Bridging the Gap between Organisational Practices and Cyber Security Compliance: Can Cooperation Promote Compliance in Organisations?

Drawing on public goods and institutional theory, this study examines the mediating effect of cooperation on the relationship between three organisational practices, namely top management commitment (TMC), structured security processes (SSP) and security investment (SI), and cyber security compliance in organisations. Using data from Malaysia's critical sectors, ordinal regression was used to estimate the odds of security compliance given these practices, adjusted for job portfolio, security responsibility and educational level. The results show that cooperation mediates the effect of TMC and SSP on security compliance. The indirect effect of these practices through cooperation reveals a subtle influence that previous studies had not demonstrated. The results also support the non-excludable character of cyber security as a public good: where security is concerned, cooperation overrides free-riding.
