Factors influencing information security compliance: an institutional perspective

2021 ◽  
Vol 44 (1) ◽  
pp. 108-118
Author(s):  
Temtim Assefa ◽  
Alpha Tensaye

Information is a critical resource of the modern organization and must be protected from both internal and external threats if the organization is to survive in a competitive business environment. To do so, a comprehensive security policy must be formulated and implemented, and every employee must comply with it. Although organizations implement information security policies, it is commonly observed that employees do not comply with them. The purpose of this research was to identify the organizational factors that shape employees' behaviour in complying with the information system security policy at Ethio-telecom. Data were collected using a survey, and multiple linear regression was used for analysis. The results showed that management support, awareness and training, and accountability are the leading organizational factors shaping employees' compliance with the existing information system security policy. As a single case study, the findings cannot be generalized to other organizations; other researchers can replicate this research to test the generalizability of the findings across different contexts.

2014 ◽  
Vol 2014 ◽  
pp. 1-12 ◽  
Author(s):  
Sang Hoon Kim ◽  
Kyung Hoon Yang ◽  
Sunyoung Park

The authors identified the behavioural factors that influence organization members' compliance with the information security policy on the basis of neutralization theory, the theory of planned behaviour, and protection motivation theory. Following the theory of planned behaviour, members' attitudes towards compliance, together with normative beliefs and self-efficacy, were expected to determine the intention to comply with the information security policy. Neutralization theory, a prominent theory in criminology, was expected to explain information system security policy violations. Based on protection motivation theory, it was inferred that expected efficacy could affect compliance intentions. From this reasoning, an integrative behavioural model and eight hypotheses were derived. Data were collected by survey; 194 of 207 questionnaires were usable. The causal model was tested with PLS, and reliability, validity, and model fit were found to be statistically significant. Seven of the eight hypotheses were supported. The theoretical implications of this study are as follows: (1) the study is expected to serve as a baseline for future research on organization members' compliance with the information security policy; (2) the study took an interdisciplinary approach by combining psychology and information system security research; and (3) the study suggested concrete operational definitions of the factors influencing information security policy compliance through a comprehensive theoretical review. The study also has practical implications. First, it can provide guidelines to support the successful execution of a strategy for implementing information system security policies in organizations. Second, it shows that education and training programs that suppress members' neutralization of the intention to violate the information security policy should be emphasized.


2016 ◽  
pp. 38-59
Author(s):  
Edison Fontes ◽  
Antonio José Balloni

In this chapter, the reader finds a structured approach to developing, implementing, and maintaining the regulatory rules or principles needed for information system security (ISS). In addition, the reader finds how to ensure the proper use of the ISS, covering authorization and protection against disaster situations, i.e. effective system protection when accessing, storing, using, and retrieving information in normal or contingency situations. Together these elements form the structure of an information security policy based on the set of controls described in NBR ISO/IEC 27002 (ABNT, 2005). Defining this structure is important because the ABNT (2005) norm does not indicate, define, or explain what the structure of such a policy should be (i.e., which are its fundamental elements and functions, what the standard forms of rules for the controls are, and other practical issues) so that the policy can be effective for the organization. The structure shown in this chapter represents a practical and useful architecture for the elements of an organization's information security policy.


2020 ◽  
Vol 28 (5) ◽  
pp. 743-761
Author(s):  
Isaac Wiafe ◽  
Felix Nti Koranteng ◽  
Abigail Wiafe ◽  
Emmanuel Nyarko Obeng ◽  
Winfred Yaokumah

Purpose: The purpose of this paper is to determine which factors influence information system security policy compliance. It examines how different norms influence compliance intention.
Design/methodology/approach: Based on relevant literature on information system security policy compliance, a research model was developed and validated. An online questionnaire was used to gather data from respondents, and partial least squares structural equation modelling (PLS-SEM) was used to analyse the 432 responses received.
Findings: The results indicated that attitude towards information security compliance mediates the effect of personal norms on compliance intention. In addition, descriptive and subjective norms are significant predictors of personal norms.
Originality/value: Although technology has advanced significantly, it is still inadequate to guarantee information systems' security. Researchers have identified humans as central to ensuring information security. To this effect, this study provides empirical evidence of the role of norms in influencing information security behaviour.


2011 ◽  
pp. 154-168
Author(s):  
Chandan Mazumdar

There has been an unprecedented thrust in employing computer and communication technologies in all walks of life. The systems enabled by information technology are becoming more and more complex, resulting in various threats and vulnerabilities. Security properties such as confidentiality, integrity, and availability are becoming more and more difficult to protect. In this chapter, a life-cycle approach to achieving and maintaining enterprise security is proposed. First, enterprise information systems are examined in detail. Then, the need for enterprise information system security and the problems associated with security implementation are discussed. The authors treat enterprise information system security as a management issue and detail the information security parameters. Finally, the proposed security engineering life-cycle is described in detail; it includes the Security Requirement Analysis, Security Policy Formulation, Security Infrastructure Advisory Generation, Security Testing and Validation, and Review and Monitoring phases.


2019 ◽  
Vol 12 (2) ◽  
pp. 117
Author(s):  
Hend K. Alkahtani

Background: Information system use has increased substantially among organizations because of its effective integration of resources and improved performance. This increasing reliance on information systems also poses a great security threat to firms. Objective: The study evaluates the security of the information system in an organization located in Saudi Arabia with respect to the users' awareness level. Methods: A quantitative design using a survey approach was adopted. A closed-ended questionnaire was used to evaluate the awareness level of individuals. A total of 109 participants (males and females) from the Saudi company were recruited for the study. Results: Despite the implementation of the policy, employees were unaware of it. The study highlights that developing a firm's information security policy requires the firm to make employees aware of the significance of information security. Conclusion: The study concludes that the organization needs to educate the workforce about the information security policy and develop their understanding of the information security system. This enables employees to identify and report security threats and risks, which helps to improve information security awareness.


2019 ◽  
Vol 12 (1) ◽  
pp. 51-55
Author(s):  
Nurhafifah Matondang ◽  
Bayu Hananto ◽  
Catur Nugrahaeni

The University holds a large amount of data relating to academic and higher-education governance, and this data requires security, especially in terms of the readiness to secure information systems. Maintaining information system security in the university environment aims to preserve confidentiality, ensure the availability of the system to those who are authorized to use it, and protect the integrity of the system. The University of National Development "Veteran" Jakarta (UPN Veteran Jakarta) has work units such as faculties, UPTs and bureaus, each with the task and function of managing data. The problem is the need to measure the level of information system security in order to see the maturity of information security at UPN Veteran Jakarta. The KAMI Index (Indeks Keamanan Informasi, the Information Security Index) is a tool used to analyse, measure and evaluate the maturity level of information security against the SNI ISO/IEC 27001:2009 standard, and it can be applied within government agencies. The KAMI Index version used was version 3.1. The KAMI Index method addresses the problem through six areas of assessment, namely: (1) electronic system category, (2) information security governance, (3) information security risk management, (4) information security management framework, (5) information asset management, and (6) information security technology. The results obtained after measurement using the KAMI Index show that system security needs improvement in managing information security risks and in governance.


2018 ◽  
Vol 26 (2) ◽  
pp. 171-193 ◽  
Author(s):  
Miranda Kajtazi ◽  
Hasan Cavusoglu ◽  
Izak Benbasat ◽  
Darek Haftor

Purpose: This study aims to identify antecedents to noncompliance behaviour influenced by decision contexts where investments in time, effort and resources are devoted to a task that is unlikely to be completed without violating the organization's information security policy (ISP).
Design/methodology/approach: An empirical test of the relationships in the proposed model was conducted through a field study using the survey method for data collection. Pre-tests, a pre-study, the main study and a follow-up study compose the methodology, involving more than 500 respondents across different organizations.
Findings: The results confirm that the antecedents that explain escalation-of-commitment behaviour in terms of the effect of lost assets, such as time, effort and other resources, provide a new lens for understanding noncompliance behaviour: employees appear to escalate their commitment to the completion of their tasks at the expense of becoming noncompliant with the ISP.
Research limitations/implications: One key area that requires further attention is a better understanding of the role of risk perceptions in employee behaviour when dealing with value conflicts. Whether an employee is risk-averse or risk-seeking, the model showed no significant effect on noncompliance behaviour in either case. The authors therefore argue that employees' noncompliance may be influenced by more powerful beliefs, such as self-justification and sunk costs.
Practical implications: The results show that when employees are caught in tasks undergoing difficulties, they are more likely to engage in noncompliance behaviour. By better understanding how project obstacles give rise to such tasks, security managers can define new mechanisms to counter employees' shift from compliance to noncompliance.
Social implications: Apart from encouraging compliance through enforcement mechanisms (direct behavioural controls such as sanctions or rewards), indirect behavioural controls may also encourage compliance. The authors suggest that ISPs should state that the organization will take positive action toward task completion and help employees resolve their problems quickly.
Originality/value: This study is the first to apply escalation-of-commitment theories and to use antecedents that explain the effect of lost assets, such as time, effort and other resources, to explain noncompliance with the ISP in terms of value conflicts, where employees often choose to forgo compliance in order to finish their tasks.

