Towards a Student Security Compliance Model (SSCM)

2020 ◽

pp. 204-216

Author(s):

Felix Nti Koranteng

Keyword(s):

Developing Countries ◽

Information Security ◽

Predictive Factors ◽

Security Policy ◽

Educational Institutions ◽

Qualitative And Quantitative ◽

Weakest Link ◽

Compliance Model ◽

Security Compliance ◽

Behavioural Theories

Users are considered the weakest link in ensuring information security (InfoSec). As a result, users' security behaviour remains crucial in many organizations. In response, InfoSec research has produced many behavioural theories targeted at explaining information security policy (ISP) compliance. Meanwhile, these theories mostly draw samples from employees often in developing countries. Such theories are not applicable to students in educational institutions since their psychological orientation with regards to InfoSec is different when compared with employees. Based on this premise, the chapter presents arguments founded on synthesis from existing literature. It proposes a students' security compliance model (SSCM) that attempts to explain predictive factors of students' ISP compliance intentions. The study encourages further research to confirm the proposed relationships using qualitative and quantitative techniques.

Download Full-text

Building an awareness-centered information security policy compliance model

Industrial Management & Data Systems ◽

10.1108/imds-07-2019-0412 ◽

2019 ◽

Vol 120 (1) ◽

pp. 231-247 ◽

Cited By ~ 1

Author(s):

Alex Koohang ◽

Jonathan Anderson ◽

Jeretta Horn Nord ◽

Joanna Paliszkiewicz

Keyword(s):

Information Security ◽

Security Policy ◽

Path Modeling ◽

Information Security Policy ◽

Content Type ◽

Security Issues ◽

Compliance Model ◽

Security Compliance ◽

Trusting Beliefs ◽

Practical Implications

Purpose The purpose of this paper is to build an awareness-centered information security policy (ISP) compliance model, asserting that awareness is the key to ISP compliance and that awareness depends upon several variables that influence successful ISP compliance. Design/methodology/approach The authors built a model with seven constructs, i.e., leadership, trusting beliefs, information security issues awareness (ISIA), ISP awareness, understanding resource vulnerability, self-efficacy (SE) and intention to comply. Seven hypotheses were stated. A sample of 285 non-management employees was used from various organizations in the USA. The authors used path modeling to analyze the data. Findings The findings indicated that IS awareness depends on effective organizational leadership and elevated employees’ trusting beliefs. The understanding of resource vulnerability (URV) and SE are influenced by IS awareness resulting from effective leadership and elevated employees’ trusting beliefs which guide employees to comply with ISP requirements. Practical implications Practical implications were aimed at organizations embracing an awareness-centered information security compliance program to secure organizations’ assets against threats by implementing various security education and training awareness programs. Originality/value This paper asserts that awareness is central to ISP compliance. Leadership and trusting beliefs variables play significant roles in the information security awareness which in turn positively affect employees’ URV and SE variables leading employees to comply with the ISP requirements.

Download Full-text

Factors Influencing Information Security Policy Compliance Behavior

10.4018/978-1-6684-3698-1.ch010 ◽

2022 ◽

pp. 213-232

Author(s):

Kwame Simpe Ofori ◽

Hod Anyigba ◽

George Oppong Appiagyei Ampong ◽

Osaretin Kayode Omoregie ◽

Makafui Nyamadi ◽

...

Keyword(s):

Information Security ◽

Security Policy ◽

Future Research ◽

General Deterrence ◽

Security Education ◽

Weakest Link ◽

Compliance Behavior ◽

Security Compliance ◽

Information Security Policy Compliance ◽

Security Policy Compliance

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.

Download Full-text

Factors Influencing Information Security Policy Compliance Behavior

Modern Theories and Practices for Cyber Ethics and Security Compliance - Advances in Information Security, Privacy, and Ethics ◽

10.4018/978-1-7998-3149-5.ch010 ◽

2020 ◽

pp. 152-171

Author(s):

Kwame Simpe Ofori ◽

Hod Anyigba ◽

George Oppong Appiagyei Ampong ◽

Osaretin Kayode Omoregie ◽

Makafui Nyamadi ◽

...

Keyword(s):

Information Security ◽

Security Policy ◽

Future Research ◽

General Deterrence ◽

Security Education ◽

Weakest Link ◽

Compliance Behavior ◽

Security Compliance ◽

Information Security Policy Compliance ◽

Security Policy Compliance

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.

Download Full-text

Exploring the Impact of Security Policy on Compliance

Global Implications of Emerging Technology Trends - Advances in IT Standards and Standardization Research ◽

10.4018/978-1-5225-4944-4.ch014 ◽

2018 ◽

pp. 256-274 ◽

Cited By ~ 2

Author(s):

Winfred Yaokumah ◽

Peace Kumah

Keyword(s):

Information Security ◽

Security Policy ◽

Structural Equation ◽

Partial Least Square ◽

Least Square ◽

Security Monitoring ◽

Roles And Responsibilities ◽

Security Compliance ◽

Security Operations ◽

The Impact

Extant studies on compliance with security policies have largely ignored the impact of monitoring, security operations, and roles and responsibilities on employees' compliance. This chapter proposes a theoretical model that integrates security policy, monitoring, security operations, and security roles to examine employees' security compliance. Data were collected from 233 IT security and management professionals. Using partial least square structural equation modelling and testing hypotheses, the study finds that information security policy has significant indirect influence on information security compliance. The effect of security policy is fully mediated by security roles, operations security activities, and security monitoring activities. Security policy strongly influences operations security activities and has the greatest effect on security roles and responsibilities. Among the three mediating variables, monitoring has the most significant influence on security compliance. Conversely, the direct impact of security policy on compliance is not significant.

Download Full-text

Escalation of commitment and information security: theories and implications

Information and Computer Security ◽

10.1108/ics-02-2016-0015 ◽

2017 ◽

Vol 25 (5) ◽

pp. 580-592 ◽

Cited By ~ 3

Author(s):

Dmitriy V. Chulkov

Keyword(s):

Information Security ◽

Security Policy ◽

Decision Makers ◽

Future Research ◽

Escalation Of Commitment ◽

Content Type ◽

Economic Theories ◽

Course Of Action ◽

Security Compliance ◽

Information Security Investment

Purpose This study aims to explore the challenges that the escalation of commitment poses to information security. Design/methodology/approach Two distinct scenarios of escalation behavior are presented based on literature review. Psychological, organizational and economic theories on escalation of commitment are reviewed and applied to the area of information security. Findings Escalation of commitment involves continuation of a course of action after receiving negative information about it. In the information security compliance context, escalation affects a firm when an employee decides to break the firm’s information security policy to complete a failing task. In the information security investment context, escalation occurs if a manager continues investment in policies and solutions that are ineffective because of psychological, organizational or economic factors. Both of these types of escalation may be prevented with de-escalation techniques including a change in management or rotation of duties, monitoring, auditing and governance mechanisms. Practical implications Implications of escalation of commitment behavior for information security decision-makers and for future research are discussed. Originality/value This study complements the literature by establishing the context of escalation of commitment in decisions related to information security and reviewing managerial and economic theories on escalation of commitment.

Download Full-text

Exploring the Impact of Security Policy on Compliance

Research Anthology on Artificial Intelligence Applications in Security ◽

10.4018/978-1-7998-7705-9.ch017 ◽

2021 ◽

pp. 339-357

Author(s):

Winfred Yaokumah ◽

Peace Kumah

Keyword(s):

Information Security ◽

Security Policy ◽

Structural Equation ◽

Partial Least Square ◽

Least Square ◽

Security Monitoring ◽

Roles And Responsibilities ◽

Security Compliance ◽

Security Operations ◽

The Impact

Extant studies on compliance with security policies have largely ignored the impact of monitoring, security operations, and roles and responsibilities on employees' compliance. This chapter proposes a theoretical model that integrates security policy, monitoring, security operations, and security roles to examine employees' security compliance. Data were collected from 233 IT security and management professionals. Using partial least square structural equation modelling and testing hypotheses, the study finds that information security policy has significant indirect influence on information security compliance. The effect of security policy is fully mediated by security roles, operations security activities, and security monitoring activities. Security policy strongly influences operations security activities and has the greatest effect on security roles and responsibilities. Among the three mediating variables, monitoring has the most significant influence on security compliance. Conversely, the direct impact of security policy on compliance is not significant.

Download Full-text

Productivity vs security: mitigating conflicting goals in organizations

Information and Computer Security ◽

10.1108/ics-03-2017-0014 ◽

2017 ◽

Vol 25 (2) ◽

pp. 137-151 ◽

Cited By ~ 1

Author(s):

Peter Mayer ◽

Nina Gerber ◽

Ronja McDermott ◽

Melanie Volkamer ◽

Joachim Vogt

Keyword(s):

Information Security ◽

Goal Setting ◽

Security Policy ◽

Negative Effects ◽

Content Type ◽

Factors Affecting ◽

Positive Effects ◽

Survey Results ◽

Security Compliance ◽

Reported Data

Purpose This paper aims to contribute to the understanding of goal setting in organizations, especially regarding the mitigation of conflicting productivity and security goals. Design/methodology/approach This paper describes the results of a survey with 200 German employees regarding the effects of goal setting on employees’ security compliance. Based on the survey results, a concept for setting information security goals in organizations building on actionable behavioral recommendations from information security awareness materials is developed. This concept was evaluated in three small- to medium-sized organizations (SMEs) with overall 90 employees. Findings The survey results revealed that the presence of rewards for productivity goal achievement is strongly associated with a decrease in security compliance. The evaluation of the goal setting concept indicates that setting their own information security goals is welcomed by employees. Research limitations/implications Both studies rely on self-reported data and are, therefore, likely to contain some kind of bias. Practical implications Goal setting in organizations has to accommodate for situations, where productivity goals constrain security policy compliance. Introducing the proposed goal setting concept based on relevant actionable behavioral recommendations can help mitigate issues in such situations. Originality/value This work furthers the understanding of the factors affecting employee security compliance. Furthermore, the proposed concept can help maximizing the positive effects of goal setting in organizations by mitigating the negative effects through the introduction of meaningful and actionable information security goals.

Download Full-text

Information Security Compliance in Organizations: An Institutional Perspective

Data and Information Management ◽

10.1515/dim-2017-0006 ◽

2017 ◽

Vol 1 (2) ◽

pp. 104-114 ◽

Cited By ~ 1

Author(s):

Ahmed AlKalbani ◽

Hepu Deng ◽

Booi Kam ◽

Xiaojuan Zhang

Keyword(s):

Information Security ◽

Security Policy ◽

Structural Equation ◽

Online Survey ◽

Institutional Pressures ◽

Institutional Perspective ◽

Security Research ◽

Security Compliance ◽

Security Standards ◽

The Impact

Abstract The increasing recognition of the importance of information security has created institutional pressures on organizations to comply with information security standards and policies for protecting their information. How such pressures influence information security compliance in organisations, however, is unclear. This paper presents an empirical study to investigate the impact of institutional pressures on information security compliance in organizations. With the use of structural equation modelling for analysing the data collected through an online survey, the study shows that coercive pressures, normative pressures, and mimetic pressures positively influence information security compliance in organizations. It reveals that the benefits of information security compliance motivate management to strengthen their commitments at information security compliance. Furthermore, the study finds out that social pressures do not have a significant impact on management commitments towards information security compliance. Theoretically this study contributes to the information security research by better understanding how institutional pressures can be used for enhancing information security compliance in organizations. Practically this study informs information security policy makers of the major institutional drivers for information security compliance.

Download Full-text

The effect of perceived organizational culture on employees’ information security compliance

Information and Computer Security ◽

10.1108/ics-06-2021-0073 ◽

2021 ◽

Vol ahead-of-print (ahead-of-print) ◽

Author(s):

Martin Karlsson ◽

Fredrik Karlsson ◽

Joachim Åström ◽

Thomas Denk

Keyword(s):

Organizational Culture ◽

Information Security ◽

Security Policy ◽

Organizational Cultures ◽

Policy Compliance ◽

Information Security Policy ◽

Content Type ◽

Security Compliance ◽

Information Security Policy Compliance ◽

Security Policy Compliance

Purpose This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers. Design/methodology/approach The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy. Findings The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance. Research limitations/implications The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance. Practical implications Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations. Originality/value Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Download Full-text