Compliance with computer security policies and legislation is critical to educational institutions today. Universities offer Internet services to users and store personal information of learners, staff and conference attendees, which exposes them to potential risks and legal liabilities. Failure to ensure compliance with information security laws poses significant financial and reputational risk and may invite serious scrutiny of university activities by law enforcement bodies [24]. While universities have sought various measures to achieve compliance (e.g. self-regulation, security policies, staff/student handbooks, public relations campaigns, Web and email reminders, and audits), these have had limited success in influencing user behaviours. The rate of electronic abuse and the lack of compliance with policies are on the rise. The August 2009 EDUCAUSE Review indicates that security remains one of the top strategic issues facing higher education institutions [2]. [20] claims that half of all personal identity breaches occur in higher education. The recording industry and motion picture associations are increasingly holding institutions liable for illegal downloading of copyrighted materials [11], and students have also been accused of privacy violations [8]. So, what makes compliance with policies and regulations in universities difficult, and how can compliance be measured and achieved effectively? This study examines the factors that influence compliance with security policies and regulations in universities. First, some key regulations governing information security in South Africa are introduced, followed by a review of the security environment and compliance behaviours in universities. A framework aligning regulatory requirements with control standards is developed to guide compliance behaviours in universities.
[1] Tim Lane. Information security management in Australian universities: an exploratory analysis. 2007.
[2] Tejaswini Herath, et al. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decis. Support Syst., 2009.
[3] Sizwe Lindelo Snail, et al. Cyber Crime in South Africa - Hacking, cracking, and other unlawful online activities. J. Inf. Law Technol., 2009.
[4] Scott E. Schimkowitsch. Key Components of an Information Security Metrics Program Plan. 2009.
[5] A. Arko-Cobbah. The Right of Access to Information: opportunities and challenges for civil society and good governance in South Africa. 2008.
[6] J. Pfeffer, et al. A social information processing approach to job attitudes and task design. Administrative Science Quarterly, 1978.
[7] William L. Simon, et al. The Art of Deception: Controlling the Human Element of Security. 2001.
[8] Irene M. Y. Woon, et al. Forthcoming: Journal of Information Privacy and Security. 2022.
[9] S. Thompson. Social Learning Theory. 2008.
[10] Brian L. Hawkins, et al. The Myth about IT Security. 2006.
[11] Kerry-Lynn Thomson. Corporate Governance: Information security the weakest link? ISSA, 2002.
[12] J. Watkins, et al. Government Gazette. 2001.
[13] D. Talay, et al. Numerical Methods in Finance: Introduction. 1997.
[14] M. Peter Adler. A Unified Approach to Information Security Compliance. 2006.