Factors Influencing Information Security Policy Compliance Behavior

2022 ◽  
pp. 213-232
Author(s):  
Kwame Simpe Ofori ◽  
Hod Anyigba ◽  
George Oppong Appiagyei Ampong ◽  
Osaretin Kayode Omoregie ◽  
Makafui Nyamadi ◽  
...  
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Future Research ◽  
General Deterrence ◽  
Security Education ◽  
Weakest Link ◽  
Compliance Behavior ◽  
Security Compliance ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.

Factors Influencing Information Security Policy Compliance Behavior

2020 ◽  
pp. 152-171
Author(s):  
Kwame Simpe Ofori ◽  
Hod Anyigba ◽  
George Oppong Appiagyei Ampong ◽  
Osaretin Kayode Omoregie ◽  
Makafui Nyamadi ◽  
...  
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Future Research ◽  
General Deterrence ◽  
Security Education ◽  
Weakest Link ◽  
Compliance Behavior ◽  
Security Compliance ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.

scholarly journals The effect of perceived organizational culture on employees’ information security compliance

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Martin Karlsson ◽  
Fredrik Karlsson ◽  
Joachim Åström ◽  
Thomas Denk
Keyword(s):  
Organizational Culture ◽  
Information Security ◽  
Security Policy ◽  
Organizational Cultures ◽  
Policy Compliance ◽  
Information Security Policy ◽  
Content Type ◽  
Security Compliance ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

Purpose This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers. Design/methodology/approach The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy. Findings The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance. Research limitations/implications The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance. Practical implications Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations. Originality/value Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Variables influencing information security policy compliance

2014 ◽  
Vol 22 (1) ◽  
pp. 42-75 ◽  
Author(s):  
Teodor Sommestad ◽  
Jonas Hallberg ◽  
Kristoffer Lundholm ◽  
Johan Bengtsson
Keyword(s):  
Systematic Review ◽  
Information Security ◽  
Security Policy ◽  
Empirical Studies ◽  
Security Policies ◽  
Future Research ◽  
Policy Compliance ◽  
Content Type ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

Purpose – The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. Design/methodology/approach – A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed. Findings – In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour and when a variable has been investigated in multiple studies the findings often show a considerable variation. Research limitations/implications – It is possible that the disparate findings of the reviewed studies can be explained by the sampling methods used in the studies, the treatment/control of extraneous variables and interplay between variables. These aspects ought to be addressed in future research efforts. Practical implications – For decision makers who seek guidance on how to best achieve compliance with their information security policies should recognize that a large number of variables probably influence employees' compliance. In addition, both their influence strength and interplay are uncertain and largely unknown. Originality/value – This is the first systematic review of research on variables that influence compliance with information security policies of organizations.

Towards a Student Security Compliance Model (SSCM)

2020 ◽  
pp. 204-216
Author(s):  
Felix Nti Koranteng
Keyword(s):  
Developing Countries ◽  
Information Security ◽  
Predictive Factors ◽  
Security Policy ◽  
Educational Institutions ◽  
Qualitative And Quantitative ◽  
Weakest Link ◽  
Compliance Model ◽  
Security Compliance ◽  
Behavioural Theories

Users are considered the weakest link in ensuring information security (InfoSec). As a result, users' security behaviour remains crucial in many organizations. In response, InfoSec research has produced many behavioural theories targeted at explaining information security policy (ISP) compliance. Meanwhile, these theories mostly draw samples from employees often in developing countries. Such theories are not applicable to students in educational institutions since their psychological orientation with regards to InfoSec is different when compared with employees. Based on this premise, the chapter presents arguments founded on synthesis from existing literature. It proposes a students' security compliance model (SSCM) that attempts to explain predictive factors of students' ISP compliance intentions. The study encourages further research to confirm the proposed relationships using qualitative and quantitative techniques.

The Cultural Foundation of Information Security Behavior

2021 ◽  
pp. 522-545
Author(s):  
Canchu Lin ◽  
Anand S. Kunnathur ◽  
Long Li
Keyword(s):  
Organizational Culture ◽  
Information Security ◽  
Security Policy ◽  
Behavior Control ◽  
Policy Compliance ◽  
Information Security Policy ◽  
Information Security Behavior ◽  
Security Behavior ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

Past behavior research overwhelmingly focused on information security policy compliance and under explored the role of organizational context in shaping information security behaviors. To address this research gap, this study integrated two threads of literature: organizational culture, and information security behavior control, and proposed a framework that integrates mid-range theories used in empirical research, connects them to organizational culture, and predicts its role in information security behavior control. Consistent with the cultural-fit perspective, this framework shows that information security policy compliance fits hierarchical culture and the approach of promoting positive, proactive, and emerging information security behaviors fits participative culture. Contributions and practical implications of this framework, together with future research directions, are discussed.

Sign in / Sign up

Export Citation Format

Share Document