Information security policies and value conflict in multinational companies

2018 ◽  
Vol 26 (2) ◽  
pp. 230-245 ◽  
Author(s):  
Alper Yayla ◽  
Yu Lei
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Cultural Distance ◽  
Multinational Companies ◽  
Security Policies ◽  
Security Risk ◽  
Value Conflict ◽  
Value Conflicts ◽  
Content Type ◽  
Parent Companies

PurposeThe purpose of this paper is to examine challenges multinational companies face during the diffusion of their information security policies. Parent companies use these policies as their discourse for legitimization of their practices in subsidiaries, which leads to value conflicts in subsidiaries. The authors postulate that, when properly crafted, information security policies can also be used to reduce the very conflicts they are creating.Design/methodology/approachThe proposed framework is conceptualized based on the review of literatures on multinational companies, information security policies and value conflict.FindingsThe authors identified three factors that may lead to value conflict in subsidiary companies: cultural distance, institutional distance and stickiness of knowledge. They offer three recommendations based on organizational discourse, ambidexterity and resource allocation to reduce value conflict.Research limitations/implicationsThe authors postulate that information security policies are the sources of value conflict in subsidiary companies. Yet, when crafted properly, these policies can also offer solutions to minimize value conflict.Practical implicationsThe proposed framework can be used to increase policy diffusion success, minimize value conflict and, in turn, decrease information security risk.Originality/valueThe growing literature on information security policy literature is yet to examine the diffusion of policies within multinational companies. The authors argue that information security policies are the source of, and solution to, value conflict in multinational companies.

scholarly journals A framework for reporting and dealing with end-user security policy compliance

2019 ◽  
Vol 27 (1) ◽  
pp. 2-25 ◽  
Author(s):  
Mutlaq Jalimid Alotaibi ◽  
Steven Furnell ◽  
Nathan Clarke
Keyword(s):  
Information Security ◽  
Security Policy ◽  
End Users ◽  
Response Strategy ◽  
Security Policies ◽  
Prototype System ◽  
Content Type ◽  
Novel Approach ◽  
Proposed Model ◽  
Security Policy Compliance

Purpose It is widely acknowledged that non-compliance of employees with information security polices is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users’ behaviour with an information security policy. Design/methodology/approach The proposed model is based on two main concepts: a taxonomy of the response strategy to non-compliant behaviour and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour. Findings A prototype system has been developed to simulate the proposed model and work as a real system that responds to the behaviour of users (reflecting both violations and compliance behaviour). In addition, the model has been evaluated by interviewing experts from academic and industry. They considered the proposed model to offers a novel approach for managing end users’ behaviour with the information security policies. Research limitations/implications Psychological factors were out of the research scope at this stage. The proposed model may have some psychological impacts upon users; therefore, this issue needs to be considered by studying the potential impacts and the best solutions. Originality/value Users being compliant with the information security policies of their organisation is the key to strengthen information security. Therefore, when employees have a good level of compliance with security policies, this positively affects the overall security of an organisation.

scholarly journals It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs

2020 ◽  
Vol 28 (3) ◽  
pp. 467-483 ◽  
Author(s):  
Moufida Sadok ◽  
Steven Alter ◽  
Peter Bednar
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Small And Medium Enterprises ◽  
Security Policies ◽  
Sensitive Information ◽  
Work Practices ◽  
Content Type ◽  
Empirical Results ◽  
Corporate Security ◽  
Security Practices

Purpose This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training often is insufficient for establishing and maintaining information security. Design/methodology/approach This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from employees’ point of view. Findings Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work practices. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts. Research limitations/implications This paper focuses only on closed-ended questions related to the following topics: awareness of existing security policy; information security practices and management and information security involvement. Practical implications The empirical findings show that corporate information security policies in SMEs often are insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security. Originality/value Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.

Escalation of commitment as an antecedent to noncompliance with information security policy

2018 ◽  
Vol 26 (2) ◽  
pp. 171-193 ◽  
Author(s):  
Miranda Kajtazi ◽  
Hasan Cavusoglu ◽  
Izak Benbasat ◽  
Darek Haftor
Keyword(s):  
Information Security ◽  
Risk Perceptions ◽  
Security Policy ◽  
Sunk Costs ◽  
Survey Method ◽  
Task Completion ◽  
Escalation Of Commitment ◽  
Value Conflicts ◽  
Information Security Policy ◽  
Content Type

PurposeThis study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task – referred to as a task unlikely to be completed without violating the organization’s information security policy (ISP).Design/methodology/approachAn empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations.FindingsThe results confirm that the antecedents that explain the escalation of commitment behavior in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behavior; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP.Research limitations/implicationsOne of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behavior when dealing with value conflicts. Depending on how risk-averse or risk seeking an employee is, the model showed no significant support in either case to influence their noncompliance behavior. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs.Practical implicationsThe results show that when employees are caught in tasks undergoing difficulties, they are more likely to increase noncompliance behavior. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees’ shift from compliance to noncompliance.Social implicationsApart from encouraging compliance with enforcement mechanisms (using direct behavioral controls like sanctions or rewards), indirect behavior controls may also encourage compliance. The authors suggest that the ISPs should state that the organization would take positive actions toward task completion and help their employees to resolve their problems quickly.Originality/valueThis study is the first to tackle escalation of commitment theories and use antecedents that explain the effect of lost assets, such as time, effort and other resources can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.

Variables influencing information security policy compliance

2014 ◽  
Vol 22 (1) ◽  
pp. 42-75 ◽  
Author(s):  
Teodor Sommestad ◽  
Jonas Hallberg ◽  
Kristoffer Lundholm ◽  
Johan Bengtsson
Keyword(s):  
Systematic Review ◽  
Information Security ◽  
Security Policy ◽  
Empirical Studies ◽  
Security Policies ◽  
Future Research ◽  
Policy Compliance ◽  
Content Type ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

Purpose – The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. Design/methodology/approach – A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed. Findings – In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation. Research limitations/implications – It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts. Practical implications – For decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown. Originality/value – This is the first systematic review of research on variables that influence compliance with information security policies of organizations.

Identifying core control items of information security management and improvement strategies by applying fuzzy DEMATEL

2015 ◽  
Vol 23 (2) ◽  
pp. 161-177 ◽  
Author(s):  
Li-Hsing Ho ◽  
Ming-Tsai Hsu ◽  
Tieh-Min Yen
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Security Management ◽  
Fuzzy Dematel ◽  
Information Security Management ◽  
Content Type ◽  
Cause And Effect ◽  
Information Security Management System ◽  
Security Control ◽  
Improvement Strategies

Purpose – The purpose of this paper is to analyze the cause-and-effect relationship and the mutually influential level among information security control items, as well as to provide organizations with a method for analyzing and making systematic decisions for improvement. Design/methodology/approach – This study utilized the Fuzzy DEMATEL to analyze cause-and-effect relationships and mutual influence of the 11 control items of the International Organization for Standardization (ISO) 27001 Information Security Management System (ISMS), which are discussed by seven experts in Taiwan to identify the core control items for developing the improvement strategies. Findings – The study has found that the three core control items of the ISMS are security policy (SC1), access control (SC7) and human resource security (SC4). This study provides organizations with a direction to develop improvement strategies and effectively manage the ISMS of the organization. Originality/value – The value of this study is for an organization to effectively dedicate resources to core control items, such that other control items are driven toward positive change by analyzing the cause-and-effect relation and the mutual influential level among information security control items, through a cause-and-effect matrix and a systematic diagram.

E-waste information security protection motivation: the role of optimism bias

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Hao Chen ◽  
Ofir Turel ◽  
Yufei Yuan
Keyword(s):  
Information Security ◽  
Risk Behavior ◽  
Equation Modeling ◽  
Perceived Threat ◽  
Protection Motivation ◽  
Security Risk ◽  
Content Type ◽  
Optimism Bias ◽  
Information Security Risk

PurposeElectronic waste (e-waste) such as discarded computers and smartphones may contain large amounts of confidential data. Improper handling of remaining information in e-waste can, therefore, drive information security risk. This risk, however, is not always properly assessed and managed. The authors take the protection motivation theory (PMT) lens of analysis to understand intentions to protect one's discarded electronic assets.Design/methodology/approachBy applying structural equation modeling, the authors empirically tested the proposed model with survey data from 348 e-waste handling users.FindingsResults highlight that (1) protection intention is influenced by the perceived threat of discarding untreated e-waste (a threat appraisal) and self-efficacy to treat the discarded e-waste (a coping appraisal) and (2) optimism bias plays a dual-role in a direct and moderating way to reduce the perceived threat of untreated e-waste and its effect on protection intentions.Originality/valueResults support the assertions and portray a unique theoretical account of the processes that underline people's motivation to protect their data when discarding e-waste. As such, this study explains a relatively understudied information security risk behavior in the e-waste context, points to the role of optimism bias in such decisions and highlights potential interventions that can help to alleviate this information security risk behavior.

Cultural distance and inter-organizational knowledge transfer: a case study of a multinational company

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Dasun Bhagya Sapuarachchi
Keyword(s):  
Knowledge Management ◽  
Sri Lanka ◽  
Knowledge Transfer ◽  
Cultural Distance ◽  
Organizational Knowledge ◽  
Multinational Companies ◽  
Cultural Dimensions ◽  
Business World ◽  
Content Type ◽  
The Usa

Purpose The purpose of this study is to explore a phenomenon in knowledge management that has been given scant attention: the influence of cultural distance on inter-organizational knowledge transfer in the context of multinational companies involving headquarters in the USA and a subsidiary in Sri Lanka. Design/methodology/approach Designed as a qualitative exploratory study, data was collected through in-depth interviews of 15 participants and documents review. Findings The findings of this study implied that the theoretically introduced cultural dimensions shall be relevant to analyze the phenomenon of this study. Consequently, through the findings of this study, it is argued that inter-organizational knowledge transfer in multinational companies is influenced by cultural distance. Research limitations/implications This study theoretically and empirically contributes to the debates on knowledge transfer in knowledge management research in general and, inter-organizational knowledge transfer in multinational companies between headquarters and subsidiaries with respect to the influence of cultural distance in particular, through the light of Trompenaars’ (1993) cultural dimensions theory. Practical implications The findings of this study could motivate the practitioners to take into account: the influence of cultural distance on inter-organizational knowledge transfer, if inter-organizational knowledge transfer happens in similar contexts: multinational companies with a headquarters in the USA (a western context) and a subsidiary in Sri Lanka (a non-western context) in the practical business world. Originality/value This study provides theoretical and empirical insights into the influence of cultural distance on inter-organizational knowledge transfer in multinational companies between headquarters and subsidiaries in the selected context while suggesting various avenues for further research toward the influence of cultural distance on such phenomenon in similar/dissimilar contexts.

Information security policy compliance: a higher education case study

2018 ◽  
Vol 26 (1) ◽  
pp. 91-108 ◽  
Author(s):  
Khaled A. Alshare ◽  
Peggy L. Lane ◽  
Michael R. Lane
Keyword(s):  
Higher Education ◽  
Information Security ◽  
Security Policy ◽  
Past Research ◽  
Faculty Members ◽  
Research Model ◽  
Security Measures ◽  
Timely Manner ◽  
Content Type

Purpose The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory and justice theory. Design/methodology/approach The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression. Findings The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant. Research limitations/implications As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. The method of measuring information security violations has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to this case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a US university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study. Practical implications The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated. Social implications Engaging employees in developing and implementing information security measures will reduce employees’ violations. Additionally, giving employees the assurance that all are given the same treatment when it comes to applying sanctions will reduce the violations. Originality/value Setting and enforcing in a timely manner a solid sanction system will help in preventing information security violations. Moreover, creating a culture that fosters information security will help in positively affecting the employees’ perceptions toward privacy and responsibility, which in turn, impacts information security violations. This case study applies some existing theories in the context of the US higher education environment. The results of this case study contributed to the extension of existing theories by including new factors, on one hand, and confirming previous findings, on the other hand.

Impact of Deterrence and Inertia on Information Security Policy Changes

2019 ◽  
Vol 34 (1) ◽  
pp. 123-134
Author(s):  
Kalana Malimage ◽  
Nirmalee Raddatz ◽  
Brad S. Trinkle ◽  
Robert E. Crossler ◽  
Rebecca Baaske
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Online Survey ◽  
Security Policies ◽  
Security Measures ◽  
Policy Changes ◽  
Information Security Policy ◽  
Improve Compliance ◽  
The Impact

ABSTRACT This study examines the impact of deterrence and inertia on information security policy changes. Corporations recognize the need to prioritize information security, which sometimes involves designing and implementing new security measures or policies. Using an online survey, we investigate the effect of deterrent sanctions and inertia on respondents' intentions to comply with modifications to company information security policies. We find that certainty and celerity associated with deterrent sanctions increase compliance intentions, while inertia decreases respondents' compliance intentions related to modified information security policies. Therefore, organizations must work to overcome employees' reluctance to change in order to improve compliance with security policy modifications. They may also consider implementing certain and timely sanctions for noncompliance.

Information Security Policies and Procedures Guidance for Agencies

2020 ◽  
pp. 47-62
Author(s):  
Dasari Kalyani
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Large Scale ◽  
Management Strategies ◽  
Security Policies ◽  
Risk Levels ◽  
Security Models ◽  
Policies And Procedures ◽  
Good Policy ◽  
The Right

In today's digital e-commerce and m-commerce world, the information itself acts as an asset and exists in the form of hardware, software, procedure, or a person. So the security of these information systems and management is a big challenging issue for small and large-scale agencies. So this chapter discusses the major role and responsibility of the organization's management in identifying the need for information security policy in today's world of changing security principles and controls. It focuses on various policy types suitable for all kinds of security models and procedures with the background details such as security policy making, functionality, and its impact on an agency culture. Information security policies are helpful to identify and assess risk levels with the available set of technological security tools. The chapter describes the management strategies to write a good policy and selection of the right policy public announcement. The agencies must also ensure that the designed policies are properly implemented and ensure compliance through frequent intermediate revisions.

Sign in / Sign up

Export Citation Format

Share Document