Establishing information security policy compliance culture in organizations

Purpose: This paper aims to establish that employees' non-compliance with information security policy (ISP) can be addressed by nurturing an ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership, which influence employees' attitudes and behavioural intentions towards ISP in organizations. The paper also aims to develop a testable research model that may be useful to future researchers in predicting employees' behavioural intentions.

Design/methodology/approach: In view of the study's aim, a research model showing how three key constructs can influence the attitudes and behaviours of employees towards the establishment of an information security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.

Findings: The study found that supportive organizational culture and end-user involvement significantly influenced employees' attitudes towards compliance with ISP. Leadership, however, showed the weakest influence on attitudes towards compliance. The overall results showed that employees' attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.

Practical implications: Organizations should influence employees' attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement when drafting and updating the ISP, and nurturing a culture that is conducive to ISP compliance.

Originality/value: The study provides insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.
