Abstract

In organizations, users' compliance with information security policies (ISP) is crucial for minimizing information security (IS) incidents. To improve users' compliance, IS managers have implemented IS awareness (ISA) programs, which are systematically planned interventions to continuously transport security information to a target audience. The underlying research analyzes IS managers' efforts to design effective ISA programs by comparing current design recommendations suggested by scientific literature with actual design practices of ISA programs in three banks. Moreover, this study addresses how users perceive ISA programs and related implications for compliant IS behavior. Empirically, we utilize a multiple case design to investigate three banks from Central and Eastern Europe. In total, 33 semi-structured interviews with IS managers and users were conducted, and internal materials of ISA programs such as intranet messages and posters were also considered. The paper contributes to IS compliance research by offering a comparative and holistic view of ISA program design practices. Moreover, we identified influences on users' perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. Finally, the study raises propositions regarding the relationship between ISA program designs and factors that are likely to influence users' ISP compliance.

Highlights

  • Banks have been in desperate need of improving information security (IS) for decades (Baskerville et al., 2014; Goel and Shawky, 2009; Kjaerland, 2005)

  • We develop propositions to enhance our understanding of information security policies (ISP) compliance and design recommendations for IS awareness (ISA) programs (Eisenhardt, 1989)

  • We present which ISA program designs are considered by the case banks

Introduction

Banks have been in desperate need of improving information security (IS) for decades (Baskerville et al., 2014; Goel and Shawky, 2009; Kjaerland, 2005). They operate in a complex, regulated and rapidly evolving global environment in which constantly changing or newly emerging technologies are needed for conducting their operations (Goldstein et al., 2011). Financial service institutions are prime targets for crime and fraud (Norton and Walker, 2014). As a result, they are increasingly threatened by data- and function-related IS risks, leading to a growing level of IS breaches worldwide (ORX, 2014; PricewaterhouseCoopers, 2014). The Federal Deposit Insurance Corporation (FDIC) reported to the US Congress about five major bank-related incidents, each involving more than 10,000 data records, and previously an incident caused by a departing employee accidentally breaching the data of roughly 44,000 FDIC customers (Davidson, 2016).
