Information security policy compliance: a higher education case study

2018 ◽  
Vol 26 (1) ◽  
pp. 91-108 ◽  
Author(s):  
Khaled A. Alshare ◽  
Peggy L. Lane ◽  
Michael R. Lane

Purpose The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory and justice theory. Design/methodology/approach The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression. Findings The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant. Research limitations/implications As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. The method of measuring information security violations has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to this case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a US university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study. Practical implications The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. 
The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated. Social implications Engaging employees in developing and implementing information security measures will reduce employees’ violations. Additionally, giving employees the assurance that all are given the same treatment when it comes to applying sanctions will reduce the violations. Originality/value Setting and enforcing in a timely manner a solid sanction system will help in preventing information security violations. Moreover, creating a culture that fosters information security will help in positively affecting the employees’ perceptions toward privacy and responsibility, which in turn, impacts information security violations. This case study applies some existing theories in the context of the US higher education environment. The results of this case study contributed to the extension of existing theories by including new factors, on one hand, and confirming previous findings, on the other hand.

2016 ◽  
Vol 7 (1) ◽  
pp. 26-42 ◽  
Author(s):  
Avinash Ramtohul ◽  
K.M.S. Soyjaudah

Purpose – Highly sensitive information pertaining to citizens and government transactions is processed in an electronic format, making information security a critical part of e-Government applications and architectures. Information security measures should ideally span from authentication to authorisation and from logical/physical access control to auditing of electronic transactions and log books. The lack of such measures compromises confidentiality, integrity and availability of information. Today, most e-Government projects in developing countries in Southern Africa Developing Community (SADC) face challenges in two main areas, namely, information security and application software integration. This paper aims to discuss and analyse the information security requirements for e-Government projects and proposes an information security governance model for service-based architectures (SBAs). Design/methodology/approach – The current state of information security in emerging economies in SADC countries was researched. The main problems identified were the lack of software integration and information security governance, policy and administration. The design consists of three basic layers: information security governance defined at the strategic level of the government; information security policy/management defined at the management/operational level; and information security measures, implemented at the technical level. This section also proposes a policy for implementing public key infrastructures to protect information, transactions and e-services. A Token-Ring-based mechanism for implementing Single-Sign-On has also been developed as part of this study. Findings – The main problems identified were the lack of software integration and information security governance, policy and administration. These challenges are causing e-government projects to stagnate. 
Practical implications – The proposed approach for implementing information security in e-Government systems will ensure a holistic approach to ensuring confidentiality, integrity and non-repudiation, allowing e-Government maturity to progress from “interaction” to “online transaction” stage in emerging economies. Originality/value – Research has not focused on developing a solution for emerging economies which are facing difficulties in integrating software applications to deploy end-to-end e-services and to produce an underlying identity management architecture and information security governance to secure the e-services developed and deployed using an SBA. The work produced in this paper is specific to SBAs in e-government environments where legacy systems already exist. The work includes: information security governance defined at the strategic level of the government; information security policy/management defined at the management/operational level; and information security measures implemented at the technical level. This section also proposes a policy for implementing public key infrastructures to protect information, transactions and e-services. A Token-Ring-based mechanism for implementing Single-Sign-On has also been developed as part of this study.


2020 ◽  
Vol 12 (2) ◽  
pp. 207-220
Author(s):  
Lluís Solé ◽  
Laia Sole-Coromina ◽  
Simon Ellis Poole

Purpose Creativity is nowadays seen as a desirable goal in higher education. In artistic disciplines, creative processes are frequently employed to assess or evaluate different students' skills. The purpose of this study is to identify potential pitfalls for students involved in artistic practices in which being creative is essential. Design/methodology/approach Three focus groups involving Education Faculty members from different artistic disciplines allowed for the identification of several constraints when creativity was invoked. This initial study used a quantitative approach and took place in the “Universitat de Vic” (Catalonia, Spain). Findings Findings suggest a correlation with existing literature and simultaneously point at some nuances that require consideration: emerging aspects embedded in creative processes that may help decrease some limiting effects that being creative can generate. Research limitations/implications The main limitations of this research derive from the very nature of the methodological approach. Focus group has been the single used source. Other means of collecting data, such as the analysis of programs, could be used in the future. Originality/value This case study, while culturally specific, offers a useful insight into the potential of further work in non-artistic disciplines but crucially across disciplines. It has tremendous value for the development of intercultural understanding in the higher education sector, specifically in terms of assessment.


2018 ◽  
Vol 26 (4) ◽  
pp. 420-436 ◽  
Author(s):  
Eric Amankwa ◽  
Marianne Loock ◽  
Elmarie Kritzinger

Purpose This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions. Design/methodology/approach In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey. Findings The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations. Practical implications Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance. Originality/value The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.


2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Jitendra Singh

Purpose The purpose of this paper is to study, examine and apply lean management principles to the curriculum revision and internship placement process in an academic program at an institution of higher education. Design/methodology/approach This paper consists of two sections. The first section reviews the literature on lean principles, lean tools, nonvalue-added activities and the application of lean methodology to academic settings. The second section presents a case study, where a team of faculty members applied lean principles to the process of curriculum revision and internship placement at an academic institution. Findings Lean principles can be successfully applied to curricular revision and the internship placement process. By applying the concepts of value, identification of value stream, removal of wasteful activities to achieve flow and creation of a pull-based system, faculty and program leaders can streamline processes at academic institutions. Furthermore, ongoing data collection helps to foster the culture of continuous improvement and ensure that processes are revisited and adapted to meet the needs of customers. Practical implications This paper is of value to faculty members and college administrators interested in applying lean principles to academic processes. Usage of lean methodology may lead to the identification and elimination of waste in curriculum and the field placement process. Originality/value This manuscript can provide a structure for the application of lean in academic processes at institutions of higher education.


Author(s):  
Rita Nasrallah

Purpose – The purpose of this multiple-case study was to examine the ambiguity surrounding course learning outcomes and how they are perceived by faculty members in four private universities, while simultaneously investigating the dominant teaching perspectives, practices and assessment techniques. In parallel, theory of constructive alignment was shared with faculty members and students as a possible teaching-learning model. Design/methodology/approach – This study is a qualitative multiple-case study designed based on Yin’s (2009) case study protocol and Stake’s (2006) cross-case analysis report. In the process, 52 faculty members were interviewed, and 38 of the 52 were observed teaching, plus 15 of 52, faculty members participated in separate focus groups about constructive alignment. Further, 18 students were interviewed in separate focus groups to find out how they perceive effective teaching and constructive alignment. Findings – The findings showed why faculty members misunderstood the course learning outcomes. Both faculty members and students withheld similar perceptions when it came to efficient teaching; however, they disagreed regarding the utility of constructive alignment as a proposed teaching-learning model. The 52 faculty members were mainly knowledge transmitters and this contradicts with the notion of the learning outcomes, which is student-centered. In addition, they are not familiar with the teaching-learning theories or with the various pedagogical tools that may render learning constructive. Research limitations/implications – The fact that this study is a multiple-case study automatically implies that the results cannot be generalized within the larger higher education context. Nevertheless, the research findings can help to clarify the reasons hindering the proper implementation of the learning outcomes in other institutions, as it can serve as a guide to improve all the detected weaknesses, which may be applicable in other contexts. 
It can also aid administrative bodies at the different institutions in dealing with the obstacles that restrict the workability of the learning outcomes. Practical implications – Teaching in higher education must be nurtured through continuously investing time and effort in supporting faculty members to develop their teaching-learning skills to suit the changing profiles of students to render learning a durable experience. Originality/value – The study is unique in how it combined Yin’s protocol with Stake’s cross-case analysis report. Additionally, the classroom observation instrument was, to an extent, a precedent in terms of higher education research in the Lebanese context. Further, the results obtained added to the results of previous research, i.e. the reasons why the learning outcomes were not functional. Plus, a cyclical/retrograding motion learning model emerged in the process, and the practicality of the theory of constructive alignment in the Lebanese context was questioned.


2018 ◽  
Vol 26 (5) ◽  
pp. 568-583 ◽  
Author(s):  
Zakarya A. Alzamil

Purpose Information security of an organization is influenced by the deployed policy and procedures. Information security policy reflects the organization’s attitude to the protection of its information assets. The purpose of this paper is to investigate the status of the information security policy at a subset of Saudi’s organizations by understanding the perceptions of their information technology’s employees. Design/methodology/approach A descriptive and statistical approach has been used to describe the collected data and characteristics of the IT employees and managers to understand the information security policy at the surveyed organizations. The author believes that understanding the IT employees’ views gives a better understanding of the organization’s status of information security policy. Findings It has been found that most of the surveyed organizations have established information security policy and deployed fair technology; however, many of such policies are not enforced and publicized effectively and efficiently which degraded the deployed technology for such protection. In addition, the clarity and the comprehensibility of such policies are questionable as indicated by most of the IT employees’ responses. A comparison with similar studies at Middle Eastern and European countries has shown similar findings and shares the same concerns. Originality/value The findings of this research suggest that the Saudi Communications and Information Technology Commission should develop a national framework for information security to guide the governmental and non-governmental organizations as well as the information security practitioners on the good information security practices in terms of policy and procedures to help the organizations to avoid any vulnerability that may lead to violations on the security of their information.


2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Forough Nasirpouri Shadbad ◽  
David Biros

Purpose This study focuses on unintended negative consequences of IT, called technostress. Given that employees are recognized as a major information security threat, it makes sense to investigate how technostress resulting from employees' constant interaction with IT influences the likelihood of security incidents. Although past research studied the concept of security-related technostress, the effect of IT use itself on employees’ extra-role activities such as security-related behaviors is unanswered. Thus, this paper aims to provide an understanding of the negative impact of technostress on employee information security policy (ISP) compliance. Design/methodology/approach Drawing on technostress literature, this research develops a research model that investigates the effect of technostress on employee intention to violate ISPs. It also extends the dimensionality of technostress construct by adding a new dimension called “techno-unreliability” that shows promising results. The authors use online survey data from a sample of 356 employees who have technology-based professions. We apply the structural equation modeling technique to evaluate the proposed research model. Findings Findings showed that IT use imposes high-level perceptions of a set of technostress creators, which makes users rationalize their ISP violations and engage in non-compliant behaviors. Further analysis of each dimension of technostress showed that techno-complexity, techno-invasion and techno-insecurity account for higher ISP non-compliant behaviors. Originality/value This study provides a new understanding of technostress to the context of information security and emphasizes on its negative impact on employee ISP compliance behaviors.


2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Rima Khatib ◽  
Henri Barki

Purpose To help reduce the increasing number of information security breaches that are caused by insiders, past research has examined employee non-compliance with information security policy. However, existent studies have observed mixed results, which suggest that an interaction is likely to exist among the variables that explain employee non-compliance. In an effort to provide evidence for this possibility, this paper aims to better explain why employees routinely engage in non-compliant behaviors by examining the direct and interactive effects of employees’ perceived costs and rewards of compliance and non-compliance on their routinized non-compliant behaviors. Design/methodology/approach Based on rational choice theory, this study used 16 hypothetical scenarios in an experimental survey, collecting data from 326 respondents and analyzing them via structural equation modeling and a four-way factorial experiment. Findings The results suggest that routinized non-compliance of employees is more strongly influenced by the rewards than the costs they perceive in their non-compliance. Further, employees’ routinized non-compliance behavior was found to be positively influenced by an interactive effect of perceived rewards of compliance when their perceptions of their non-compliance costs and rewards were both high and low. Originality/value This paper’s key contribution is to suggest that non-compliance behavior is influenced by direct and interactive effects of perceived rewards of compliance and non-compliance.


2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Botong Xue ◽  
Feng Xu ◽  
Xin Luo ◽  
Merrill Warkentin

Purpose A growing number of studies have investigated the effect of ethical leadership on behavioral outcome of employees. However, considering the important role of ethics in IS security, the security literature lacks a theoretical and empirical investigation of the relationship between ethical leadership and employees' security behavior, such as information security policy (ISP) violation. Drawing on social learning and social exchange theories, this paper empirically tests the impact of ethical leadership on employees' ISP violation intention through both information security climate (i.e. from a moral manager's perspective) and affective commitment (i.e. from a moral person's perspective). Design/methodology/approach The research was developed based on social learning theory and social exchange theory. To measure the variables in the model, the authors used and adapted measurement items from previous studies. The authors conducted a scenario-based survey with 339 valid responses to test and validate the research model. Findings Results indicated that information security climate fully mediates the relationship between ethical leadership and ISP violation intention. The authors also found that information security climate enhances the negative effect of affective commitment on ISP violation intention. Originality/value This research contributes to the literature of information security by introducing the role of ethical leadership and integrating two theories into our research model. This study also calls attention to how information security climate and affective commitment mediate the relationship between ethical leadership and employees' ISP violation intention. The theory-driven study provides important pragmatic guidance for enhancing the understanding of the importance of ethical leadership in information systems security research.


2018 ◽  
Vol 10 (2) ◽  
pp. 118-129
Author(s):  
Linda Carol Algozzini ◽  
Valencia Lavon Gabay ◽  
Shannon D. Voyles ◽  
Kimberly Bessolo ◽  
Grady Batchelor

Purpose This case study reviews a group coaching and mentoring (GCM) change model and its significance in dissolving barriers and promoting equity in virtual learning environments. The purpose of this paper is to examine the model’s approach to shifting instructor mindsets to align with institutional core values and initiatives that best serve a twenty-first century adult learner. Design/methodology/approach The change model, grounded in GCM, metacognition, self-regulated learning, and community of practice theory, incorporates participatory action research design focusing on cycles of action, reflection, and evaluation. Findings This study illustrates the change model’s success in moving educators toward deeper understanding of self and individual student differences. It further showcases how professionals adapt and improve practices using self-regulated learning and metacognition to better serve the population they teach. Practical implications The GCM framework improved engagement. The design, while implemented in a higher education arena, is applicable to other entities seeking to bridge gaps using metacognition and self-regulated learning to become adaptable and inclusive. Originality/value The change model, recipient of one of this year’s Effective Practice Awards from the Online Learning Consortium (2017), is recognized for innovation and replicability in and beyond higher education.

