Information policy security compliance in Dutch local government

Abstract

This paper focuses on explaining employees' compliance with information security guidelines in Dutch local government. Information security has been given ample attention in government organizations in the Netherlands since the implementation of GDPR legislation in May 2018, and government organizations are, in general, an interesting context for information security research as government organization gather, process and disseminate large volumes of personal data, and therefore are in principal vulnerable to security risks. Using results from existing literate reviews, hypotheses are developed that suggest compliance is associated with individual employees' risk aversion, risk awareness, sanctions, peer pressure and management style. In order to test the hypotheses, three vignettes of security breaches (using unencrypted personal data, not logging out of unattended workstations, USB media lying around in the workplace) were developed and included in a questionnaire that was filled out by 153 public sector employees working for various local governments in the Netherlands. Multiple hierarchical regression analyses were used to test the hypotheses; risk awareness was found to have a significant impact on security policy compliance for two of the three vignettes, whereas hypotheses relating risk aversion, sanctions and management style to security policy compliance received no empirical support. Low levels of explained variance in the statistical analyses indicate that future models should incorporate other variables than those included in this study to better explain information security policy compliance.