Assessing the Moderating Effect of Security Technologies on Employees Compliance with Cybersecurity Control Procedures

The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

[1]  S. Shapiro,et al.  An Analysis of Variance Test for Normality (Complete Samples) , 1965 .

[2]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[3]  D. Mcclelland,et al.  Leadership motive pattern and long-term success in management. , 1982 .

[4]  T. Kamarck,et al.  A global measure of perceived stress. , 1983, Journal of health and social behavior.

[5]  L. Smircich Concepts of Culture and Organizational Analysis. , 1983 .

[6]  John Rohrbaugh,et al.  A Spatial Model of Effectiveness Criteria: Towards a Competing Values Approach to Organizational Analysis , 1983 .

[7]  Detmar W. Straub,et al.  Effective IS Security: An Empirical Study , 1990, Inf. Syst. Res..

[8]  B. Bass,et al.  Transformational Leadership And Organizational Culture , 1993 .

[9]  Olive Lundy From personnel management to strategic human resource management , 1994 .

[10]  野中 郁次郎,et al.  The Knowledge-Creating Company: How , 1995 .

[11]  Alfonso Reyes,et al.  The process of embodying distinctions - a re-construction of the process of learning , 1998, Cybern. Hum. Knowing.

[12]  Faculteit der Psychologie en Pedagogiek,et al.  Organizational Culture: The Focus Questionnaire , 1999 .

[13]  B. Gates Business @ the Speed of Thought , 1999 .

[14]  John Hulland,et al.  Use of partial least squares (PLS) in strategic management research: a review of four recent studies , 1999 .

[15]  Varun Grover,et al.  Profiles of Strategic Information Systems Planning , 1999, Inf. Syst. Res..

[16]  Thomas H. Davenport,et al.  Book review:Working knowledge: How organizations manage what they know. Thomas H. Davenport and Laurence Prusak. Harvard Business School Press, 1998. $29.95US. ISBN 0‐87584‐655‐6 , 1998 .

[17]  尚弘 島影 National Institute of Standards and Technologyにおける超伝導研究及び生活 , 2001 .

[18]  H. Tsoukas,et al.  What is Organizational Knowledge , 2001 .

[19]  Kenneth A. Wallston,et al.  Control Beliefs: Health Perspectives , 2001 .

[20]  Diana K. Smetters,et al.  Moving from the design of usable security technologies to the design of useful secure applications , 2002, NSPW '02.

[21]  Stephanie Teufel,et al.  Information security culture - from analysis to change , 2003, South Afr. Comput. J..

[22]  Jan H. P. Eloff,et al.  A taxonomy for information security technologies , 2003, Comput. Secur..

[23]  Hock-Hai Teo,et al.  An integrative study of information systems security effectiveness , 2003, Int. J. Inf. Manag..

[24]  Kristopher J Preacher,et al.  SPSS and SAS procedures for estimating indirect effects in simple mediation models , 2004, Behavior research methods, instruments, & computers : a journal of the Psychonomic Society, Inc.

[25]  Michel Tenenhaus,et al.  PLS path modeling , 2005, Comput. Stat. Data Anal..

[26]  Alexandros Kaliontzoglou,et al.  A secure e-Government platform architecture for small to medium sized public organizations , 2005, Electron. Commer. Res. Appl..

[27]  Tom R. Tyler,et al.  Can Businesses Effectively Regulate Employee Conduct? The Antecedents of Rule Following in Work Settings , 2005 .

[28]  E LeidnerDorothy,et al.  Review: a review of culture in information systems research , 2006 .

[29]  Dorothy E. Leidner,et al.  Review: A Review of Culture in Information Systems Research: Toward a Theory of Information Technology Culture Conflict , 2006, MIS Q..

[30]  Hennie A. Kruger,et al.  A prototype for assessing information security awareness , 2006, Comput. Secur..

[31]  Qing Hu,et al.  The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies , 2007, J. Assoc. Inf. Syst..

[32]  Shuchih Ernest Chang,et al.  Exploring organizational culture for information security management , 2007, Ind. Manag. Data Syst..

[33]  Moez Limayem,et al.  How Habit Limits the Predictive Power of Intention: The Case of Information Systems Continuance , 2007, MIS Q..

[34]  Kwok Kee Wei,et al.  Organizational culture and leadership in ERP implementation , 2008, Decis. Support Syst..

[35]  Ned Kock,et al.  Information Systems Theorizing Based on Evolutionary Psychology: An Interdisciplinary Review and Theory Integration Framework , 2009, MIS Q..

[36]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[37]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[38]  Ronald J. Deibert,et al.  Risking Security: Policies and Paradoxes of Cyberspace Security , 2010 .

[39]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[40]  BulgurcuBurcu,et al.  Information security policy compliance , 2010 .

[41]  Jan H. P. Eloff,et al.  A framework and assessment instrument for information security culture , 2010, Comput. Secur..

[42]  Mikko T. Siponen,et al.  Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study , 2010, MIS Q..

[43]  Nils Urbach,et al.  Structural Equation Modeling in Information Systems Research Using Partial Least Squares , 2010 .

[44]  Steven Furnell,et al.  Establishing A Personalized Information Security Culture , 2011, Int. J. Mob. Comput. Multim. Commun..

[45]  Bilal Khan,et al.  Effectiveness of information security awareness methods based on psychological theories , 2011 .

[46]  Ismail Khalil,et al.  Contemporary Challenges and Solutions for Mobile and Multimedia Technologies , 2012 .

[47]  William R. Claycomb,et al.  Chronological Examination of Insider Threat Sabotage: Preliminary Observations , 2012, J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl..

[48]  Mikko T. Siponen,et al.  Motivating IS security compliance: Insights from Habit and Protection Motivation Theory , 2012, Inf. Manag..

[49]  Rebecca A. Grier Military Cognitive Readiness at the Operational and Strategic Levels , 2012 .

[50]  A. Ghasemi,et al.  Normality Tests for Statistical Analysis: A Guide for Non-Statisticians , 2012, International journal of endocrinology and metabolism.

[51]  Tamara Dinev,et al.  Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture , 2012, Decis. Sci..

[52]  Princely Ifinedo,et al.  Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory , 2012, Comput. Secur..

[53]  V. Balakrishnan,et al.  Exploratory Factor Analysis of User’s Compliance Behaviour towards Health Information System’s Security , 2013 .

[54]  Eric A. M. Luiijf,et al.  Nineteen national cyber security strategies , 2013, Int. J. Crit. Infrastructures.

[55]  Qing Hu,et al.  Future directions for behavioral information security research , 2013, Comput. Secur..

[56]  Delroy A. Chevers,et al.  SMEs' adoption of enterprise applications: A technology-organisation-environment model , 2013 .

[57]  Rossouw von Solms,et al.  From information security to cyber security , 2013, Comput. Secur..

[58]  Mo Adam Mahmood,et al.  Employees' adherence to information security policies: An exploratory field study , 2014, Inf. Manag..

[59]  Rui Chen,et al.  Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service , 2014, Inf. Syst. J..

[60]  Doug Jacobson,et al.  Utilizing Structural Equation Modeling and Social Cognitive Career Theory to Identify Factors in Choice of IT as a Major , 2014, TOCE.

[61]  Mathias Ekstedt,et al.  Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture , 2014, Comput. Secur..

[62]  Joseph F. Hair,et al.  On the Emancipation of PLS-SEM: A Commentary on Rigdon (2012) , 2014 .

[63]  Hepu Deng,et al.  A multidimensional and integrative approach to study global digital divide and e-government development , 2014, Inf. Technol. People.

[64]  Maria Karyda,et al.  Identifying Factors that Influence Employees' Security Behavior for Enhancing ISP Compliance , 2015, TrustBus.

[65]  Adrian Leguina,et al.  A primer on partial least squares structural equation modeling (PLS-SEM) , 2015 .

[66]  M. Butavicius,et al.  The Influence of Organizational Information Security Culture on Information Security Decision Making , 2015 .

[67]  Steven Furnell,et al.  Information security conscious care behaviour formation in organizations , 2015, Comput. Secur..

[68]  A. Veiga,et al.  A cybersecurity culture research philosophy and approach to develop a valid and reliable measuring instrument , 2016 .

[69]  P. Northouse,et al.  Introduction to Leadership: Concepts and Practice , 2017 .

[70]  Kai R. Larsen,et al.  Modes of Theory Integration , 2017, HICSS.

[71]  Irfan-Ullah Awan,et al.  An Empirical Study of Cultural Dimensions and Cybersecurity Development , 2017, 2017 IEEE 5th International Conference on Future Internet of Things and Cloud (FiCloud).

[72]  J. Doug Tygar,et al.  Organisational culture, procedural countermeasures, and employee security behaviour: A qualitative study , 2017, Inf. Comput. Secur..

[73]  L. Fabrigar,et al.  The counterintuitive influence of vocal affect on the efficacy of affectively-based persuasive messages , 2018 .

[74]  Vimala Balakrishnan,et al.  Indirect effect of management support on users’ compliance behaviour towards information security policies , 2018, Health information management : journal of the Health Information Management Association of Australia.

[75]  Ned Kock,et al.  Minimum sample size estimation in PLS‐SEM: The inverse square root and gamma‐exponential methods , 2018, Inf. Syst. J..

[76]  Nadine Guhr,et al.  The impact of leadership on employees' intended information security behaviour: An examination of the full‐range leadership theory , 2019, Inf. Syst. J..

[77]  Emily Matta ,,,Kansans at Risk: Strengthened Data Breach Notification Laws as a Deterrent to Reckless Data Storage , 2019, Kansas Law Review.

[78]  신애자,et al.  1998 , 2001, The Winning Cars of the Indianapolis 500.