The determinants of an information security policy compliance culture in organisations: the combined effects of organisational and behavioural factors

Eric Amankwa (Department of Information and Communication Technology, Presbyterian University College Ghana, Abetifi, Ghana)
Marianne Loock (School of Computing, University of South Africa, Pretoria, South Africa)
Elmarie Kritzinger (School of Computing, University of South Africa, Pretoria, South Africa)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 23 March 2022

Issue publication date: 20 October 2022

Abstract

Purpose

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.

Design/methodology/approach

Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated through an online survey, in which a questionnaire was used to collect quantitative data from 313 employees in ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.

Findings

The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.

Practical implications

Given the findings of the study, information security practitioners should implement organisational and behavioural factors that have an impact on compliance, in tandem with the organisational effort to build a culture of compliance for information security policies.

Originality/value

The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

Citation

Amankwa, E., Loock, M. and Kritzinger, E. (2022), "The determinants of an information security policy compliance culture in organisations: the combined effects of organisational and behavioural factors", Information and Computer Security, Vol. 30 No. 4, pp. 583-614. https://doi.org/10.1108/ICS-10-2021-0169

Publisher: Emerald Publishing Limited

Copyright © 2022, Emerald Publishing Limited
