Search results

1 – 10 of over 14000
Article
Publication date: 8 October 2018

Eric Amankwa, Marianne Loock and Elmarie Kritzinger

Abstract

Purpose

This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions.

Design/methodology/approach

In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.

Findings

The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.

Practical implications

Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance.

Originality/value

The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.

Details

Information & Computer Security, vol. 26 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 31 December 2019

Hyungjin Lukas Kim, Anat Hovav and Jinyoung Han

Abstract

Purpose

The purpose of this paper is to propose a theory of information security intelligence and examine the effects of managers’ information security intelligence (MISI) on employees’ procedural countermeasure awareness and information security policy (ISP) compliance intention.

Design/methodology/approach

A survey approach and structural equation modeling are utilized. Partial least squares (WarpPLS 6.0) and a nonlinear algorithm are employed to analyze and examine the hypotheses. In total, 324 employees from companies in South Korea participated in the survey, which was conducted by a professional survey service company.

Findings

MISI positively affects employees’ awareness of information security procedural countermeasures; information security knowledge and problem-solving skills have positive effects on procedural countermeasures awareness; MISI increases employees’ compliance intention through procedural countermeasure awareness; and information security procedural countermeasures positively affect employees’ ISP compliance intention.

Research limitations/implications

This study proposes a theory of information security intelligence and examines its impacts on employees’ compliance intentions. The study highlights the mediating role of information security procedural countermeasures between information security intelligence and employees’ compliance intentions.

Practical implications

Managers should improve and explicitly demonstrate information security knowledge and problem-solving skills to increase employees’ ISP compliance intention. To protect the organization’s intellectual capital, managers should champion the development and promotion of PCM, rather than leave these functions to the information security group.

Originality/value

This is the first empirical study to propose and validate MISI.

Article
Publication date: 6 April 2020

Gaurav Bansal, Steven Muzatko and Soo Il Shin

Abstract

Purpose

This study examines how neutralization strategies affect the efficacy of information system security policies. This paper proposes that neutralization strategies used to rationalize security policy noncompliance range across ethical orientations, extending from those helping the greatest number of people (ethics of care) to those damaging the fewest (ethics of justice). The results show how noncompliance differs between genders based on those ethical orientations.

Design/methodology/approach

A survey was used to measure information system security policy noncompliance intentions across six different hypothetical scenarios involving neutralization techniques used to justify noncompliance. Data was gathered from students at a mid-western, comprehensive university in the United States.

Findings

The empirical analysis suggests that gender does play a role in information system security policy noncompliance. However, its significance is dependent upon the underlying neutralization method used to justify noncompliance. The role of reward and punishment is contingent on the situation-specific ethical orientation (SSEO) which in turn is a combination of internal ethical positioning based on one's gender and external ethical reasoning based on neutralization technique.

Originality/value

This study extends ethical decision-making theory by examining how the use of punishments and rewards might be more effective in security policy compliance based upon gender. Importantly, the study emphasizes the interplay between ethics, gender and neutralization techniques, as different ethical perspectives appeal differently based on gender.

Details

Information Technology & People, vol. 34 no. 1
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 25 May 2022

Ping Li, Younghoon Chang, Shan Wang and Siew Fan Wong

Abstract

Purpose

The purpose of this paper is to explore the factors affecting the intention of social networking sites (SNS) users to comply with government policy during the COVID-19 pandemic.

Design/methodology/approach

Based on the theory of appraisal and coping, the research model is tested using survey data collected from 326 SNS users. Structural equation modeling is used to test the research model.

Findings

The results show that social support has a positive effect on outbreak self-efficacy but has no significant effect on perceived avoidability. Government information transparency positively affects outbreak self-efficacy and perceived avoidability. Outbreak self-efficacy and perceived avoidability have a strong positive impact on policy compliance intention through problem-focused coping.

Practical implications

The results suggest that both government and policymakers could deliver reliable pandemic information to the citizens via social media.

Originality/value

This study brings novel insights into citizen coping behavior, showing that policy compliance intention is driven by the ability to cope with problems. Moreover, this study enhances the theoretical understanding of the role of social support, outbreak self-efficacy and problem-focused coping.

Details

Industrial Management & Data Systems, vol. 122 no. 7
Type: Research Article
ISSN: 0263-5577

Article
Publication date: 1 August 2019

Soo Kyung Park, Kyu Tae Kwak and Bong Gyou Lee

Abstract

Purpose

In a sharing economy, economically inactive members can serve as providers owing to the low start-up costs. However, such providers may operate without sufficient knowledge of the market and policies, causing significant problems. To prevent illegal sharing, governments encourage providers to register their businesses after meeting certain requirements, but most providers still operate unregistered businesses. The purpose of this paper is to explore the causes of policy non-compliance and suggest measures that can induce compliance.

Design/methodology/approach

Based on the rational choice and deterrence theories, this study combines qualitative and quantitative research. The former is used to investigate the antecedent factors affecting compliance. Using the latter, this study assumes that the existence of platform operators can resolve information asymmetries. The qualitative findings provide the variables that can lead to policy compliance, while the quantitative research verifies the causal relationships.

Findings

Business registration by providers in the sharing economy arises from their subjective cost-benefit calculations of policy compliance. According to the qualitative research, they believe there is a low risk of detection of policy non-compliance by the government. The quantitative research suggests that interventions by platform operators could resolve information asymmetries between the government and providers.

Originality/value

This study designed a mechanism to guide providers toward policy compliance. To reduce friction with the existing market and ensure efficient growth, it is necessary to cooperate with sharing economy participants. The results suggest that the role of platform operators and the government is important.

Details

Internet Research, vol. 29 no. 5
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 10 July 2017

Sang Soo Kim and Yong Jin Kim

Abstract

Purpose

The purpose of this paper is to understand from the knowledge management perspective how the mechanism of different voluntary compliance behaviors works and how information technology is used for compliance management in corporate settings where privacy and security issues are getting critical due to the advancement of big data and artificial intelligence.

Design/methodology/approach

In this study, the authors propose a structural model based on the theory of planned behavior and the IT relatedness theory that behavioral belief about compliance and social pressure affect compliance knowledge and compliance intention, and compliance knowledge partially mediates the impact of both independent variables on compliance intention. The authors surveyed with a structured questionnaire 975 employees of a major Korean energy company, S-OIL, which deploys a compliance support system. The respondents are classified into two groups: an Active IT Utilization Group and a Passive IT Utilization Group.

Findings

The results of our empirical examination show that compliance intention belief and social pressure influence compliance intention, and further, that compliance behavior is mediated by compliance knowledge – in both the active IT utilization group and the passive IT utilization group. However, the significance of each path coefficient, R square and the mediation effect in Model 1 (passive IT utilization group) are obviously a poor contrast to Model 2 (active IT utilization group). Also, the path from behavioral belief to compliance knowledge and social pressure to compliance knowledge show a significant moderating effect of IT utilization level.

Originality/value

This paper aims to promote more effective voluntary compliance behavior by increasing the understanding of the impact differences of the preceding factors, and the ways in which those are related to the knowledge management practice in terms of both knowledge itself and its support systems, i.e. compliance support system.

Details

Journal of Knowledge Management, vol. 21 no. 4
Type: Research Article
ISSN: 1367-3270

Article
Publication date: 12 June 2017

Peter Mayer, Nina Gerber, Ronja McDermott, Melanie Volkamer and Joachim Vogt

Abstract

Purpose

This paper aims to contribute to the understanding of goal setting in organizations, especially regarding the mitigation of conflicting productivity and security goals.

Design/methodology/approach

This paper describes the results of a survey with 200 German employees regarding the effects of goal setting on employees’ security compliance. Based on the survey results, a concept for setting information security goals in organizations building on actionable behavioral recommendations from information security awareness materials is developed. This concept was evaluated in three small- to medium-sized organizations (SMEs) with overall 90 employees.

Findings

The survey results revealed that the presence of rewards for productivity goal achievement is strongly associated with a decrease in security compliance. The evaluation of the goal setting concept indicates that setting their own information security goals is welcomed by employees.

Research limitations/implications

Both studies rely on self-reported data and are, therefore, likely to contain some kind of bias.

Practical implications

Goal setting in organizations has to accommodate situations where productivity goals constrain security policy compliance. Introducing the proposed goal setting concept based on relevant actionable behavioral recommendations can help mitigate issues in such situations.

Originality/value

This work furthers the understanding of the factors affecting employee security compliance. Furthermore, the proposed concept can help maximize the positive effects of goal setting in organizations by mitigating the negative effects through the introduction of meaningful and actionable information security goals.

Details

Information & Computer Security, vol. 25 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 November 2018

Teodor Sommestad

Abstract

Purpose

It is widely acknowledged that norms and culture influence decisions related to information security. The purpose of this paper is to investigate how work-related groups influence information security policy compliance intentions and to what extent this influence is captured by the Theory of Planned Behavior, an established model of individual decision-making.

Design/methodology/approach

A multilevel model is used to test the influence of work-related groups using a cluster sample of responses from 2,291 employees from 203 worksites, 119 organizations, 6 industries and 38 professions.

Findings

The results suggest that work-related groups influence individuals’ decision-making in the manner in which contemporary theories of information security culture posit. However, the influence is weak to modest and overshadowed by individual perceptions that are straightforward to measure.

Research limitations/implications

This paper is limited to one national culture and four types of work-related groups. However, the results suggest that the Theory of Planned Behavior captures most of the influence that work-related groups have on decision-making. Future research on security culture and similar phenomena should take this into account.

Practical implications

Information security perceptions in work-related groups are diverse and information security decisions appear to be based on individual perceptions and priorities rather than groupthink or peer-pressure. Security management interventions may be more effective if they target individuals rather than groups.

Originality/value

This paper tests some of the basic ideas related to information security culture and its influence on individuals’ decision-making.

Details

Information & Computer Security, vol. 26 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 31 May 2022

Hao Chen, Mengya Liu and Tu Lyu

Abstract

Purpose

This study aims to explore the emotion-based mediator of information security fatigue in the relationship between employees’ information security–related stress (SRS) and information security policy (ISP) compliance intention and the effects of psychological capital (PsyCap) on relieving SRS and promoting compliance.

Design/methodology/approach

The authors tested a series of hypotheses by applying partial least squares–based structural equation modeling to survey data from 488 employees in Chinese enterprises.

Findings

The results suggest that the relationship between SRS and ISP compliance intention is fully mediated by information security fatigue. Employees’ SRS promotes their information security fatigue, which reduces their intention to follow ISPs. In addition, employees with high PsyCap may experience low levels of SRS and information security fatigue, which promotes their willingness to comply with ISPs.

Originality/value

This study extends knowledge by introducing information security fatigue and PsyCap to the field of information security management, and it calls attention to the effects on information security behaviors of employee emotions and positive psychological resources in an organization. The authors reveal the emotion-based mediating effect of information security fatigue and the positive influence of PsyCap in information security management.

Details

Information & Computer Security, vol. 30 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 9 October 2017

Rogier Woltjer

Abstract

Purpose

The purpose of this paper is to investigate relationships between workarounds (solutions to handling trade-offs between competing or misaligned goals and gaps in policies and procedures), perceived trade-offs, information security (IS) policy compliance, IS expertise/knowledge and IS demands.

Design/methodology/approach

The research purpose is addressed using survey data from a nationwide sample of Swedish white-collar workers (N = 156).

Findings

Responses reinforce the notion that workarounds partly are something different from IS policy compliance and that workarounds-as-improvisations are used more frequently by employees that see more conflicts between IS and other goals (r = 0.351), and have more IS expertise/knowledge (r = 0.257). Workarounds-as-non-compliance are also used more frequently when IS trade-offs are perceived (r = 0.536). These trade-offs are perceived more by people working in organizations that handle information with high security demands (r = 0.265) and those who perform tasks with high IS demands (r = 0.178).

Originality/value

IS policies are an important part of IS governance. They describe the procedures that are supposed to provide IS. Researchers have primarily investigated how employees’ compliance with IS policies can be predicted and explained. There has been an increased interest in how trade-offs and conflicts between following policies and other goals lead employees to make workarounds. Workarounds may leave management unaware of how work actually is done within the organization and may, besides getting work done, lead to new vulnerabilities. This study furthers the understanding of workarounds and trade-offs, which should be subject to further research.

Details

Information & Computer Security, vol. 25 no. 4
Type: Research Article
ISSN: 2056-4961
