Investigating the Role of Socio-organizational Factors in the Information Security Compliance in Organizations

The increased reliance on information systems has created unprecedented challenges for organizations seeking to protect their critical information from security threats that carry direct consequences: corporate liability, loss of credibility, and monetary damage. As a result, information security has become a top priority in many organizations. This study investigates the role of socio-organizational factors in the adoption of information security compliance in organizations, drawing insights from the organizational theory literature. Based on an analysis of survey data collected from 294 employees across different organizations, the study indicates that management commitment, awareness and training, accountability, technology capability, technology compatibility, process integration, and audit and monitoring have a significant positive impact on the adoption of information security compliance in organizations. The study contributes to information security compliance research by exploring the criticality of socio-organizational factors at the organizational level for information security compliance.
