.(iv) Suppose that both the insider and the organization prefer to maximize their expected utilities,respectively.(v) LetB0 be the set of insider’s compliance effort levels,andb∈B0.The insider is aware of her own compliance effort level,but this is unobservable by the organization.θis used to denote the state of nature,which is an unobservable exogenous variable.The values ofθobey a normal distribution with a zero mathematical expectation and a varianceσ2,π(b,θ) is the insider’s compliance performance outcome,which is belonging to the organization,and is determined by bothbandθ.Supposeπ(b,θ)=b+θ,hereπacting as an observable variable,whose values also obey a normal distribution with a mathematical expectationband a varianceσ2.The distribution ofπ(b,θ) satisfies the first-order stochastic dominance condition.Hence,a larger value ofπ(b,θ) implies that a higher effort level has been selected by the insider,and a largerθrepresents a more favorable state of nature.(vi)c(b) is used to denote the cost of a specific compliance effort level.Its first-order derivativec′(b)>0,which means that the compliance cost gets larger at a higher level of compliance effort.Therewith,the insider would not like to select a higher effort level.(vii) The distribution ofθ,π(b,θ),and the Neumann-Morgenstern utility functions are the common knowledge shared by both the insider and the organization of marine engineering.[28].

The organization of marine engineering can design such an incentive contract:C(π)=w0+απ+βπ,wherew0stands for the fixed-wage paid to the insider,and is irrelevant toπ;αandβare the sharing coefficients ofπ,0≤α≤1,0≤β≤1.In order to write an optimal incentive contract,the organization needs to determineαandβwith the observableπ.

For the organization,the intangible reward can be set to zero financial expenditure,i.e.,βπ=0.Then,the expected payoff of the organization is

3.Model analysis

4.Conclusions

For understanding the marine information security policy compliance of the insider in the organizational setting,we have proposed an optimal incentive mechanism coupling tangible and intangible rewards for the marine information security policy compliance management.The optimization model presents the following results: (i) The intangible reward at any level will deliver a positive effect on the compliance effort of the insider when the tangible reward is fixed by the organization.(ii) The tangible reward can be reduced when a higher intangible reward is offered to the insider.(iii) A higher compliance effort level will be selected by the insider in the case that she gets a larger intangible reward.In the future,these results are expected to be investigated with the empirical study in the context of marine information security policy compliance management.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.