Information security policies’ compliance: a perspective for higher education institutions

ABSTRACT

This paper provides a systematic literature review of the information security policies’ compliance (ISPC) field with respect to information security culture, information security awareness, and information security management, exploring the research designs, methodologies, and frameworks that have evolved in various settings over the last decade. Studies conducted from 2006 to 2016 reporting results from data collected through diverse means have been explored; however, only a few studies have focused primarily on a sensitive infrastructure under risk, as is the case with higher education institutions (HEIs). This study reports that ISPC in HEIs remains scarce, as is the realization of security threats and dissemination of information security policies to end users (employees). This research makes a novel contribution to the body of knowledge as a unique study that has reviewed the influence of institutional governance in HEIs on protection motivation leading towards ISPC.
