Towards analysing the rationale of information security non-compliance: Devising a Value-Based Compliance analysis method

Highlights: We develop a method for Value-Based Compliance analysis of information security. We develop a set of design principles for a Value-Based Compliance analysis method. We analyse the value conflicts behind information security non-compliance. We provide a hands-on guide to Value-Based Compliance analysis.

Abstract: Employees' poor compliance with information security policies is a perennial problem. Current information security analysis methods do not allow information security managers to capture the rationalities behind employees' compliance and non-compliance. To address this shortcoming, this design science research paper proposes (a) a Value-Based Compliance analysis method and (b) a set of design principles for methods that analyse the different rationalities at work in information security. Our empirical demonstration shows that the method supports a systematic analysis of why employees comply, or do not comply, with policies. We thereby give managers a tool that makes them more knowledgeable about employees' information security behaviours.
