New Insights into the Justifiability of Organizational Information Security Policy Noncompliance: A Case Study

Despite the significant resources organizations devote to information security policies, the policies rarely produce intended outcome. Prior research has sought to explain motivations for non-compliance and suggested approaches for motivating employees for compliance using theories largely derived from psychology. However, the socio-cognitive structures that shape employees' perceptions of the policies and how they influence policy outcomes have received only modest attention. In this study, the authors draw on the socio-cognitive theory of frames and on literature on information security policies in order to suggest a theoretical and analytical concept of Information Security Policy Frames of Reference (ISPFOR). The concept is applied as a sensitizing device, in order to systematically analyze and interpret how the perceptions of policies are shaped by the frames and how they influence policy outcomes. The authors apply the sensitizing device in an interpretive case study conducted at a large multinational internet service provider. The authors’ findings suggest the frames shape the perceptions and can provide a socio-cognitive explanation for unanticipated policy outcomes. Implications for research and practice are discussed.

Download Full-text

Smart City Development in Taiwan: From the Perspective of the Information Security Policy

Sustainability ◽

10.3390/su12072916 ◽

2020 ◽

Vol 12 (7) ◽

pp. 2916 ◽

Cited By ~ 1

Author(s):

Yung Chang Wu ◽

Rui Sun ◽

Yenchun Jim Wu

Keyword(s):

Information Security ◽

Smart City ◽

Security Policy ◽

Smart Cities ◽

Mobile Internet ◽

Security Policies ◽

Information Security Policy ◽

Organizational Information ◽

The Impact ◽

The Relationship

A smart city is developed through the Internet of Things (IoT), cloud computing, big data, mobile Internet, and other new generation technologies regarding information and communication, and data resources in various fields are integrated and applied. The issue of information security in the network era is the strategic focus, as well as the focus of people’s attention, during Taiwan’s smart city construction. Information security policies are the information security guidelines for organizations, and are key to the organization’s information security performance; moreover, such policies show the organization’s support and commitment to the information security of smart cities. This paper discusses the model of information security policy in Taiwan’s smart cities, uses Path Analysis to explore the characteristics of information security policy in smart cities, and examines the relationship between the formulation, implementation, maintenance, and effectiveness of information security policies. Furthermore, this study examines the impact on the effectiveness of organizational information security policies and information security performance from the following aspects: The length of information security policy publication time, policy review, policy advocacy, employee compliance, fair law enforcement, etc., which are all concrete manifestations of the formulation, implementation, and maintenance of information security policy models. Through a questionnaire survey, the correlation between various assumptions, as well as the relationship between organizational information security characteristics, information security policies, and the effectiveness of information security, are verified one by one during the implementation of information security policies. Finally, conclusions and implications are put forward.

Download Full-text

The Effect of Organizational Information Security Climate on Information Security Policy Compliance: The Mediating Effect of Social Bonding towards Healthcare Nurses

Sustainability ◽

10.3390/su13052800 ◽

2021 ◽

Vol 13 (5) ◽

pp. 2800

Author(s):

Ke Dong ◽

Rao Faizan Ali ◽

P. D. D. Dominic ◽

Syed Emad Azhar Ali

Keyword(s):

Information Security ◽

Security Policy ◽

Mediating Effect ◽

Social Bond ◽

Policy Compliance ◽

Information Security Policy ◽

Security Breaches ◽

Organizational Information ◽

Information Security Policy Compliance ◽

Security Policy Compliance

The advancement of information communication technology in healthcare institutions has increased information security breaches. Scholars and industry practitioners have reported that most security breaches are due to negligence towards organizational information security policy compliance (ISPC) by healthcare employees such as nurses. There is, however, a lack of understanding of the factors that ensure ISPC among nurses, especially in developing countries such as Malaysia. This paper develops and examines a research framework that draws upon the factors of organizational climate of information security (OCIS) and social bond theory to enhance ISPC among nurses. A questionnaire was adopted in which responses were obtained from 241 nurses employed in 30 hospitals in Malaysia. The findings from the study demonstrated that the ISPC among nurses is enhanced through OCIS factors. The influence on ISPC was even more significant when examined by the mediating effect of the social bond. It implies that influential OCIS factors reinforce social bonds among nurses and eventually increase the ISPC. For information security practitioners, the study findings emphasize the prevalence of socio-active information security culture in healthcare organizations to enhance ISP compliance among nurses.

Download Full-text

Information security practice in Saudi Arabia: case study on Saudi organizations

Information and Computer Security ◽

10.1108/ics-01-2018-0006 ◽

2018 ◽

Vol 26 (5) ◽

pp. 568-583 ◽

Cited By ~ 2

Author(s):

Zakarya A. Alzamil

Keyword(s):

Information Security ◽

Security Policy ◽

Middle Eastern ◽

Information Security Policy ◽

Content Type ◽

Governmental Organizations ◽

Non Governmental Organizations ◽

It Employees ◽

The Status

Purpose Information security of an organization is influenced by the deployed policy and procedures. Information security policy reflects the organization’s attitude to the protection of its information assets. The purpose of this paper is to investigate the status of the information security policy at a subset of Saudi’s organizations by understanding the perceptions of their information technology’s employees. Design/methodology/approach A descriptive and statistical approach has been used to describe the collected data and characteristics of the IT employees and managers to understand the information security policy at the surveyed organizations. The author believes that understanding the IT employees’ views gives a better understanding of the organization’s status of information security policy. Findings It has been found that most of the surveyed organizations have established information security policy and deployed fair technology; however, many of such policies are not enforced and publicized effectively and efficiently which degraded the deployed technology for such protection. In addition, the clarity and the comprehensibility of such policies are questionable as indicated by most of the IT employees’ responses. A comparison with similar studies at Middle Eastern and European countries has shown similar findings and shares the same concerns. Originality/value The findings of this research suggest that the Saudi Communications and Information Technology Commission should develop a national framework for information security to guide the governmental and non-governmental organizations as well as the information security practitioners on the good information security practices in terms of policy and procedures to help the organizations to avoid any vulnerability that may lead to violations on the security of their information.

Download Full-text