Organizational Governance, Social Bonds and Information Security Policy Compliance: A Perspective towards Oil and Gas Employees

Information security attacks on oil and gas (O&G) organizations have increased over the last decade. From 2015 to 2019, almost 70 percent of O&G organizations worldwide faced at least one significant security breach. Research has shown that 43 percent of security attacks on O&G organizations occur due to the non-compliant behavior of O&G employees towards information security policy. The existing literature provides multiple solutions for technical security controls of O&G organizations. However, very few studies address behavioral security controls, specifically for O&G organizations in developing countries. The purpose of this study is to provide a comprehensive framework for information security policy compliance (ISPC) for the O&G sector. A mixed-method approach is used to develop the research framework. Semi-structured interviews with O&G specialists were used to refine the developed framework. Based on the qualitative study, a survey questionnaire was developed. To evaluate the research framework, structural equation modeling was applied to a sample of 254 managers/executives from 150 Malaysian O&G organizations. The test results confirmed the proposed research model, according to which good social bonding among employees plays a critical role in improving ISPC. However, there was less support for the notion that all organizational governance factors significantly improve the social bonding of employees in Malaysian O&G organizations. This paper contributes to the current information system (IS) literature by exploring the interrelationships among organizational governance, social bonding, and ISPC in Malaysian O&G organizations.
