Search results
1 – 10 of over 20000Harrison Stewart and Jan Jürjens
The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be…
Abstract
Purpose
The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset.
Design/methodology/approach
Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B.
Findings
Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own.
Research limitations/implications
The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings.
Practical implications
In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed.
Social implications
The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.
Originality/value
The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.
Details
Keywords
Eric Amankwa, Marianne Loock and Elmarie Kritzinger
This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security…
Abstract
Purpose
This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.
Design/methodology/approach
Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.
Findings
The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.
Practical implications
Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.
Originality/value
The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.
Details
Keywords
Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk
This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.
Abstract
Purpose
This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.
Design/methodology/approach
The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.
Findings
The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.
Research limitations/implications
The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.
Practical implications
Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations.
Originality/value
Few information security policy compliance studies exist on the consequences of different organizational/information cultures.
Details
Keywords
Mutlaq Jalimid Alotaibi, Steven Furnell and Nathan Clarke
It is widely acknowledged that non-compliance of employees with information security polices is one of the major challenges facing organisations. This paper aims to propose a…
Abstract
Purpose
It is widely acknowledged that non-compliance of employees with information security polices is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users’ behaviour with an information security policy.
Design/methodology/approach
The proposed model is based on two main concepts: a taxonomy of the response strategy to non-compliant behaviour and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour.
Findings
A prototype system has been developed to simulate the proposed model and work as a real system that responds to the behaviour of users (reflecting both violations and compliance behaviour). In addition, the model has been evaluated by interviewing experts from academic and industry. They considered the proposed model to offers a novel approach for managing end users’ behaviour with the information security policies.
Research limitations/implications
Psychological factors were out of the research scope at this stage. The proposed model may have some psychological impacts upon users; therefore, this issue needs to be considered by studying the potential impacts and the best solutions.
Originality/value
Users being compliant with the information security policies of their organisation is the key to strengthen information security. Therefore, when employees have a good level of compliance with security policies, this positively affects the overall security of an organisation.
Details
Keywords
Eric Amankwa, Marianne Loock and Elmarie Kritzinger
This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of…
Abstract
Purpose
This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions.
Design/methodology/approach
In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.
Findings
The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.
Practical implications
Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance.
Originality/value
The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.
Details
Keywords
Elham Rostami, Fredrik Karlsson and Ella Kolkowska
The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been…
Abstract
Purpose
The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.
Design/methodology/approach
The results are based on a literature review of ISP management research published between 1990 and 2017.
Findings
Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.
Research limitations/implications
Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.
Practical implications
The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.
Originality/value
Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.
Details
Keywords
Inho Hwang, Daejin Kim, Taeha Kim and Sanghyun Kim
The purpose of this paper is to empirically investigate the negative casual relationships between organizational security factors (security systems, security education, and…
Abstract
Purpose
The purpose of this paper is to empirically investigate the negative casual relationships between organizational security factors (security systems, security education, and security visibility) and individual non-compliance causes (work impediment, security system anxiety, and non-compliance behaviors of peers), which have negative influences on compliance intention.
Design/methodology/approach
Based on literature review, the authors propose a research model together with hypotheses. The survey questionnaires were developed to collect data, which then validated the measurement model. The authors collected 415 responses from employees at manufacturing and service firms that had already implemented security policies. The hypothesized relationships were tested using the structural equation model approach with AMOS 18.0.
Findings
Survey results validate that work impediment, security system anxiety, and non-compliance peer behaviors are the causes of employee non-compliance. In addition, the authors found that security systems, security education, and security visibility decrease instances of non-compliance.
Research limitations/implications
Organizations should establish a mixture of security investment in their systems, education, and visibility in order to effectively reduce employees’ non-compliance. In addition, organizations should recognize the importance of minimizing the particular causes of employees’ non-compliance to positively increase intentions to comply with information security.
Originality/value
An important issue in information security management is employee compliance. Understanding the reasons behind employees’ non-compliance is a critical issue. This paper investigates empirically why employees do not comply, and how organizations can induce employees to comply by a mixture of investments in security systems, education, and visibility.
Details
Keywords
Neil F. Doherty and Sharul T. Tajuddin
The purpose of this paper is to fill a gap in the literature, by investigating the relationship between users’ perceptions of the value of the information that they are handling…
Abstract
Purpose
The purpose of this paper is to fill a gap in the literature, by investigating the relationship between users’ perceptions of the value of the information that they are handling, and their resultant level of compliance with their organisation’s information security policies. In so doing, the authors seek to develop a theory of value-driven information security compliance.
Design/methodology/approach
An interpretive, grounded theory research approach has been adopted to generate a qualitative data set, based upon the results of 55 interviews with key informants from governmental agencies based within Brunei Darussalam, complemented by the results of seven focus groups. The interviews and focus groups were conducted in two phases, so that the results of the first phase could be used to inform the second phase data collection exercise, and the thematic analysis of the research data was conducted using the NVivo 11-Plus software.
Findings
The findings suggest that, when assigning value to their information, users take into account the views of members of their immediate work-group and the espoused views of their organisation, as well as a variety of contextual factors, relating to culture, ethics and education. Perhaps more importantly, it has been demonstrated that the users’ perception of information value has a marked impact upon their willingness to comply with security policies and protocols.
Research limitations/implications
Although the authors have been able to develop a rich model of information value and security compliance, the qualitative nature of this research means that it has not been tested, in the numerical sense. However, this study still has important implications for both research and practice. Specifically, researchers should consider users’ perceptions of information value, when conducting future studies of information security compliance.
Practical implications
Managers and practitioners will be better able to get their colleagues to comply with information security protocols, if they can take active steps to convince them that the information that they are handling is a valuable organisational resource, which needs to be protected.
Originality/value
The central contribution is a novel model of information security compliance that centre stages the role of the users’ perceptions of information value, as this is a factor which has been largely ignored in contemporary accounts of compliance behaviour. This study is also original, in that it fills a methodological gap, by balancing the voices of both user representatives and senior organisational stakeholders, in a single study.
Details
Keywords
Fredrik Karlsson, Martin Karlsson and Joachim Åström
This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic…
Abstract
Purpose
This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives.
Design/methodology/approach
A survey was developed using two sets of items to measure compliance. The survey was sent to 600 white-collar workers and analysed through ordinary least squares.
Findings
The results suggest that when using the value-monistic measure, employees’ compliance was a function of employees’ intentions to comply, their self-efficacy and awareness of information security policies. In addition, compliance was not related to the occurrence of conflicts between information security and other organisational imperatives. However, when the dependent variable was changed to a value-pluralistic measure, the results suggest that employees’ compliance was, to a great extent, a function of the occurrence of conflicts between information security and other organisational imperatives, indirect conflicts with other organisational values.
Research limitations/implications
The results are based on small survey; yet, the findings are interesting and justify further investigation. The results suggest that relevant organisational imperatives and value systems, along with information security values, should be included in measures for employees’ compliance with information security policies.
Practical implications
Practitioners and researchers should be aware that there is a difference in measuring employees’ compliance using value monistic and value pluralism measurements.
Originality/value
Few studies exist that critically compare the two different compliance measures for the same population.
Details
Keywords
Teodor Sommestad, Jonas Hallberg, Kristoffer Lundholm and Johan Bengtsson
The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are…
Abstract
Purpose
The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are.
Design/methodology/approach
A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed.
Findings
In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation.
Research limitations/implications
It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts.
Practical implications
For decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown.
Originality/value
This is the first systematic review of research on variables that influence compliance with information security policies of organizations.
Details