Enacting Information Security Policies in Practice: Three Modes of Policy Compliance

Abstract

Widely reported information security breaches and their high organizational impact have underlined the importance of organizational information security. Based on an international survey in the Harvard Business Review (2013, 2), ‘information security and privacy have become more significant areas of concern in the past three years’. In addition, in a large industry survey that ‘gathered data by surveying 11,340 directors and 1,957 general counsel’ conducted by The Corporate Board Member and FTI Consulting (2012, 2), within corporate America, information security concerns topped the list of concerns of both surveyed groups. To protect their information, organizations devote much time and resources to implement information security policies (hereafter InfoSec policies). These policies form the core of organization’s information security efforts (Baskerville and Siponen, 2002; Doherty et al., 2009) by documenting guidelines for employees’ expected behaviour (Warkentin and Johnston, 2008). However, the potential of the policies arises not from the documents per se, but from employees’ compliance with the implemented policies (Bulgurcu et al., 2010). It is, therefore, no wonder that scholars have devoted much time and effort to study policy compliance.