Ensuring employees' information security policy compliance by carrot and stick: the moderating roles of organizational commitment and gender

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Chenhui Liu ◽  
Huigang Liang ◽  
Nengmin Wang ◽  
Yajiong Xue
Keyword(s):  
Organizational Commitment ◽  
Information Security ◽  
Security Policy ◽  
Partial Least Square ◽  
Least Square ◽  
Information Security Policy ◽  
Content Type ◽  
Reward Expectancy ◽  
And Gender ◽  
Reward And Punishment

PurposeEmployees’ information security policy (ISP) compliance exerts a significant strain on information security management. Drawing upon the compliance theory and control theory, this study attempts to examine the moderating roles of organizational commitment and gender in the relationships between reward/punishment expectancy and employees' ISP compliance.Design/methodology/approachUsing survey data collected from 310 employees in Chinese organizations that have formally adopted information security policies, the authors applied the partial least square method to test hypotheses.FindingsPunishment expectancy positively affects ISP compliance, but reward expectancy has no significant impact on ISP compliance. Compared with committed employees, both reward expectancy and punishment expectancy have stronger impacts on low-commitment employees' ISP compliance. As for gender differences, punishment expectancy exerts a stronger effect on females' ISP compliance than it does on males.Originality/valueBy investigating the moderating roles of organizational commitment and gender, this paper offers a deeper understanding of reward and punishment in the context of ISP compliance. The findings reveal that efforts in building organizational commitment will reduce the reliance on reward and punishment, and further controls rather than the carrot and stick should be applied to ensure male employees' ISP compliance.

scholarly journals Examining the Relationship between Information Security Effectiveness and Information Security Threats

2021 ◽  
Vol 21 (3) ◽  
pp. 1203-1214
Author(s):  
Mohamad Noorman Masrek ◽  
Tri Soesantari ◽  
Asad Khan ◽  
Aang Kisnu Dermawan
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Partial Least Square ◽  
Least Square ◽  
Equation Modeling ◽  
Security Threats ◽  
Policy Effectiveness ◽  
Information Security Policy ◽  
The Relationship ◽  
Policy And Procedure

Information is the most critical asset of any organizations and business. It is considered as the lifeblood of the organization or business. Because of its importance, information needs to be protected and safeguarded from any forms of threats and this is termed as information security. Information security policy and procedure has been regarded as one of the most important controls and measures for information security. A well-developed information security policy and procedure will ensure that information is kept safe form any harms and threats. The aim of this study is to examine the relationship between information security policy effectiveness and information security threats. 292 federal government agencies were surveyed in terms of their and information security practices and the threats that they had experienced. Based on the collected, an analysis using partial least square structural equation modeling (PLS-SEM) was performed and the results showed that there is a significant relationship between information security policy effectiveness and information security threats. The finding provides empirical evidence on the importance of developing an effective information security policy and procedure.

Exploring the Impact of Security Policy on Compliance

2018 ◽  
pp. 256-274 ◽  
Author(s):  
Winfred Yaokumah ◽  
Peace Kumah
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Structural Equation ◽  
Partial Least Square ◽  
Least Square ◽  
Security Monitoring ◽  
Roles And Responsibilities ◽  
Security Compliance ◽  
Security Operations ◽  
The Impact

Extant studies on compliance with security policies have largely ignored the impact of monitoring, security operations, and roles and responsibilities on employees' compliance. This chapter proposes a theoretical model that integrates security policy, monitoring, security operations, and security roles to examine employees' security compliance. Data were collected from 233 IT security and management professionals. Using partial least square structural equation modelling and testing hypotheses, the study finds that information security policy has significant indirect influence on information security compliance. The effect of security policy is fully mediated by security roles, operations security activities, and security monitoring activities. Security policy strongly influences operations security activities and has the greatest effect on security roles and responsibilities. Among the three mediating variables, monitoring has the most significant influence on security compliance. Conversely, the direct impact of security policy on compliance is not significant.

The hunt for computerized support in information security policy management

2020 ◽  
Vol 28 (2) ◽  
pp. 215-259 ◽  
Author(s):  
Elham Rostami ◽  
Fredrik Karlsson ◽  
Ella Kolkowska
Keyword(s):  
Information Security ◽  
Research Methods ◽  
Security Policy ◽  
Critical Discussion ◽  
Future Research ◽  
Management Process ◽  
Management Research ◽  
Information Security Policy ◽  
Content Type ◽  
Literature Reviews

Purpose The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about. Design/methodology/approach The results are based on a literature review of ISP management research published between 1990 and 2017. Findings Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare. Research limitations/implications Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process. Practical implications The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners. Originality/value Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

scholarly journals Comparing the information security culture of employees who had read the information security policy and those who had not

2016 ◽  
Vol 24 (2) ◽  
pp. 139-151 ◽  
Author(s):  
Adéle Da Veiga
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Positive Influence ◽  
Theoretical Research ◽  
Information Security Policy ◽  
Content Type ◽  
Security Culture ◽  
Targeted Interventions ◽  
Information Security Culture ◽  
Over Time

Purpose This study aims, firstly, to determine what influence the information security policy has on the information security culture by comparing the culture of employees who read the policy to those who do not, and, secondly, whether a stronger information security culture is embedded over time if more employees have read the information security policy. Design/methodology/approach An empirical study is conducted at four intervals over eight years across 12 countries using a validated information security culture assessment (ISCA) questionnaire. Findings The overall information security culture average scores as well as individual statements for all four survey assessments were significantly more positive for employees who had read the information security policy compared with employees who had not. The overall information security culture also improved from one assessment to the next. Research limitations/implications The information security culture should be measured and benchmarked over time to monitor change and identify and prioritise actions to improve the information security culture. If employees read the information security policy, it has a positive influence on the information security culture of an organisation. Practical implications Organisations should ensure that employees have read the information security policy to aid in minimising the human risk, related errors and incidents and, ultimately, to instil a stronger information security culture with a higher level of compliant behaviour. Originality/value This research confirms theoretical research indicating that the information security policy could influence the information security culture positively. It provides novel and statistical evidence illustrating that if employees read the information security policy, they have a stronger information security culture and that the culture can be improved through targeted interventions using an ISCA.

Building an awareness-centered information security policy compliance model

2019 ◽  
Vol 120 (1) ◽  
pp. 231-247 ◽  
Author(s):  
Alex Koohang ◽  
Jonathan Anderson ◽  
Jeretta Horn Nord ◽  
Joanna Paliszkiewicz
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Path Modeling ◽  
Information Security Policy ◽  
Content Type ◽  
Security Issues ◽  
Compliance Model ◽  
Security Compliance ◽  
Trusting Beliefs ◽  
Practical Implications

Purpose The purpose of this paper is to build an awareness-centered information security policy (ISP) compliance model, asserting that awareness is the key to ISP compliance and that awareness depends upon several variables that influence successful ISP compliance. Design/methodology/approach The authors built a model with seven constructs, i.e., leadership, trusting beliefs, information security issues awareness (ISIA), ISP awareness, understanding resource vulnerability, self-efficacy (SE) and intention to comply. Seven hypotheses were stated. A sample of 285 non-management employees was used from various organizations in the USA. The authors used path modeling to analyze the data. Findings The findings indicated that IS awareness depends on effective organizational leadership and elevated employees’ trusting beliefs. The understanding of resource vulnerability (URV) and SE are influenced by IS awareness resulting from effective leadership and elevated employees’ trusting beliefs which guide employees to comply with ISP requirements. Practical implications Practical implications were aimed at organizations embracing an awareness-centered information security compliance program to secure organizations’ assets against threats by implementing various security education and training awareness programs. Originality/value This paper asserts that awareness is central to ISP compliance. Leadership and trusting beliefs variables play significant roles in the information security awareness which in turn positively affect employees’ URV and SE variables leading employees to comply with the ISP requirements.

Exploring the Impact of Security Policy on Compliance

2021 ◽  
pp. 339-357
Author(s):  
Winfred Yaokumah ◽  
Peace Kumah
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Structural Equation ◽  
Partial Least Square ◽  
Least Square ◽  
Security Monitoring ◽  
Roles And Responsibilities ◽  
Security Compliance ◽  
Security Operations ◽  
The Impact

Extant studies on compliance with security policies have largely ignored the impact of monitoring, security operations, and roles and responsibilities on employees' compliance. This chapter proposes a theoretical model that integrates security policy, monitoring, security operations, and security roles to examine employees' security compliance. Data were collected from 233 IT security and management professionals. Using partial least square structural equation modelling and testing hypotheses, the study finds that information security policy has significant indirect influence on information security compliance. The effect of security policy is fully mediated by security roles, operations security activities, and security monitoring activities. Security policy strongly influences operations security activities and has the greatest effect on security roles and responsibilities. Among the three mediating variables, monitoring has the most significant influence on security compliance. Conversely, the direct impact of security policy on compliance is not significant.

Escalation of commitment as an antecedent to noncompliance with information security policy

2018 ◽  
Vol 26 (2) ◽  
pp. 171-193 ◽  
Author(s):  
Miranda Kajtazi ◽  
Hasan Cavusoglu ◽  
Izak Benbasat ◽  
Darek Haftor
Keyword(s):  
Information Security ◽  
Risk Perceptions ◽  
Security Policy ◽  
Sunk Costs ◽  
Survey Method ◽  
Task Completion ◽  
Escalation Of Commitment ◽  
Value Conflicts ◽  
Information Security Policy ◽  
Content Type

PurposeThis study aims to identify antecedents to noncompliance behavior influenced by decision contexts where investments in time, effort and resources are devoted to a task – referred to as a task unlikely to be completed without violating the organization’s information security policy (ISP).Design/methodology/approachAn empirical test of the suggested relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, pre-study, main study and a follow-up study compose the frame of our methodology where more than 500 respondents are involved across different organizations.FindingsThe results confirm that the antecedents that explain the escalation of commitment behavior in terms of the effect of lost assets, such as time, effort and other resources, give us a new lens to understand noncompliance behavior; employees seem to escalate their commitments to the completion of their tasks at the expense of becoming noncompliant with ISP.Research limitations/implicationsOne of the key areas that requires further attention from this study is to better understand the role of risk perceptions on employee behavior when dealing with value conflicts. Depending on how risk-averse or risk seeking an employee is, the model showed no significant support in either case to influence their noncompliance behavior. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs.Practical implicationsThe results show that when employees are caught in tasks undergoing difficulties, they are more likely to increase noncompliance behavior. By understanding better how project obstacles result in such tasks, security managers can define new mechanisms to counter employees’ shift from compliance to noncompliance.Social implicationsApart from encouraging compliance with enforcement mechanisms (using direct behavioral controls like sanctions or rewards), indirect behavior controls may also encourage compliance. The authors suggest that the ISPs should state that the organization would take positive actions toward task completion and help their employees to resolve their problems quickly.Originality/valueThis study is the first to tackle escalation of commitment theories and use antecedents that explain the effect of lost assets, such as time, effort and other resources can also explain noncompliance with ISP in terms of the value conflicts, where employees would often choose to forego compliance at the expense of finishing their tasks.

scholarly journals The effect of perceived organizational culture on employees’ information security compliance

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Martin Karlsson ◽  
Fredrik Karlsson ◽  
Joachim Åström ◽  
Thomas Denk
Keyword(s):  
Organizational Culture ◽  
Information Security ◽  
Security Policy ◽  
Organizational Cultures ◽  
Policy Compliance ◽  
Information Security Policy ◽  
Content Type ◽  
Security Compliance ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

Purpose This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers. Design/methodology/approach The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy. Findings The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance. Research limitations/implications The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance. Practical implications Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations. Originality/value Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Do employees in a “good” company comply better with information security policy? A corporate social responsibility perspective

2019 ◽  
Vol 32 (4) ◽  
pp. 858-875 ◽  
Author(s):  
Hyungjin Lukas Kim ◽  
Jinyoung Han
Keyword(s):  
Corporate Social Responsibility ◽  
Information Security ◽  
Social Responsibility ◽  
Security Policy ◽  
Rational Choice Theory ◽  
Information Security Policy ◽  
Content Type ◽  
Corporate Social ◽  
The Impact ◽  
The Relationship

Purpose The purpose of this paper is to investigate the impact of corporate social responsibility (CSR) on employees’ compliance behavior concerning information security policy (ISP). A research model includes CSR activities as an antecedent of ISP compliance and as a mediator of the relationship between ISP compliance intention and the perceived costs of compliance. Design/methodology/approach In total, 162 respondents were surveyed from organizations with more than 500 employees. This study used partial least squares (SmartPLS 3.0) to analyze and examine hypotheses. Findings The results show CSR’s influence as a mediator in the context of ISP compliance. In particular, moral CSR can affect employees’ ISP compliance intention positively and fully mediate the relationship between the costs of compliance and ISP compliance intention. Employees would like to comply with ISP when they recognize the benefits of ISP compliance and the costs of ISP noncompliance. Originality/value This study examines influential factors on ISP compliance considering cost-benefit factors from rational choice theory. Moreover, the study contributes to ISP compliance research by being the first attempt to consider CSR in an ISP compliance research context. The results provide insights on how to strategically implement CSR activities in terms of organizational information security.

Sign in / Sign up

Export Citation Format

Share Document