Search results

1 – 10 of over 21000
Article
Publication date: 23 March 2022

Eric Amankwa, Marianne Loock and Elmarie Kritzinger

Abstract

Purpose

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.

Design/methodology/approach

Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.

Findings

The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.

Practical implications

Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem with the organisational effort to build a culture of compliance for information security policies.

Originality/value

The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

Details

Information & Computer Security, vol. 30 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 7 October 2020

Grant Solomon and Irwin Brown

Abstract

Purpose

Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.

Design/methodology/approach

A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.

Findings

Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.

Practical implications

Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.

Originality/value

This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.

Details

Journal of Enterprise Information Management, vol. 34 no. 4
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 31 December 2019

Hyungjin Lukas Kim, Anat Hovav and Jinyoung Han

Abstract

Purpose

The purpose of this paper is to propose a theory of information security intelligence and examine the effects of managers’ information security intelligence (MISI) on employees’ procedural countermeasure awareness and information security policy (ISP) compliance intention.

Design/methodology/approach

A survey approach and structural equation modeling are utilized. Partial least squares (WarpPLS 6.0) and a nonlinear algorithm are employed to analyze and examine the hypotheses. In total, 324 employees from companies in South Korea participated in the survey, which was conducted by a professional survey service company.

Findings

MISI positively affects employees’ awareness of information security procedural countermeasures; information security knowledge and problem-solving skills have positive effects on procedural countermeasures awareness; MISI increases employees’ compliance intention through procedural countermeasure awareness; and information security procedural countermeasures positively affect employees’ ISP compliance intention.

Research limitations/implications

This study proposes a theory of information security intelligence and examines its impacts on employees’ compliance intentions. The study highlights the mediating role of information security procedural countermeasures between information security intelligence and employees’ compliance intentions.

Practical implications

Managers should improve and explicitly demonstrate information security knowledge and problem-solving skills to increase employees’ ISP compliance intention. To protect the organization’s intellectual capital, managers should champion the development and promotion of PCM, rather than leave these functions to the information security group.

Originality/value

This is the first empirical study to propose and validate MISI.

Article
Publication date: 7 October 2013

Karin Hedström, Fredrik Karlsson and Ella Kolkowska

Abstract

Purpose

Employees' compliance with information security policies is considered an essential component of information security management. The research aims to illustrate the usefulness of social action theory (SAT) for management of information security.

Design/methodology/approach

This research was carried out as a longitudinal case study at a Swedish hospital. Data were collected using a combination of interviews, information security documents, and observations. Data were analysed using a combination of a value-based compliance model and the taxonomy laid out in SAT to determine user rationality.

Findings

The paper argues that management of information security and design of countermeasures should be based on an understanding of users' rationale covering both intentional and unintentional non-compliance. The findings are presented in propositions with practical and theoretical implications: P1. Employees' non-compliance is predominantly based on means-end calculations and on a practical rationality; P2. An information security investigation of employees' rationality should not be based on an a priori assumption about user intent; P3. Information security management and choice of countermeasures should be based on an understanding of the user rationale; and P4. Countermeasures should target intentional as well as unintentional non-compliance.

Originality/value

This work is an extension of Hedström et al. arguing for the importance of addressing user rationale for successful management of information security. The presented propositions can form a basis for information security management, making the objectives underlying the study presented in Hedström et al. more clear.

Details

Information Management & Computer Security, vol. 21 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 10 July 2017

Fredrik Karlsson, Martin Karlsson and Joachim Åström

Abstract

Purpose

This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives.

Design/methodology/approach

A survey was developed using two sets of items to measure compliance. The survey was sent to 600 white-collar workers and analysed through ordinary least squares.

Findings

The results suggest that when using the value-monistic measure, employees’ compliance was a function of employees’ intentions to comply, their self-efficacy and awareness of information security policies. In addition, compliance was not related to the occurrence of conflicts between information security and other organisational imperatives. However, when the dependent variable was changed to a value-pluralistic measure, the results suggest that employees’ compliance was, to a great extent, a function of the occurrence of conflicts between information security and other organisational imperatives, indirect conflicts with other organisational values.

Research limitations/implications

The results are based on a small survey; yet, the findings are interesting and justify further investigation. The results suggest that relevant organisational imperatives and value systems, along with information security values, should be included in measures for employees’ compliance with information security policies.

Practical implications

Practitioners and researchers should be aware that there is a difference in measuring employees’ compliance using value monistic and value pluralism measurements.

Originality/value

Few studies exist that critically compare the two different compliance measures for the same population.

Details

Information & Computer Security, vol. 25 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 13 November 2017

Harrison Stewart and Jan Jürjens

Abstract

Purpose

The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset.

Design/methodology/approach

Before developing the instrument for the survey, effective measures built upon an existing literature review were first identified and developed, and the survey questionnaires were set according to past studies and the findings of qualitative analyses. Data were collected using a cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B.

Findings

Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own.

Research limitations/implications

The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings.

Practical implications

In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed.

Social implications

The present study’s findings indicate that using flexible tools that can be scoped to meet individual organizational needs has positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake oversimplified, generalized guidelines that neglect to verify the differences in information security requirements across organizations. Instead, they should focus on how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.

Originality/value

The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Details

Information & Computer Security, vol. 25 no. 5
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 21 December 2021

Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk

Abstract

Purpose

This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.

Design/methodology/approach

The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.

Findings

The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.

Research limitations/implications

The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.

Practical implications

Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite of an internal focus, that may have negative ramifications for the information security of organizations.

Originality/value

Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Article
Publication date: 3 April 2018

Neil F. Doherty and Sharul T. Tajuddin

Abstract

Purpose

The purpose of this paper is to fill a gap in the literature, by investigating the relationship between users’ perceptions of the value of the information that they are handling, and their resultant level of compliance with their organisation’s information security policies. In so doing, the authors seek to develop a theory of value-driven information security compliance.

Design/methodology/approach

An interpretive, grounded theory research approach has been adopted to generate a qualitative data set, based upon the results of 55 interviews with key informants from governmental agencies based within Brunei Darussalam, complemented by the results of seven focus groups. The interviews and focus groups were conducted in two phases, so that the results of the first phase could be used to inform the second phase data collection exercise, and the thematic analysis of the research data was conducted using the NVivo 11-Plus software.

Findings

The findings suggest that, when assigning value to their information, users take into account the views of members of their immediate work-group and the espoused views of their organisation, as well as a variety of contextual factors, relating to culture, ethics and education. Perhaps more importantly, it has been demonstrated that the users’ perception of information value has a marked impact upon their willingness to comply with security policies and protocols.

Research limitations/implications

Although the authors have been able to develop a rich model of information value and security compliance, the qualitative nature of this research means that it has not been tested, in the numerical sense. However, this study still has important implications for both research and practice. Specifically, researchers should consider users’ perceptions of information value, when conducting future studies of information security compliance.

Practical implications

Managers and practitioners will be better able to get their colleagues to comply with information security protocols, if they can take active steps to convince them that the information that they are handling is a valuable organisational resource, which needs to be protected.

Originality/value

The central contribution is a novel model of information security compliance that centre-stages the role of the users’ perceptions of information value, as this is a factor which has been largely ignored in contemporary accounts of compliance behaviour. This study is also original in that it fills a methodological gap by balancing the voices of both user representatives and senior organisational stakeholders in a single study.

Article
Publication date: 13 February 2017

Inho Hwang, Daejin Kim, Taeha Kim and Sanghyun Kim

Abstract

Purpose

The purpose of this paper is to empirically investigate the negative causal relationships between organizational security factors (security systems, security education, and security visibility) and individual non-compliance causes (work impediment, security system anxiety, and non-compliance behaviors of peers), which have negative influences on compliance intention.

Design/methodology/approach

Based on literature review, the authors propose a research model together with hypotheses. The survey questionnaires were developed to collect data, which then validated the measurement model. The authors collected 415 responses from employees at manufacturing and service firms that had already implemented security policies. The hypothesized relationships were tested using the structural equation model approach with AMOS 18.0.

Findings

Survey results validate that work impediment, security system anxiety, and non-compliance peer behaviors are the causes of employee non-compliance. In addition, the authors found that security systems, security education, and security visibility decrease instances of non-compliance.

Research limitations/implications

Organizations should establish a mixture of security investment in their systems, education, and visibility in order to effectively reduce employees’ non-compliance. In addition, organizations should recognize the importance of minimizing the particular causes of employees’ non-compliance to positively increase intentions to comply with information security.

Originality/value

An important issue in information security management is employee compliance. Understanding the reasons behind employees’ non-compliance is a critical issue. This paper investigates empirically why employees do not comply, and how organizations can induce employees to comply by a mixture of investments in security systems, education, and visibility.

Details

Online Information Review, vol. 41 no. 1
Type: Research Article
ISSN: 1468-4527

Article
Publication date: 17 July 2018

Aggeliki Tsohou and Philipp Holtkamp

Abstract

Purpose

Information security policies (ISPs) are used by organizations to communicate rules on the use of information systems (IS). Research studies show that compliance with the ISPs is not a straightforward issue and that several factors influence individual behavior toward ISP compliance, such as security awareness or individual perception of security threats. The purpose of this paper is to investigate the competencies associated with users’ ISP compliance behavior.

Design/methodology/approach

In order to reveal the competencies that are associated with users’ ISP compliance behavior, the authors systematically analyze the ISP compliance literature and develop an ISP compliance competency model. The authors then explore whether IS users are equipped with these competencies; to do so, they analyze professional competence models from various industry sectors and compare the competencies that these include with the developed ISP compliance competencies.

Findings

The authors identify the competencies associated with ISP compliance and provide evidence of the lack of attention to information security responsibilities in professional competence frameworks.

Research limitations/implications

ISP compliance research has focused on identifying the antecedents of ISP compliance behavior. The authors offer an ISP compliance competency model and guide researchers in investigating the issue further by focusing on the professional competencies that are necessary for IS users.

Practical implications

The findings offer new contributions to practitioners by highlighting the lack of attention to information security responsibilities in professional competence frameworks. The paper also provides implications for the design of information security awareness programs and information security management systems in organizations.

Originality/value

To the best of the authors’ knowledge, the paper is the first study that addresses ISP compliance behavior from a professional competence perspective.

Details

Information Technology & People, vol. 31 no. 5
Type: Research Article
ISSN: 0959-3845
