Investigating the factors influencing information security compliance in a financial services firm

Management of information security is a major challenge for financial institutions today. Corporate social responsibility is imperative given the ever-escalating crime and abuse of information. As a result, managers' fiduciary duty to protect information is increasingly under scrutiny by national and international regulators. While measures have been put in place to ensure security and compliance, recent evidence suggests organisations still struggle to comply with regulations. A review of previous studies indicates that work on compliance is fragmented and that the significance of the influencing factors has not been determined. This paper aims to create awareness of the regulatory frameworks governing the use of IT, and of the factors influencing compliance with information security regulations in the financial sector in South Africa. A conceptual framework explaining the nature of the factors influencing compliance was developed and tested in a case study of one financial institution. Mixed methods were used to collect and analyse the data. The results show that compliance is influenced mainly by culture, and that the influence of mimetic pressure is insignificant. In addition, there appears to be more focus on international than on national regulations. In particular, there is limited concern about, or awareness of, the stringent Electronic Communications and Transactions (ECT) Act, which regulates the use of electronic technology in South Africa.
