
2.   Chapter 2. Understanding the information security behaviour of end-users

2.3   Understanding the behaviour of humans and end-users

2.3.3   Loyalty and commitment

“A committed person stays with the organization through thick and thin, puts in a full day and more, protects company assets, shares company’s beliefs and goals” (Meyer & Allen, 1997).

As the above quote from Meyer and Allen (1997) shows, an organization would desire commitment from its employees. The committed employee would not only complete his/her immediate responsibilities, but would do all that is required, and more. Such an employee would always work in the best interests of the organization, would always strive to protect the organization’s assets and would have the same beliefs as the organization. In the context of information security policies and controls in an organization, it is understandable that commitment to information security is desirable in the end-users. End-users committed to information security in the organization will comply with the information security policies and controls and will exercise due diligence in using and protecting the organization’s information assets. Since end-users frequently do not comply with information security policies and controls in the organization, commitment to information security becomes a valuable construct.

Meyer and Herscovitch (2001) define commitment as:

“a force that binds an individual to a course of action of relevance to one or more targets. As such, commitment is distinguishable from exchange-based forms of motivation and from target-relevant attitudes, and can influence behaviour even in the absence of intrinsic motivation or positive attitudes.”

Hence, commitment is the force of a psychological bond that causes an individual to continue a course of action. In the context of end-users, commitment to information security policies and controls in the organization implies a psychological bond that causes end-users to persevere with information security tasks even though such perseverance might lead to personal inconvenience, inefficiency etc.

Meyer and Allen (1991) presented the ‘Three-component’ model of commitment of employees to their organization. According to this model, organizational commitment is a mind-set or psychological state concerning the employee’s relationship with the organization and has implications for the decision to continue or discontinue membership in the organization.

Commitment is seen as being composed of three components – affective, continuance and normative commitment (see Figure 2.2). Affective commitment refers to the employee’s emotional attachment to, identification with, and involvement in the organization. Affective commitment reflects a desire to continue. Employees continue with the relationship because they want to continue. Continuance commitment refers to an awareness of the costs associated with discontinuing the relationship. Employees under continuance commitment continue because they need to. Normative commitment reflects a feeling of obligation to continue the relationship. Employees under normative commitment continue because they feel that they ought to.

In the three-component model, an employee can experience all three forms of commitment in varying degrees. The three components interact to influence behaviour. Meyer and Allen (1991) state that employees’ willingness to contribute to organizational effectiveness will be influenced by the nature of the commitment they experience. Employees under affective commitment might be more likely to exert effort on behalf of the organization. Such employees exert more effort because they want to, rather than because they need to (continuance commitment) or because they feel obligated to (normative commitment). Individuals under affective commitment may be more inclined to engage in behaviours that would benefit the organization than those under normative or continuance commitment. Morgan and Hunt (1994) stated that affective commitment is created when an individual internalizes the values of the organization. Affective commitment reflects a sense of liking and of emotional attachment to the partnership. Calculative commitment (i.e. normative and continuance components) is based on gains and losses, rewards and punishments or plusses and minuses. Normative commitment is derived from a mind-set driven by the obligation to pursue a course of action; continuance commitment is derived from a mind-set driven by the rewards and costs associated with the particular course of action (Meyer & Herscovitch, 2001).

Loyalty is a concept similar to commitment. Businesses often strive to obtain customer loyalty. Customer loyalty results in greater repeat purchases by existing customers. Further, loyal customers are less likely to switch to competitors solely because of price (Bowen & Shoemaker, 1998). In the context of information security policies and controls in an organization, end-user loyalty to information security signifies that end-users will regularly comply with their information security tasks. Loyal end-users will have a positive attitude towards the information security policies and controls in the organization, in spite of various difficulties and inconveniences.

Jacoby and Chestnut (1978) state that loyalty is represented by a set of six conditions:

“Loyalty is (1) the biased (i.e. nonrandom), (2) behavioural response (i.e. purchase), (3) expressed over time, (4) by some decision-making unit, (5) with respect to one or more alternative brands out of a set of brands, and (6) is a function of psychological (decision-making evaluative) processes.”

Thus, a loyal individual exhibits the behavioural consistency of repeat purchase driven by psychological evaluative processes. Loyalty is a construct that combines both behavioural consistency and psychological commitment (see Figure 2.3). Behavioural consistency combined with psychological commitment leads to ‘true loyalty’, whereas behavioural consistency without psychological commitment leads to ‘spurious loyalty’ (Day, 1969). ‘True loyalty’ customers exhibit a strong psychological commitment and will exhibit repeat purchasing behaviour. Such customers are also unlikely to switch to competing brands. ‘Spurious loyalty’ customers exhibit a lack of psychological commitment to the brand. Though such customers may exhibit behavioural consistency, these customers are likely to shift to competing brands at the slightest opportunity.

Commitment = Affective + Continuance + Normative

Figure 2.2: Three-component Model of Commitment (from Meyer and Allen, 1991)

This combined construct of loyalty is useful not only in understanding past behaviour, but also in predicting future patronage (Evanschitzky, Iyer, Plassmann, Niessing, & Meffert, 2006).

In the context of information security policies and controls in an organization, end-users are influenced by a multitude of factors that prevent them from complying with the information security policies and controls. Influenced by these factors, end-users find that non-compliance is often easier than compliance. Under these circumstances, commitment and loyalty are useful concepts as they represent a desire to continue with a course of action in spite of any difficulties.

Committed and loyal end-users will be more inclined towards compliance than non-compliance, thereby contributing towards maintaining the effectiveness of information security policies and controls in the organization. End-users who demonstrate both commitment and repeated compliant behaviour are truly loyal to the information security policies and controls in the organization.
