Exploring the Drivers of Information Security Policy Compliance Among Contingent Employees: A Social, Deterrent, and Involvement-Based Approach

This study utilizes PLS-SEM analysis of data from Ghanaian universities to demonstrate that subjective norms, deterrence, and involvement mechanisms—particularly knowledge sharing—significantly shape contingent employees' attitudes toward information security policies, thereby driving their compliance intentions.

The Gist

Imagine a university as a giant, high-tech fortress. Inside, there are digital vaults holding everything from student grades to research secrets. To keep these vaults safe, the university has a set of "Security Rules" (like locking your door, not sharing passwords, and spotting suspicious emails).

For a long time, the university assumed that only the permanent staff (the people who have been there for years, with full-time jobs and benefits) needed to worry about these rules. They thought, "If we train the permanent guards, the fortress is safe."

But this paper argues that the university is missing a huge piece of the puzzle: The Contingent Employees. These are the temporary workers—the part-time lecturers, the contract researchers, the short-term admin staff. They are like the "guest workers" who come in for a season. They have keys to the same digital doors as the permanent staff, but they might feel less connected to the fortress.

The researchers wanted to know: What makes these temporary workers actually follow the security rules?

They tested three main "motivation engines" to see what gets the temporary workers to comply:

1. The "Peer Pressure" Engine (Social Norms)

• The Metaphor: Imagine you are at a party. If everyone else is putting their phones away to talk, you probably will too. If your boss and your coworkers are all taking security seriously, you feel a social pull to do the same.
• The Finding: The study found that Subjective Norms (what others expect of you) are a huge driver. If contingent employees see their colleagues and supervisors caring about security, they are much more likely to care too. It's about fitting in with the group.

2. The "Fear of Getting Caught" Engine (Deterrence)

• The Metaphor: This is like a speed camera on a highway. Even if you don't want to speed, you slow down because you know there's a camera (Certainty of Detection) and you know the fine is expensive (Severity of Punishment).
• The Finding: The researchers checked if the fear of punishment works. It does! If temporary staff believe they will definitely get caught if they break the rules, and that the penalty will be harsh, they are more likely to follow the rules. However, the study noted this is a "weak" engine compared to others—it works, but it's not the most powerful motivator.

3. The "Teamwork & Sharing" Engine (Involvement)

• The Metaphor: Imagine you are on a sports team. If your teammates constantly share tips on how to win, and you work together to practice, you feel like you own the game. You aren't just a hired hand; you're part of the squad.
• The Finding: This was the biggest winner. When the university encouraged Knowledge Sharing (telling each other about security tricks) and Collaboration (working together on security tasks), the temporary staff's attitude toward the rules improved the most. They felt included, informed, and valued.

The Result: The "Attitude" Bridge

The study found a clear chain reaction:

1. When you have Peer Pressure, Fear of Punishment, and especially Teamwork, your Attitude toward the security rules changes. You stop seeing them as annoying red tape and start seeing them as something important.
2. Once your Attitude is positive, your Intention to Comply skyrockets. You actually want to follow the rules.

The Big Takeaway

The paper tells universities (and any organization with temporary staff): Stop just yelling "Don't do it!" or relying only on threats.

Instead, treat your temporary workers like part of the family.

• Don't just punish: Make sure they know the rules, but don't rely solely on fear.
• Do include them: Create a culture where security tips are shared like gossip or sports stats. Let them collaborate on safety.
• Use the crowd: Show them that everyone else is doing it.

In short: If you want your temporary workers to guard the digital fortress, don't just give them a rulebook and a threat. Give them a team, a voice, and a reason to care. When they feel like they belong, they will protect the keys.

Technical Summary

Here is a detailed technical summary of the paper "Exploring the Drivers of Information Security Policy Compliance Among Contingent Employees: A Social, Deterrent, and Involvement-Based Approach."

1. Problem Statement

As institutions increasingly rely on Information Systems (IS) for core operations, securing these systems is critical. While technological defenses exist, human behavior remains the primary vulnerability. Existing literature on Information Systems Security Policy (ISSP) compliance suffers from two major gaps:

• Contextual Bias: Most studies focus on permanent employees in developed countries, neglecting the unique psychological contracts and institutional relationships of contingent employees (e.g., part-time lecturers, contract staff, temporary researchers).
• Generalizability: Findings from permanent staff in low power-distance cultures (e.g., Europe) may not apply to contingent workers in high power-distance contexts (e.g., Africa), where cultural norms and employment instability differ significantly.
• Risk: Contingent workers often have similar access levels to permanent staff but may lack the same organizational commitment, making them susceptible to targeting by cybercriminals.

Objective: To empirically assess how Subjective Norms, Deterrence Mechanisms (certainty of detection, severity of punishment), and Involvement Mechanisms (knowledge sharing, collaboration) influence contingent employees' attitudes toward ISSPs and their subsequent compliance intentions within the Ghanaian university context.

2. Methodology

The study employed a quantitative research approach using a survey-based design.

• Participants: A sample of 688 contingent employees from various universities in Ghana. The demographic breakdown included:
  • Roles: Part-time lecturers, teaching/research assistants, and contract administrative staff.
  • Demographics: ~83% male, mean age 27; highly educated (48% PhD, 34% Master's).
  • Criteria: All participants had active affiliation with university ISs (LMS, admin platforms).
• Instrument: An online questionnaire using a 5-point Likert scale (1 = Strongly Disagree to 5 = Strongly Agree).
• Constructs Measured:
  1. Subjective Norm (SN)
  2. Certainty of Detection (CD)
  3. Severity of Punishment (SP)
  4. Knowledge Sharing (KS)
  5. Collaboration (CO)
  6. Attitude Toward ISSPs (ATT)
  7. ISSP Compliance Intentions (CI)
• Theoretical Framework: The study integrated the Theory of Planned Behavior (TPB), Deterrence Theory, and Involvement Theory. It omitted "Perceived Behavioral Control" from the TPB model based on prior literature precedents.
• Data Analysis: Partial Least Squares Structural Equation Modeling (PLS-SEM) was used. This method was chosen for its robustness against non-normal data and its suitability for predictive modeling and theory development.
  • Measurement Model: Assessed via Composite Reliability (CR), Cronbach's Alpha (CA), Average Variance Extracted (AVE), and Fornell-Larcker criterion for discriminant validity.
  • Structural Model: Tested using bootstrapping (5,000 resamples) to determine path coefficients, p-values, and effect sizes ($f^2$).

3. Key Contributions

• Contextual Expansion: It is one of the first studies to specifically target contingent employees in an African context, challenging the generalizability of Western-centric ISSP models.
• Theoretical Integration: The paper successfully synthesizes three distinct theoretical lenses:
  • TPB (Social influence via Subjective Norms).
  • Deterrence Theory (Fear of consequences).
  • Involvement/Social Exchange Theory (Collaboration and knowledge sharing).
• Nuanced Findings on Deterrence: It demonstrates that while deterrence works for contingent staff, social and collaborative factors are significantly more potent drivers of positive attitudes than punitive measures.

4. Results

The analysis confirmed all six hypotheses (H1–H6), revealing the following path coefficients ($\beta$) and significance levels:

Hypothesis	Path	$\beta$ (Coeff)	$p$-value	Effect Size ($f^2$)	Interpretation
H1	Subjective Norm $\rightarrow$ Attitude	0.352	< 0.001	0.078 (Weak-Moderate)	Social pressure significantly shapes attitudes.
H2	Certainty of Detection $\rightarrow$ Attitude	0.287	0.002	0.045 (Weak)	Belief in being caught positively influences attitude.
H3	Severity of Punishment $\rightarrow$ Attitude	0.313	0.001	0.052 (Weak)	Fear of harsh penalties positively influences attitude.
H4	Knowledge Sharing $\rightarrow$ Attitude	0.411	< 0.001	0.123 (Moderate)	Strongest predictor. Sharing info drives positive attitudes.
H5	Collaboration $\rightarrow$ Attitude	0.269	0.004	0.039 (Weak)	Working together improves attitudes.
H6	Attitude $\rightarrow$ Compliance Intention	0.586	< 0.001	0.376 (Strong)	Attitude is the primary driver of compliance intent.

Key Statistical Insights:

• Knowledge Sharing emerged as the strongest antecedent to Attitude ($\beta = 0.411$), surpassing even Subjective Norms.
• Attitude toward ISSPs is the most critical mediator, showing a very strong effect on Compliance Intentions ($\beta = 0.586$, $f^2 = 0.376$).
• Deterrence factors (Detection and Punishment) were statistically significant but had weaker effect sizes compared to social and collaborative factors.

5. Significance and Implications

Theoretical Significance:

• Validates that Deterrence Theory applies to contingent workers, countering the assumption that temporary staff are immune to fear-based mechanisms due to their transient nature.
• Extends TPB by highlighting that in collectivist/high power-distance cultures, Subjective Norms are powerful, but Involvement mechanisms (Knowledge Sharing) are the dominant drivers of attitude formation in security contexts.
• Suggests that future compliance models must move beyond rational choice and fear to include relational and community-based constructs.

Practical Implications:

• Shift from Punitive to Collaborative: Institutions should not rely solely on enforcement. Instead, they must foster knowledge-sharing cultures (workshops, peer forums) and collaborative policy development to engage contingent staff.
• Social Reinforcement: Leveraging "champions" and peer influence (Subjective Norms) is effective. Security culture should be framed as a collective responsibility.
• Balanced Enforcement: While deterrence is less effective than collaboration, it remains necessary. Monitoring and consequences should be visible and fair, but not the sole strategy.
• Targeted Interventions: Security training must specifically address the unique psychological contracts of temporary staff, ensuring they feel included in the institutional security ecosystem rather than marginalized.

Conclusion:
The study concludes that to secure information systems effectively, organizations must adopt a holistic approach that combines social reinforcement, collaborative involvement, and balanced deterrence. For contingent employees, fostering a sense of ownership through knowledge sharing and collaboration is the most effective pathway to compliance.