Work-related groups and information security policy compliance

Purpose: It is widely acknowledged that norms and culture influence decisions related to information security. The purpose of this paper is to investigate how work-related groups influence information security policy compliance intentions and to what extent this influence is captured by the Theory of Planned Behavior, an established model of individual decision-making.

Design/methodology/approach: A multilevel model is used to test the influence of work-related groups using a cluster sample of responses from 2,291 employees from 203 worksites, 119 organizations, 6 industries and 38 professions.

Findings: The results suggest that work-related groups influence individuals’ decision-making in the manner in which contemporary theories of information security culture posit. However, the influence is weak to modest and overshadowed by individual perceptions that are straightforward to measure.

Research limitations/implications: This paper is limited to one national culture and four types of work-related groups. However, the results suggest that the Theory of Planned Behavior captures most of the influence that work-related groups have on decision-making. Future research on security culture and similar phenomena should take this into account.

Practical implications: Information security perceptions in work-related groups are diverse, and information security decisions appear to be based on individual perceptions and priorities rather than groupthink or peer pressure. Security management interventions may be more effective if they target individuals rather than groups.

Originality/value: This paper tests some of the basic ideas related to information security culture and its influence on individuals’ decision-making.
