A framework for reporting and dealing with end-user security policy compliance

It is widely acknowledged that non-compliance of employees with information security polices is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users’ behaviour with an information security policy.

The proposed model is based on two main concepts: a taxonomy of the response strategy to non-compliant behaviour and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour.

A prototype system has been developed to simulate the proposed model and work as a real system that responds to the behaviour of users (reflecting both violations and compliance behaviour). In addition, the model has been evaluated by interviewing experts from academic and industry. They considered the proposed model to offers a novel approach for managing end users’ behaviour with the information security policies.

Psychological factors were out of the research scope at this stage. The proposed model may have some psychological impacts upon users; therefore, this issue needs to be considered by studying the potential impacts and the best solutions.

Users being compliant with the information security policies of their organisation is the key to strengthen information security. Therefore, when employees have a good level of compliance with security policies, this positively affects the overall security of an organisation.