Search results

Article
Publication date: 11 February 2019

Mutlaq Jalimid Alotaibi, Steven Furnell and Nathan Clarke

Abstract

Purpose

It is widely acknowledged that non-compliance of employees with information security policies is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users' behaviour with an information security policy.

Design/methodology/approach

The proposed model is based on two main concepts: a taxonomy of the response strategy to non-compliant behaviour and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour.

Findings

A prototype system has been developed to simulate the proposed model and work as a real system that responds to the behaviour of users (reflecting both violations and compliance behaviour). In addition, the model has been evaluated by interviewing experts from academia and industry. They considered the proposed model to offer a novel approach for managing end users' behaviour with the information security policies.

Research limitations/implications

Psychological factors were out of the research scope at this stage. The proposed model may have some psychological impacts upon users; therefore, this issue needs to be considered by studying the potential impacts and the best solutions.

Originality/value

Users being compliant with the information security policies of their organisation is the key to strengthen information security. Therefore, when employees have a good level of compliance with security policies, this positively affects the overall security of an organisation.

Details

Information & Computer Security, vol. 27 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 3 April 2018

Neil F. Doherty and Sharul T. Tajuddin

Abstract

Purpose

The purpose of this paper is to fill a gap in the literature, by investigating the relationship between users’ perceptions of the value of the information that they are handling, and their resultant level of compliance with their organisation’s information security policies. In so doing, the authors seek to develop a theory of value-driven information security compliance.

Design/methodology/approach

An interpretive, grounded theory research approach has been adopted to generate a qualitative data set, based upon the results of 55 interviews with key informants from governmental agencies based within Brunei Darussalam, complemented by the results of seven focus groups. The interviews and focus groups were conducted in two phases, so that the results of the first phase could be used to inform the second phase data collection exercise, and the thematic analysis of the research data was conducted using the NVivo 11-Plus software.

Findings

The findings suggest that, when assigning value to their information, users take into account the views of members of their immediate work-group and the espoused views of their organisation, as well as a variety of contextual factors, relating to culture, ethics and education. Perhaps more importantly, it has been demonstrated that the users’ perception of information value has a marked impact upon their willingness to comply with security policies and protocols.

Research limitations/implications

Although the authors have been able to develop a rich model of information value and security compliance, the qualitative nature of this research means that it has not been tested, in the numerical sense. However, this study still has important implications for both research and practice. Specifically, researchers should consider users’ perceptions of information value, when conducting future studies of information security compliance.

Practical implications

Managers and practitioners will be better able to get their colleagues to comply with information security protocols, if they can take active steps to convince them that the information that they are handling is a valuable organisational resource, which needs to be protected.

Originality/value

The central contribution is a novel model of information security compliance that centre stages the role of the users’ perceptions of information value, as this is a factor which has been largely ignored in contemporary accounts of compliance behaviour. This study is also original, in that it fills a methodological gap, by balancing the voices of both user representatives and senior organisational stakeholders, in a single study.

Article
Publication date: 17 July 2018

Aggeliki Tsohou and Philipp Holtkamp

Abstract

Purpose

Information security policies (ISPs) are used by organizations to communicate rules on the use of information systems (IS). Research studies show that compliance with the ISPs is not a straightforward issue and that several factors influence individual behavior toward ISP compliance, such as security awareness or individual perception of security threats. The purpose of this paper is to investigate the competencies associated with users’ ISP compliance behavior.

Design/methodology/approach

In order to reveal the competencies that are associated with the users’ ISP compliance behavior, the authors systematically analyze the ISP compliance literature and the authors develop an ISP compliance competency model. The authors then target to explore if IS users are equipped with these competencies; to do so, the authors analyze professional competence models from various industry sectors and compare the competencies that they include with the developed ISP compliance competencies.

Findings

The authors identify the competencies associated with ISP compliance and the authors provide evidence on the lack of attention in information security responsibilities demonstrated in professional competence frameworks.

Research limitations/implications

ISP compliance research has focused on identifying the antecedents of ISP compliance behavior. The authors offer an ISP compliance competency model and guide researchers in investigating the issue further by focusing on the professional competencies that are necessary for IS users.

Practical implications

The findings offer new contributions to practitioners by highlighting the lack of attention on the information security responsibilities demonstrated in professional competence frameworks. The paper also provides implications for the design of information security awareness programs and information security management systems in organizations.

Originality/value

To the best of the authors’ knowledge, the paper is the first study that addresses ISP compliance behavior from a professional competence perspective.

Details

Information Technology & People, vol. 31 no. 5
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 6 June 2016

Frank Hadasch, Alexander Maedche and Shirley Gregor

Abstract

Purpose

In organizations, individual user’s compliance with business processes is important from a regulatory and efficiency point of view. The restriction of users’ choices by implementing a restrictive information system is a typical approach in many organizations. However, restrictions and mandated compliance may affect employees’ performance negatively. Especially when users need a certain degree of flexibility in completing their work activity. The purpose of this paper is to introduce the concept of directive explanations (DEs). DEs provide context-dependent feedback to users, but do not force users to comply.

Design/methodology/approach

The experimental study used in this paper aims at investigating how DEs influence users’ process compliance. The authors used a laboratory experiment to test the proposed hypotheses. Every participant underwent four trials for which business process compliance was measured. Two trial blocks were used to cluster the four trials. Diagrammatic DEs were provided in one of the trial blocks, while textual DEs were provided in the other. Trial blocks were counterbalanced.

Findings

The results of the experiment show that DEs influence a user’s compliance, but the effect varies for different types of DEs. The authors believe this study is significant as it empirically examines design characteristics of explanations from knowledge-based systems in the context of business processes.

Research limitations/implications

This study is certainly not without limitations. The sample used for this study was drawn from undergraduate information systems management students. The sample is thus not representative of the general population of organizations’ IT users. However, a student sample adequately represents novice IT users, who are not very familiar with a business process. They are particularly suitable to study how users react to first-time contact with a DE.

Practical implications

The findings of this study are important to designers and implementers of systems that guide users to follow business processes. As the authors have illustrated with a real-world scenario, an ERP system’s explanation can lack details on how a user can resolve a blocked activity. In situations in which users bypass restricted systems, DEs can guide them to comply with a business process. Particularly diagrammatic explanations, which depict actors, activities, and constraints for a business process, have been found to increase the probability that users’ behavior is business process compliant. Less time may be needed to resolve a situation, which can result in very efficient user-system cooperation.

Originality/value

This study makes several important contributions to research on explanations, which are provided by knowledge-based systems. First, the authors conceptualized, designed, and investigated a novel type of explanations, namely, DEs. The results of this study show how dramatic the difference in process compliance performance is when exposed to certain types of DEs (in one group from 57 percent on the initial trial to 82 percent on the fourth trial). This insight is important to derive design guidelines for DE, particularly when multimedia material is used.

Details

Business Process Management Journal, vol. 22 no. 3
Type: Research Article
ISSN: 1463-7154

Article
Publication date: 28 January 2011

Tao Zhou

Abstract

Purpose

The purpose of this study is to examine the determinants of online community user participation from a social influence perspective.

Design/methodology/approach

Based on 450 valid responses collected from a survey questionnaire, structural equation modeling (SEM) technology was employed to examine the research model.

Findings

The results show that both social identity and group norm have significant effects on user participation. In addition, group norm affects social identity. It was not possible to find the effect of subjective norm on participation intention.

Research limitations/implications

This research is limited to a particular sample: students. Thus the results need to be generalized to other samples, such as working professionals.

Originality/value

Extant research has mainly focused on the effects of user motivations such as perceived usefulness, trust and commitment on online community user behavior, and seldom considered the effects of social processes including compliance, identification and internalization on user behavior. This research tries to fill the gap.

Details

Internet Research, vol. 21 no. 1
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 29 April 2020

Sang Soo Kim

Abstract

Purpose

A compliance support system (CSS) aims to support employees' voluntary compliance activities, however, it requires a different approach from the continuous usage of other general information systems. This study first set up a research model based on information system (IS) continuance model to investigate the mechanism of continuance intention to use CSS. Then, this study aims to propose that the surveillance concern will undermine the process of forming beliefs and attitudes toward using CSS, consequently hindering continuance intention to use the system.

Design/methodology/approach

A questionnaire survey was conducted for the employees of a major Korean energy company that has run their own CSS for about three years. A total of 720 valid responses were analyzed by using partial least squares-based structural model technique. The respondents are classified into two groups: a high level and a low level of surveillance concern group.

Findings

The findings showed that continuance intention of using CSS is basically consistent with the IS continuance model. However, the relationship between satisfaction and continuance intention was found to be insignificant in a high surveillance concern group. In addition, multigroup analysis showed that surveillance concern negatively moderates certain relationships among variables, especially weakening the beliefs and attitudes toward using CSS.

Originality/value

This study has academic significance of broadening the domain of factors affecting continuance intention of using CSS by deeply delving into factors discouraging continuous use of a system. Furthermore, the findings of this study may serve as a practical guideline of alleviating surveillance concern, thereby encouraging employees to use CSS more actively and voluntarily.

Details

Journal of Enterprise Information Management, vol. 33 no. 6
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 28 December 2020

Forough Nasirpouri Shadbad and David Biros

Abstract

Purpose

This study focuses on unintended negative consequences of IT, called technostress. Given that employees are recognized as a major information security threat, it makes sense to investigate how technostress resulting from employees' constant interaction with IT influences the likelihood of security incidents. Although past research studied the concept of security-related technostress, the effect of IT use itself on employees’ extra-role activities such as security-related behaviors is unanswered. Thus, this paper aims to provide an understanding of the negative impact of technostress on employee information security policy (ISP) compliance.

Design/methodology/approach

Drawing on technostress literature, this research develops a research model that investigates the effect of technostress on employee intention to violate ISPs. It also extends the dimensionality of technostress construct by adding a new dimension called “techno-unreliability” that shows promising results. The authors use online survey data from a sample of 356 employees who have technology-based professions. We apply the structural equation modeling technique to evaluate the proposed research model.

Findings

Findings showed that IT use imposes high-level perceptions of a set of technostress creators, which makes users rationalize their ISP violations and engage in non-compliant behaviors. Further analysis of each dimension of technostress showed that techno-complexity, techno-invasion and techno-insecurity account for higher ISP non-compliant behaviors.

Originality/value

This study provides a new understanding of technostress in the context of information security and emphasizes its negative impact on employee ISP compliance behaviors.

Details

Information Technology & People, vol. 35 no. 1
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 9 October 2009

Jie Zhang, Brian J. Reithel and Han Li

Abstract

Purpose

The purpose of this paper, based on compensation theory, is to incorporate perceived technical security protection into the theory of planned behavior and examine factors affecting end‐user security behaviors, specifically, compliance with security policies.

Design/methodology/approach

An online survey is conducted to validate the proposed research model. The survey is sent out to an industrial panel. A total of 176 usable responses are received and used in the data analysis.

Findings

The results show that both perceived behavioral control (PBC) and attitude have significant impact on intention to comply with security policy. Perceived technical protection affects behavioral intentions both indirectly, through PBC, and directly. The negative direct effect (i.e. perceived high technical protection leads to low intention to comply with security policy) suggests possible risk compensation effects in the information security context.

Practical implications

This result should be of interest to practitioners. In practice (e.g. during security training), the power and capability of technical protection mechanisms should not be exaggerated. Instead, its limitations and drawbacks should be emphasized, so that end‐users will adopt more cautious security practices and adhere to the requirements of the organization's security policies.

Originality/value

This paper embeds risk compensation theory within the security policy compliance context and offers a useful starting point for further empirical examination of this theory in information security context.

Details

Information Management & Computer Security, vol. 17 no. 4
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 6 April 2020

Gaurav Bansal, Steven Muzatko and Soo Il Shin

Abstract

Purpose

This study examines how neutralization strategies affect the efficacy of information system security policies. This paper proposes that neutralization strategies used to rationalize security policy noncompliance range across ethical orientations, extending from those helping the greatest number of people (ethics of care) to those damaging the fewest (ethics of justice). The results show how noncompliance differs between genders based on those ethical orientations.

Design/methodology/approach

A survey was used to measure information system security policy noncompliance intentions across six different hypothetical scenarios involving neutralization techniques used to justify noncompliance. Data was gathered from students at a mid-western, comprehensive university in the United States.

Findings

The empirical analysis suggests that gender does play a role in information system security policy noncompliance. However, its significance is dependent upon the underlying neutralization method used to justify noncompliance. The role of reward and punishment is contingent on the situation-specific ethical orientation (SSEO) which in turn is a combination of internal ethical positioning based on one's gender and external ethical reasoning based on neutralization technique.

Originality/value

This study extends ethical decision-making theory by examining how the use of punishments and rewards might be more effective in security policy compliance based upon gender. Importantly, the study emphasizes the interplay between ethics, gender and neutralization techniques, as different ethical perspectives appeal differently based on gender.

Details

Information Technology & People, vol. 34 no. 1
Type: Research Article
ISSN: 0959-3845

Article
Publication date: 8 March 2021

Yotamu Gangire, Adéle Da Veiga and Marlien Herselman

Abstract

Purpose

This paper outlines the development of a validated questionnaire for assessing information security behaviour. The purpose of this paper is to present data from the questionnaire validation process and the quantitative study results.

Design/methodology/approach

Data obtained through a quantitative survey (N = 263) at a South African university were used to validate the questionnaire.

Findings

Exploratory factor analysis produced 11 factors. Cronbach’s alpha for the 11 factors were all above 0.7, suggesting that the questionnaire is valid and reliable. The responses show that autonomy questions received positive perception, followed by competence questions and lastly relatedness questions. The correlation analysis results show that there was a statistically significant relationship between competence factors and autonomy factors. There was a partial significant relationship between autonomy and relatedness factors, and between competence and relatedness factors. The study results suggest that competence and autonomy could be more important than relatedness in fostering information security behaviour among employees.

Research limitations/implications

This study used a convenience sampling, a cross-sectional design, and was carried out in a single organisation. This could pose limitations when generalising the study results. Future studies could use random sampling and consider other universities for further validation.

Practical implications

Universities can use the questionnaire to identify developmental areas to improve information security from a behaviour perspective.

Originality/value

This paper provides a research instrument for assessing information security behaviour from the perspective of the self-determination theory.

Details

Information & Computer Security, vol. 29 no. 4
Type: Research Article
ISSN: 2056-4961
