Search results
1 – 10 of over 19000Harrison Stewart and Jan Jürjens
The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be…
Abstract
Purpose
The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset.
Design/methodology/approach
Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B.
Findings
Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own.
Research limitations/implications
The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings.
Practical implications
In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed.
Social implications
The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.
Originality/value
The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.
Details
Keywords
Eric Amankwa, Marianne Loock and Elmarie Kritzinger
This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security…
Abstract
Purpose
This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.
Design/methodology/approach
Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.
Findings
The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.
Practical implications
Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.
Originality/value
The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.
Details
Keywords
Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk
This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.
Abstract
Purpose
This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.
Design/methodology/approach
The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.
Findings
The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.
Research limitations/implications
The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.
Practical implications
Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations.
Originality/value
Few information security policy compliance studies exist on the consequences of different organizational/information cultures.
Details
Keywords
Elham Rostami, Fredrik Karlsson and Ella Kolkowska
The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been…
Abstract
Purpose
The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.
Design/methodology/approach
The results are based on a literature review of ISP management research published between 1990 and 2017.
Findings
Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.
Research limitations/implications
Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.
Practical implications
The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.
Originality/value
Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.
Details
Keywords
Eric Amankwa, Marianne Loock and Elmarie Kritzinger
This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of…
Abstract
Purpose
This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions.
Design/methodology/approach
In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.
Findings
The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.
Practical implications
Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance.
Originality/value
The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.
Details
Keywords
Inho Hwang, Daejin Kim, Taeha Kim and Sanghyun Kim
The purpose of this paper is to empirically investigate the negative casual relationships between organizational security factors (security systems, security education, and…
Abstract
Purpose
The purpose of this paper is to empirically investigate the negative casual relationships between organizational security factors (security systems, security education, and security visibility) and individual non-compliance causes (work impediment, security system anxiety, and non-compliance behaviors of peers), which have negative influences on compliance intention.
Design/methodology/approach
Based on literature review, the authors propose a research model together with hypotheses. The survey questionnaires were developed to collect data, which then validated the measurement model. The authors collected 415 responses from employees at manufacturing and service firms that had already implemented security policies. The hypothesized relationships were tested using the structural equation model approach with AMOS 18.0.
Findings
Survey results validate that work impediment, security system anxiety, and non-compliance peer behaviors are the causes of employee non-compliance. In addition, the authors found that security systems, security education, and security visibility decrease instances of non-compliance.
Research limitations/implications
Organizations should establish a mixture of security investment in their systems, education, and visibility in order to effectively reduce employees’ non-compliance. In addition, organizations should recognize the importance of minimizing the particular causes of employees’ non-compliance to positively increase intentions to comply with information security.
Originality/value
An important issue in information security management is employee compliance. Understanding the reasons behind employees’ non-compliance is a critical issue. This paper investigates empirically why employees do not comply, and how organizations can induce employees to comply by a mixture of investments in security systems, education, and visibility.
Details
Keywords
Neil F. Doherty and Sharul T. Tajuddin
The purpose of this paper is to fill a gap in the literature, by investigating the relationship between users’ perceptions of the value of the information that they are handling…
Abstract
Purpose
The purpose of this paper is to fill a gap in the literature, by investigating the relationship between users’ perceptions of the value of the information that they are handling, and their resultant level of compliance with their organisation’s information security policies. In so doing, the authors seek to develop a theory of value-driven information security compliance.
Design/methodology/approach
An interpretive, grounded theory research approach has been adopted to generate a qualitative data set, based upon the results of 55 interviews with key informants from governmental agencies based within Brunei Darussalam, complemented by the results of seven focus groups. The interviews and focus groups were conducted in two phases, so that the results of the first phase could be used to inform the second phase data collection exercise, and the thematic analysis of the research data was conducted using the NVivo 11-Plus software.
Findings
The findings suggest that, when assigning value to their information, users take into account the views of members of their immediate work-group and the espoused views of their organisation, as well as a variety of contextual factors, relating to culture, ethics and education. Perhaps more importantly, it has been demonstrated that the users’ perception of information value has a marked impact upon their willingness to comply with security policies and protocols.
Research limitations/implications
Although the authors have been able to develop a rich model of information value and security compliance, the qualitative nature of this research means that it has not been tested, in the numerical sense. However, this study still has important implications for both research and practice. Specifically, researchers should consider users’ perceptions of information value, when conducting future studies of information security compliance.
Practical implications
Managers and practitioners will be better able to get their colleagues to comply with information security protocols, if they can take active steps to convince them that the information that they are handling is a valuable organisational resource, which needs to be protected.
Originality/value
The central contribution is a novel model of information security compliance that centre stages the role of the users’ perceptions of information value, as this is a factor which has been largely ignored in contemporary accounts of compliance behaviour. This study is also original, in that it fills a methodological gap, by balancing the voices of both user representatives and senior organisational stakeholders, in a single study.
Details
Keywords
Fredrik Karlsson, Martin Karlsson and Joachim Åström
This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic…
Abstract
Purpose
This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives.
Design/methodology/approach
A survey was developed using two sets of items to measure compliance. The survey was sent to 600 white-collar workers and analysed through ordinary least squares.
Findings
The results suggest that when using the value-monistic measure, employees’ compliance was a function of employees’ intentions to comply, their self-efficacy and awareness of information security policies. In addition, compliance was not related to the occurrence of conflicts between information security and other organisational imperatives. However, when the dependent variable was changed to a value-pluralistic measure, the results suggest that employees’ compliance was, to a great extent, a function of the occurrence of conflicts between information security and other organisational imperatives, indirect conflicts with other organisational values.
Research limitations/implications
The results are based on small survey; yet, the findings are interesting and justify further investigation. The results suggest that relevant organisational imperatives and value systems, along with information security values, should be included in measures for employees’ compliance with information security policies.
Practical implications
Practitioners and researchers should be aware that there is a difference in measuring employees’ compliance using value monistic and value pluralism measurements.
Originality/value
Few studies exist that critically compare the two different compliance measures for the same population.
Details
Keywords
Teodor Sommestad, Henrik Karlzén and Jonas Hallberg
This paper aims to challenge the assumption that the theory of planned behaviour (TPB) includes all constructs that explain information security policy compliance and investigates…
Abstract
Purpose
This paper aims to challenge the assumption that the theory of planned behaviour (TPB) includes all constructs that explain information security policy compliance and investigates if anticipated regret or constructs from the protection motivation theory add explanatory power. The TPB is an established theory that has been found to predict compliance with information security policies well.
Design/methodology/approach
Responses from 306 respondents at a research organization were collected using a questionnaire-based survey. Extensions in terms of anticipated regret and constructs drawn from the protection motivation theory are tested using hierarchical regression analysis.
Findings
Adding anticipated regret and the threat appraisal process results in improvements of the predictions of intentions. The improvements are of sufficient magnitude to warrant adjustments of the model of the TPB when it is used in the area of information security policy compliance.
Originality/value
This study is the first test of anticipated regret as a predictor of information security policy compliance and the first to assess its influence in relation to the TPB and the protection motivation theory.
Details
Keywords
Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in…
Abstract
Purpose
Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.
Design/methodology/approach
A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.
Findings
Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.
Practical implications
Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.
Originality/value
This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.
Details