Search results

1 – 10 of over 29000
Article
Publication date: 23 March 2022

Eric Amankwa, Marianne Loock and Elmarie Kritzinger


Abstract

Purpose

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.

Design/methodology/approach

Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.

Findings

The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.

Practical implications

Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.

Originality/value

The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

Details

Information & Computer Security, vol. 30 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 8 July 2019

Anjali Pathania and Gowhar Rasool

Abstract

Purpose

The purpose of this paper is to examine the use of power tactics by hospital administrators in order to gain employee compliance. It attempts to understand the influence of power bases of hospital administrators on the employee compliance using an analytic hierarchy process (AHP) technique.

Design/methodology/approach

The study adopted a mixed method technique and was conducted in two phases. In the first phase, qualitative analysis was carried out through content analysis of the anecdotes collected from the employees working in tertiary hospitals. Content analysis of responses aided in obtaining a list of criteria and sub-criteria affecting employee behavioural compliance. In the second phase, quantitative analysis was carried out using the AHP technique. While applying AHP, the issue pertaining to employee behavioural compliance with hospital’s policies, procedures and related instructions was formulated in form of a hierarchy of one objective, two criteria, six sub-criteria and five alternatives established through literature review and content analysis. Furthermore, the subject matter experts were asked to conduct pairwise comparison wherein priority rankings were achieved.

Findings

The results indicated that reward power (25 per cent) is the most significant power style exercised by effective hospital administrators in achieving employee behavioural compliance followed by expert (24 per cent), referent (22 per cent) and legitimate powers (17 per cent). As coercive (12 per cent) came out to be the least preferred power style, it should be cautiously exercised by hospital administrators in the present day scenario.

Research limitations/implications

The major limitation of this study is that the sample was drawn only from three tertiary hospitals in Jammu district that limits the generalizability of the findings in all the hospital settings across different regions. No attempt is made in this study to understand the variations with regard to demographics of the respondents that can be taken as a future research study. This study is cross-sectional in nature and provides the perspective of specific time. A longitudinal study could further provide insights into different time variations and the comparison and henceforth can be more comprehensive, thus supporting the generalizability of this study.

Practical implications

The study empirically identifies the relative importance of exercising power styles in order to gain employee behavioural compliance. The study helps in understanding the complex problem of behavioural compliance in hospital setting by examining the intensity of each factor affecting employee behavioural compliance. This knowledge is very critical in effective hospital management and getting the work done. The priority rankings obtained for power styles can be used for developing selection batteries and performance records of hospital administrators. As the behaviour of the employees is not static, there may exist the inherent limitations of adopted cross-sectional design for the present study. Furthermore, longitudinal study can be conducted at different time periods, to understand the variations in the patterns of employee’s compliance behaviour and associated practiced power styles by hospital administrators.

Originality/value

This is perhaps the first study that has scientifically attempted to integrate the power styles and analyzed their effective use in hospital administration. This research study has attempted to develop an elementary base for academicians, scholars as well as management practitioners on the effective use of power styles for achieving employee behavioural compliance in hospitals.

Details

International Journal of Health Care Quality Assurance, vol. 32 no. 6
Type: Research Article
ISSN: 0952-6862

Article
Publication date: 3 June 2019

Ioanna Topa and Maria Karyda


Abstract

Purpose

This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005.

Design/methodology/approach

Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices.

Findings

The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards.

Practical implications

This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance.

Originality/value

This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.

Details

Information & Computer Security, vol. 27 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 11 October 2018

Hyungjin Lukas Kim and Jinyoung Han


Abstract

Purpose

The purpose of this paper is to investigate the impact of corporate social responsibility (CSR) on employees’ compliance behavior concerning information security policy (ISP). A research model includes CSR activities as an antecedent of ISP compliance and as a mediator of the relationship between ISP compliance intention and the perceived costs of compliance.

Design/methodology/approach

In total, 162 respondents were surveyed from organizations with more than 500 employees. This study used partial least squares (SmartPLS 3.0) to analyze and examine hypotheses.

Findings

The results show CSR’s influence as a mediator in the context of ISP compliance. In particular, moral CSR can affect employees’ ISP compliance intention positively and fully mediate the relationship between the costs of compliance and ISP compliance intention. Employees would like to comply with ISP when they recognize the benefits of ISP compliance and the costs of ISP noncompliance.

Originality/value

This study examines influential factors on ISP compliance considering cost-benefit factors from rational choice theory. Moreover, the study contributes to ISP compliance research by being the first attempt to consider CSR in an ISP compliance research context. The results provide insights on how to strategically implement CSR activities in terms of organizational information security.

Details

Information Technology & People, vol. 32 no. 4
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 12 March 2021

Chenhui Liu, Huigang Liang, Nengmin Wang and Yajiong Xue


Abstract

Purpose

Employees’ information security policy (ISP) compliance exerts a significant strain on information security management. Drawing upon the compliance theory and control theory, this study attempts to examine the moderating roles of organizational commitment and gender in the relationships between reward/punishment expectancy and employees' ISP compliance.

Design/methodology/approach

Using survey data collected from 310 employees in Chinese organizations that have formally adopted information security policies, the authors applied the partial least square method to test hypotheses.

Findings

Punishment expectancy positively affects ISP compliance, but reward expectancy has no significant impact on ISP compliance. Compared with committed employees, both reward expectancy and punishment expectancy have stronger impacts on low-commitment employees' ISP compliance. As for gender differences, punishment expectancy exerts a stronger effect on females' ISP compliance than it does on males.

Originality/value

By investigating the moderating roles of organizational commitment and gender, this paper offers a deeper understanding of reward and punishment in the context of ISP compliance. The findings reveal that efforts in building organizational commitment will reduce the reliance on reward and punishment, and further controls rather than the carrot and stick should be applied to ensure male employees' ISP compliance.

Details

Information Technology & People, vol. 35 no. 2
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 21 December 2021

Amro A. Maher, Tamer H. Elsharnouby and Abdullah M. Aljafari

Abstract

Purpose

This study aims to investigate how employee and other-consumer safety compliance amid the COVID-19 outbreak influences a focal consumer’s intention to approach a service establishment. The study also examines the three-way interaction effect of employee compliance, other-consumer compliance and perceived threat associated with COVID-19 on approach intentions.

Design/methodology/approach

This study uses an experimental approach with a 2 (employee safety compliance: low vs high) × 2 (other-consumer safety compliance: low vs high) × 2 (consumer perceived threat from COVID-19: low vs high) between-subjects design. Students were trained to recruit a convenience sample of 827 consumers in Qatar and data were analyzed using ordinary least squares (OLS) regression.

Findings

Employee safety compliance has a positive impact on the consumer’s approach intentions. Employee safety compliance has a bigger impact on approach intentions if other consumers in the service environment are also compliant with safety measures and even a greater effect when the perceived threat from COVID-19 is high. The effect of the interaction between employee and other-consumer safety compliance is significantly different under two levels of perceived threat.

Practical implications

To enhance approach intentions, managers should start by establishing and maintaining safety compliance among employees and then achieving compliance among consumers. Achieving compliance among employees and consumers has a positive impact on approach intentions despite the focal consumer’s perceived risk associated with COVID-19.

Originality/value

This is the first study to investigate how the safety compliance of employees and other consumers jointly affects consumers’ approach intentions during a global pandemic, and it is among very few attempts to manipulate dimensions of the social servicescape.

Details

International Journal of Contemporary Hospitality Management, vol. 34 no. 3
Type: Research Article
ISSN: 0959-6119

Article
Publication date: 31 December 2019

Hyungjin Lukas Kim, Anat Hovav and Jinyoung Han


Abstract

Purpose

The purpose of this paper is to propose a theory of information security intelligence and examine the effects of managers’ information security intelligence (MISI) on employees’ procedural countermeasure awareness and information security policy (ISP) compliance intention.

Design/methodology/approach

A survey approach and structural equation modeling are utilized. Partial least squares (WarpPLS 6.0) and a nonlinear algorithm are employed to analyze and examine the hypotheses. In total, 324 employees from companies in South Korea participated in the survey, which was conducted by a professional survey service company.

Findings

MISI positively affects employees’ awareness of information security procedural countermeasures; information security knowledge and problem-solving skills have positive effects on procedural countermeasures awareness; MISI increases employees’ compliance intention through procedural countermeasure awareness; and information security procedural countermeasures positively affect employees’ ISP compliance intention.

Research limitations/implications

This study proposes a theory of information security intelligence and examines its impacts on employees’ compliance intentions. The study highlights the mediating role of information security procedural countermeasures between information security intelligence and employees’ compliance intentions.

Practical implications

Managers should improve and explicitly demonstrate information security knowledge and problem-solving skills to increase employees’ ISP compliance intention. To protect the organization’s intellectual capital, managers should champion the development and promotion of PCM, rather than leave these functions to the information security group.

Originality/value

This is the first empirical study to propose and validate MISI.

Article
Publication date: 13 February 2017

Inho Hwang, Daejin Kim, Taeha Kim and Sanghyun Kim


Abstract

Purpose

The purpose of this paper is to empirically investigate the negative causal relationships between organizational security factors (security systems, security education, and security visibility) and individual non-compliance causes (work impediment, security system anxiety, and non-compliance behaviors of peers), which have negative influences on compliance intention.

Design/methodology/approach

Based on literature review, the authors propose a research model together with hypotheses. The survey questionnaires were developed to collect data, which then validated the measurement model. The authors collected 415 responses from employees at manufacturing and service firms that had already implemented security policies. The hypothesized relationships were tested using the structural equation model approach with AMOS 18.0.

Findings

Survey results validate that work impediment, security system anxiety, and non-compliance peer behaviors are the causes of employee non-compliance. In addition, the authors found that security systems, security education, and security visibility decrease instances of non-compliance.

Research limitations/implications

Organizations should establish a mixture of security investment in their systems, education, and visibility in order to effectively reduce employees’ non-compliance. In addition, organizations should recognize the importance of minimizing the particular causes of employees’ non-compliance to positively increase intentions to comply with information security.

Originality/value

An important issue in information security management is employee compliance. Understanding the reasons behind employees’ non-compliance is a critical issue. This paper investigates empirically why employees do not comply, and how organizations can induce employees to comply by a mixture of investments in security systems, education, and visibility.

Details

Online Information Review, vol. 41 no. 1
Type: Research Article
ISSN: 1468-4527

Open Access
Article
Publication date: 21 December 2021

Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk


Abstract

Purpose

This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.

Design/methodology/approach

The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.

Findings

The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.

Research limitations/implications

The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.

Practical implications

Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite of an internal focus, that may have negative ramifications for the information security of organizations.

Originality/value

Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Article
Publication date: 8 October 2018

Eric Amankwa, Marianne Loock and Elmarie Kritzinger


Abstract

Purpose

This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions.

Design/methodology/approach

In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.

Findings

The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.

Practical implications

Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance.

Originality/value

The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.

Details

Information & Computer Security, vol. 26 no. 4
Type: Research Article
ISSN: 2056-4961
