A Composite Framework for Behavioral Compliance with Information Security Policies

Salvatore Aurigemma

doi:10.4018/joeuc.2013070103

A Composite Framework for Behavioral Compliance with Information Security Policies

Journal of Organizational and End User Computing ◽

10.4018/joeuc.2013070103 ◽

2013 ◽

Vol 25 (3) ◽

pp. 32-51 ◽

Cited By ~ 9

Author(s):

Salvatore Aurigemma

Keyword(s):

Information Security ◽

Theory Of Planned Behavior ◽

Theoretical Framework ◽

Composite Model ◽

Security Policies ◽

Future Research ◽

Security Threats ◽

Behavioral Compliance ◽

Weakest Link ◽

Organizational Information

To combat potential security threats, organizations rely upon information security policies to guide employee actions. Unfortunately, employee violations of such policies are common and costly enough that users are often considered the weakest link in information security. This paper presents a composite theoretical framework for understanding employee behavioral compliance with organizational information security policies. Building off of the theory of planned behavior, a composite model is presented that incorporates the strengths of previous studies while minimizing theoretical gaps present in other behavioral compliance models. In building the framework, related operational constructs are examined and normalized to allow better comparison of past studies and help focus future research efforts.

Download Full-text

Analisis Tingkat Keamanan Aplikasi SIMAK Menggunakan Standard ISO/IEC 27002:2013 (Studi Kasus: UPTTIK Universitas Siliwangi)

Jurnal Serambi Engineering ◽

10.32672/jse.v6i2.2879 ◽

2021 ◽

Vol 6 (2) ◽

Author(s):

Iyos Rosidin Pajar

Keyword(s):

Information Technology ◽

Information Security ◽

Data Security ◽

Security Policies ◽

Management Processes ◽

Organizational Information ◽

Iec 27002 ◽

The University ◽

Level 2 ◽

Security Concern

The issue of data security seems to be one of the most intriguing topics to observe in the development of information technology in recent time/. The information technology related to the management processes, one of which is the SIMAK application at the University of Siliwangi needs a higher security concern. This study aims to determine the level of security of the SIMAK application in which the researchers can provide recommendations to SIMAK managers. This could be the basis for the future improvements. Researchers used 4 domains from ISO / IEC 27002: 2013, namely domain 5, it contains information security policies. Domain 6, it contains organizational information security. Domain 9, it contains access control. Lastly, Domain 11, it contains physical and environmental security. When they are specified from the four domains, 38 controls are obtained. Security, from the results of the questionnaire and weighting, the result of the 5 domains maturity value is= 1.49, the result of the domain 6 maturity value is= 1.52, while domain 9 maturity value is= 1.32 and domain 11 maturity value constitute to 1.97. If it is averaged, the Siliwangi University SIMAK application is at level 2 or repeatable.

Download Full-text

The Social Side of Security

Social Information Technology ◽

10.4018/978-1-59904-774-4.ch010 ◽

2011 ◽

pp. 140-150 ◽

Cited By ~ 2

Author(s):

Richard G. Taylor

Keyword(s):

Social Issue ◽

Information Systems ◽

Information Security ◽

New Technologies ◽

Security Threats ◽

Current Information ◽

New Methods ◽

The Social ◽

Organizational Information ◽

Social Side

The introduction of new technologies to accumulate large amounts of data has resulted in the need for new methods to secure organizational information. Current information security strategies tend to focus on a technology-based approach to securing information. However, this technology-based approach can leave an organization vulnerable to information security threats. Organizations must realize that information security is not necessarily a technology issue, but rather a social issue. Humans operate, maintain, and use information systems. Their actions, whether intentional or accidental, are the real threat to organizations. Information security strategies must be developed to address the social issue.

Download Full-text

A THEORETICAL FRAMEWORK FOR UTILIZING DATA WAREHOUSING TO PREDICT INFORMATION SECURITY THREATS

Issues In Information Systems ◽

10.48009/2_iis_2009_113-120 ◽

2009 ◽

Keyword(s):

Information Security ◽

Data Warehousing ◽

Theoretical Framework ◽

Security Threats

Download Full-text

Coping Strategies and Paradoxes Related to BYOD Information Security Threats in France

Journal of Global Information Management ◽

10.4018/jgim.2020040101 ◽

2020 ◽

Vol 28 (2) ◽

pp. 1-28 ◽

Cited By ~ 1

Author(s):

Paméla Baillette ◽

Yves Barlette

Keyword(s):

Information Security ◽

Coping Strategies ◽

Behavioral Control ◽

Personal Information ◽

Bring Your Own Device ◽

Future Research ◽

Perceived Behavioral Control ◽

Security Threats ◽

Personal Mobile Devices ◽

Professional Context

Bring Your Own Device (BYOD) refers to the provision and use of personal mobile devices by employees for both private and business purposes. Although there has been research on BYOD, little attention has been paid to employees' perception of threats to their personal information security (ISS) when using a BYOD, especially in a professional context. This article investigates employee coping strategies related to BYOD ISS threats in France. The results of a survey of 223 employees indicate that while perceived behavioral control exerts only direct effects on problem-focused (i.e., disturbance handling) and emotion-focused (i.e., self-preservation) coping strategies, ISS concern exhibits significant direct and moderating influences. Several security paradoxes could be identified, namely, discrepancies between the respondents' ISS concern and the adopted coping strategies. This article offers the first insights into the French context and can serve as a basis for comparisons in future research and to help improve employees' personal ISS in the professional context.

Download Full-text

Organizational information security policies: a review and research framework

European Journal of Information Systems ◽

10.1057/s41303-017-0059-9 ◽

2017 ◽

Vol 26 (6) ◽

pp. 605-641 ◽

Cited By ~ 37

Author(s):

W. Alec Cram ◽

Jeffrey G. Proudfoot ◽

John D’Arcy

Keyword(s):

Information Security ◽

Security Policies ◽

Research Framework ◽

Organizational Information

Download Full-text

An Investigation Of Organizational Information Security Risk Analysis

Journal of Service Science (JSS) ◽

10.19030/jss.v3i2.368 ◽

2010 ◽

Vol 3 (2) ◽

Cited By ~ 1

Author(s):

Zack Jourdan ◽

R. Kelly Rainer, Jr. ◽

Thomas E. Marshall ◽

F. Nelson Ford

Keyword(s):

Information Systems ◽

Information Security ◽

Risk Analysis ◽

Security Threats ◽

Security Risk ◽

Current State ◽

Policies And Procedures ◽

Organizational Information ◽

Quantitative Results ◽

Information Security Risk

Despite a growing number and variety of information security threats, many organizations continue to neglect implementing information security policies and procedures. The likelihood that an organization’s information systems can fall victim to these threats is known as information systems risk (Straub & Welke, 1998). To combat these threats, an organization must undergo a rigorous process of self-analysis. To better understand the current state of this information security risk analysis (ISRA) process, this study deployed a questionnaire using both open-ended and closed ended questions administered to a group of information security professionals (N=32). The qualitative and quantitative results of this study show that organizations are beginning to conduct regularly scheduled ISRA processes. However, the results also show that organizations still have room for improvement to create idyllic ISRA processes.

Download Full-text

Factors Influencing Information Security Policy Compliance Behavior

10.4018/978-1-6684-3698-1.ch010 ◽

2022 ◽

pp. 213-232

Author(s):

Kwame Simpe Ofori ◽

Hod Anyigba ◽

George Oppong Appiagyei Ampong ◽

Osaretin Kayode Omoregie ◽

Makafui Nyamadi ◽

...

Keyword(s):

Information Security ◽

Security Policy ◽

Future Research ◽

General Deterrence ◽

Security Education ◽

Weakest Link ◽

Compliance Behavior ◽

Security Compliance ◽

Information Security Policy Compliance ◽

Security Policy Compliance

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.

Download Full-text

Smart City Development in Taiwan: From the Perspective of the Information Security Policy

Sustainability ◽

10.3390/su12072916 ◽

2020 ◽

Vol 12 (7) ◽

pp. 2916 ◽

Cited By ~ 1

Author(s):

Yung Chang Wu ◽

Rui Sun ◽

Yenchun Jim Wu

Keyword(s):

Information Security ◽

Smart City ◽

Security Policy ◽

Smart Cities ◽

Mobile Internet ◽

Security Policies ◽

Information Security Policy ◽

Organizational Information ◽

The Impact ◽

The Relationship

A smart city is developed through the Internet of Things (IoT), cloud computing, big data, mobile Internet, and other new generation technologies regarding information and communication, and data resources in various fields are integrated and applied. The issue of information security in the network era is the strategic focus, as well as the focus of people’s attention, during Taiwan’s smart city construction. Information security policies are the information security guidelines for organizations, and are key to the organization’s information security performance; moreover, such policies show the organization’s support and commitment to the information security of smart cities. This paper discusses the model of information security policy in Taiwan’s smart cities, uses Path Analysis to explore the characteristics of information security policy in smart cities, and examines the relationship between the formulation, implementation, maintenance, and effectiveness of information security policies. Furthermore, this study examines the impact on the effectiveness of organizational information security policies and information security performance from the following aspects: The length of information security policy publication time, policy review, policy advocacy, employee compliance, fair law enforcement, etc., which are all concrete manifestations of the formulation, implementation, and maintenance of information security policy models. Through a questionnaire survey, the correlation between various assumptions, as well as the relationship between organizational information security characteristics, information security policies, and the effectiveness of information security, are verified one by one during the implementation of information security policies. Finally, conclusions and implications are put forward.

Download Full-text