Factors Influencing Information Security Policy Compliance Behavior

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.

The effect of perceived organizational culture on employees’ information security compliance

Purpose This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers. Design/methodology/approach The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy. Findings The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance. Research limitations/implications The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance. Practical implications Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations. Originality/value Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Autonomous Motivation and Information Security Policy Compliance

Many existing studies focus on the effect of external influence mechanisms (e.g., deterrence) impacting information security policy compliance (ISPC). This study explores the formation of ISPC from an autonomous motivation perspective, based on social exchange theory and self-determination theory. Data were gathered by conducting a survey of 261 employees, with hierarchical regression analysis being used to test our hypotheses.The results indicated the following: First, job satisfaction and personal responsibility positively impact ISPC. Second, job satisfaction perceived by employees is positively linked to personal responsibility, where deterrence severity has a negative moderating effect on this relationship. Finally, personal responsibility mediates the relationship between job satisfaction and ISPC. This study suggests that organizational support should focus on promoting perceived self-determination of employees, and that deterrence should be maintained at a moderate level to adapt to the organization's security strategy and information security environment.

Information Security Policy Compliance Culture

Information security policy (ISP) noncompliance is a growing problem that accounts for a significant number of security breaches in organizations. Existing strategies for changing employees' behavior intentions towards compliance have not been effective. It is therefore imperative to identify other effective strategies to address the problem. This article investigates the effect accountability constructs on employees' attitudes and behavior intentions towards establishing ISP compliance as a culture. In addition, the authors validate a testable research model for predicting employees' compliance behavior intentions in a field survey involving 313 employees from selected Ghanaian companies. The overall effect showed that measures of accountability significantly influenced employees' attitudes and behavior intentions to ISP compliance while the establishment of ISP compliance culture largely depended on the existence of a conducive information security culture and positive employee behavior intentions.