Information Security Culture for Guiding Employee’s Security Behaviour: A Pilot Study

Experts and scholars have suggested that cultivating a positive Information Security Culture (ISC) could improve employees' security behaviour in organizations. However, ISC models aimed specifically at employees' security behaviour are limited. This paper discusses a pilot study from our research-in-progress, which proposes a holistic ISC model to be used as guidance for employees' security behaviour in organizations. The ISC concept model developed in the study is represented by seven comprehensive dimensions formulated from widely accepted concepts of Organizational Culture and ISC. These dimensions embody various aspects of ISC cultivation. The model was tested in a Malaysian public university. The study employed Partial Least Squares Structural Equation Modelling (PLS-SEM), using SmartPLS 3 software, to analyze and validate the model. The findings proved that the ISC model is significant in influencing security compliance behaviour. Hence, this study contributes to the ISC literature through the conceptualization and empirical validation of a new ISC model based on seven comprehensive dimensions in relation to ISP compliance behaviour.
