Security by Compliance? A Study of Insider Threat Implications for Nigerian Banks

This work explores the behavioural dimension of compliance with information security standards. We review past literature that builds on different models of human behaviour, drawing on relevant theories such as deterrence theory and the theory of planned behaviour. We conduct a survey of IT professionals, managers and employees of selected Nigerian banks as part of a sector case study focused on this region. Our findings suggest that security by compliance, as a campaign to secure the information assets of Nigerian financial institutions, is a far-fetched approach. In addition to standards, banking regulators should promote a holistic change in security culture across the sector. Based on an established Information Security Governance Framework, we propose how information security may be embedded into organisational security culture in that context.
