Search results

1 – 10 of over 33000
Article
Publication date: 7 November 2023

Marko Niemimaa

Abstract

Purpose

The purpose of this research is to study how compliance evaluation becomes performed in practice. Compliance evaluation is a common practice among organizations that need to evaluate their posture against a set of criteria (e.g. a standard, legislative framework and “best practices”). The results of these evaluations have significant importance for organizations, especially in the context of information security and continuity. The author argues that how these evaluations become performed is not merely a “social” activity but shaped by the materiality of the evaluation criteria.

Design/methodology/approach

The author adopts a sociomaterial practice-based view to study compliance evaluation through in situ participant observations from compliance evaluation workshops to evaluate organizational compliance against information security and business continuity criteria. The empirical material was analyzed to construct vignettes that serve to illustrate the practice of compliance evaluation.

Findings

The research analysis shows how the information security and business continuity criteria themselves partake in the compliance evaluations by operating through (ventriloqually) the evaluators on three strata: the material, the textual and the structural. The author also provides a conceptualization of a hybrid agency.

Originality/value

This research helps address the lack of studies on organizational-level compliance. Further, the research is an original contribution to information security and business continuity management by focusing on the practices of compliance evaluation. Further, the research has theoretical novelty by adopting the ventriloqual agency as a hybrid agency to study the sociomateriality of a phenomenon.

Details

Information Technology & People, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 7 October 2020

Grant Solomon and Irwin Brown

Abstract

Purpose

Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.

Design/methodology/approach

A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.

Findings

Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.

Practical implications

Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.

Originality/value

This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.

Details

Journal of Enterprise Information Management, vol. 34 no. 4
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 12 March 2021

Chenhui Liu, Huigang Liang, Nengmin Wang and Yajiong Xue

Abstract

Purpose

Employees’ information security policy (ISP) compliance exerts a significant strain on information security management. Drawing upon the compliance theory and control theory, this study attempts to examine the moderating roles of organizational commitment and gender in the relationships between reward/punishment expectancy and employees' ISP compliance.

Design/methodology/approach

Using survey data collected from 310 employees in Chinese organizations that have formally adopted information security policies, the authors applied the partial least square method to test hypotheses.

Findings

Punishment expectancy positively affects ISP compliance, but reward expectancy has no significant impact on ISP compliance. Compared with committed employees, both reward expectancy and punishment expectancy have stronger impacts on low-commitment employees' ISP compliance. As for gender differences, punishment expectancy exerts a stronger effect on females' ISP compliance than it does on males.

Originality/value

By investigating the moderating roles of organizational commitment and gender, this paper offers a deeper understanding of reward and punishment in the context of ISP compliance. The findings reveal that efforts in building organizational commitment will reduce the reliance on reward and punishment, and further controls rather than the carrot and stick should be applied to ensure male employees' ISP compliance.

Details

Information Technology & People, vol. 35 no. 2
Type: Research Article
ISSN: 0959-3845

Open Access
Article
Publication date: 21 December 2021

Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk

Abstract

Purpose

This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.

Design/methodology/approach

The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.

Findings

The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.

Research limitations/implications

The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.

Practical implications

Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite of an internal focus, that may have negative ramifications for the information security of organizations.

Originality/value

Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Article
Publication date: 23 March 2022

Eric Amankwa, Marianne Loock and Elmarie Kritzinger

Abstract

Purpose

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.

Design/methodology/approach

Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.

Findings

The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.

Practical implications

Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.

Originality/value

The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

Details

Information & Computer Security, vol. 30 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 19 October 2021

Inho Hwang, Sanghyun Kim and Carl Rebman

Abstract

Purpose

Organizations invest in information security (IS) technology to be more competitive; however, implementing IS measures creates environmental conditions, such as overload, uncertainty and complexity, which can cause employees technostress, eventually resulting in poor security performance. This study seeks to contribute to the intersection of research on regulatory focus (promotion and prevention) as a type of individual personality trait, technostress, and IS.

Design/methodology/approach

A survey questionnaire was developed, collecting 346 responses from various organizations, which were analyzed using the structural equation model approach with AMOS 22.0 to test the proposed hypotheses.

Findings

The results indicate support for both the direct and moderating effects of security technostress inhibitors. Moreover, a negative relationship exists between promotion-focused employees and facilitators of security technostress, which negatively affects strains (organizational commitment and compliance intention).

Practical implications

Organizations should develop various programs and establish a highly IS-aware environment to strengthen employees' behavior regarding IS. Furthermore, organizations should consider employees' focus types when engaging in efforts to minimize security technostress, as lowering technostress results in positive outcomes.

Originality/value

IS management at the organizational level is directly related to employees' compliance with security rather than being a technical issue. Using the transaction theory perspective, this study seeks to enhance current research on employees' behavior, particularly focusing on the effect of individuals' personality types on IS. Moreover, this study theorizes the role of security technostress inhibitors for understanding employees' IS behaviors.

Details

Information Technology & People, vol. 35 no. 7
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 19 July 2013

Giuliana Birindelli and Paola Ferretti

Abstract

Purpose

The authors' paper aims to examine the organizational issues that come from the recent establishment of the compliance function in Italian banks.

Design/methodology/approach

The authors' paper takes as a starting point the Bank of Italy's regulations and the existing literature on compliance, in order to create a theoretical model of an efficient internal control system.

Findings

For each organizational structure of compliance, the authors' paper describes strengths and weaknesses. It also outlines the scopes of compliance and internal audit in order to avoid overlaps. Having regard to the similarities between operational risk and compliance risk, the study identifies cooperation areas so as to achieve synergies, in terms of costs, and a better operational efficiency.

Research limitations/implications

The authors' paper focuses mainly on the relationship between compliance, on one side, and internal audit and risk management on the other. It focuses also on the positioning of compliance within the internal control system, as it has been regulated by the Italian disposals. Further research could concern the relationship with other functions and the regulations of other countries.

Practical implications

The authors' paper identifies cooperation forms between the internal control system functions. This is the way to suggest organizational solutions able to improve banking efficiency.

Originality/value

This subject has not been analyzed in depth to date. This article attempts to obtain an identification of the roles and responsibilities of the main functions involved in the internal controls system, in order to define organizational models characterized by complementarity of interventions and thus oriented towards the objectives of effectiveness and efficiency.

Details

Journal of Financial Regulation and Compliance, vol. 21 no. 3
Type: Research Article
ISSN: 1358-1988

Article
Publication date: 15 June 2015

Thomas Ahrens and Rihab Khalifa

Abstract

Purpose

This paper aims to contribute to our understanding of the impact of regulation on management control practices. It explores the processes by which the institutionalised properties of certain management controls are adapted to organisational contexts and underpin organisational routines. The authors are interested in the voluntary adoption of management controls with highly developed institutional logics, how organisations respond initially to the institutional logics of new management controls and by what means those logics become a workable basis for institutionalising controls in the organisation.

Design/methodology/approach

The paper explores some of the ways in which the institutional logics of management control come to have organisational effects, studying a seemingly simple organisational response to institutional processes: compliance. The argument is illustrated with examples from university accreditation as a management control institution that combines cultural and administrative controls. The paper is based on participant observation in three universities.

Findings

The authors find that compliance requires considerable organisational meaning-making and that organisational work of compliance separates into adaptation and execution. Moreover, the process of compliance produces distinctions between experts of the accreditation logic, users of the accreditation logic, agnostics and sceptics. Rather than passive acquiescence, compliance with regulated management control is a creative process of arranging and translating general prescriptions for use in a specific context.

Originality/value

This is the first study of university accreditation as a management control institution. It adds to a still emerging literature on the effects of institutional logics, and in particular regulatory logics, on organisational management control.

Details

Qualitative Research in Accounting & Management, vol. 12 no. 2
Type: Research Article
ISSN: 1176-6093

Article
Publication date: 15 July 2024

Li Feng, Junying Liu, Zhixiu Wang and Yanyan Hong

Abstract

Purpose

The regulatory landscape surrounding international construction projects presents significant challenges, and contractors are still struggling to pay a painful price for their performance in the project. While existing research has identified various causes of contractor compliance, the intricate interplay of these factors and their impact on compliance remain largely elusive. The motivation-opportunity-ability (MOA) framework may hold the key to determining what factors can foster induced contractor compliance in international projects.

Design/methodology/approach

This study collected 124 valid data samples from practitioners involved in large-scale international contracting projects through expert interviews and questionnaire surveys. Fuzzy-set qualitative comparative analysis (fsQCA) was employed to analyze the diverse combinations of contractor compliance factors.

Findings

The study identifies seven key factors that contribute to compliance behavior among international construction contractors: economic motivation, social motivation, normative motivation, legal completeness, deterrent sanctions, organizational learning and compliance management ability. The interplay of these factors promotes compliance in the following ways: When international construction contractors are influenced by both social and normative motivations, they exhibit a higher level of compliance. In situations where regulatory systems are relatively weak, the ability to manage compliance becomes the primary driver of compliance behavior for businesses. A comprehensive legal framework creates a conducive environment for contractors to improve their compliance through organizational learning.

Research limitations/implications

The findings offer guidance for international construction contractors in enhancing compliance by considering factors such as motivations, legal frameworks, organizational learning and compliance management. This can lead to improved risk management and performance in international projects.

Social implications

This research enhances fair and ethical practices in international construction by identifying compliance drivers, fostering positive social impact, mitigating negative consequences and empowering local communities. It informs legal and regulatory reform, encourages improved business practices and contributes to knowledge advancement in the field. Overall, the findings have the potential to positively impact the social fabric of international construction projects.

Originality/value

This study has made an important contribution to the field of compliance theory by integrating theories from multiple disciplinary domains and constructing a new theoretical framework from the perspectives of motivation, opportunity and capability. By elucidating how these factors interact and influence compliance behavior among international construction contractors, this research aids in understanding the complex dynamics of contractor compliance behavior and provides theoretical reference for compliance governance within the construction industry.

Details

Engineering, Construction and Architectural Management, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 0969-9988

Article
Publication date: 8 October 2018

Eric Amankwa, Marianne Loock and Elmarie Kritzinger

Abstract

Purpose

This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions.

Design/methodology/approach

In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.

Findings

The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.

Practical implications

Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance.

Originality/value

The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.

Details

Information & Computer Security, vol. 26 no. 4
Type: Research Article
ISSN: 2056-4961
