Abstract

The success of organizational information security policies depends on employees' continuous compliance from the time the policies are first introduced into the organization. Hence, the purpose of this study is to investigate continuous compliance with information security policy among public organizations. Data were collected from 265 employees working in Tanzanian public organizations. Data analysis employed a Structural Equation Modelling (SEM) approach. The study found that organizational commitment, perceived susceptibility and perceived severity have a positive influence on employees' continuance intention to comply with security policies, while perceived barriers have a negative influence. Moreover, perceived benefits, self-efficacy, cues and information security awareness have no significant influence. Based on these findings, recommendations were given. There is a paucity of empirical research investigating the key issues that may influence continuous compliance with information security policy in organizations. This study addresses this research gap by integrating the Health Belief Model (HBM) with employees' organizational commitment and information security awareness constructs to investigate information security policy continuance compliance in organizations.

Highlights

  • There is a general consensus among organizations that information is crucial for their operations and that it should be protected (Hardy & Williams, 2010; Hong, Yen-Ping, Chao, & Tang, 2003; Posey, Roberts, Lowry, & Bennett, 2013)

  • Items for measuring organizational commitment were adapted from Mowday (1999); perceived benefits, perceived barriers, and cues to action from Claar and Johnson (2011) and Ng et al. (2009); perceived susceptibility, perceived severity and self-efficacy from Claar and Johnson (2011), Herath and Rao (2009) and Ng et al. (2009). Items for security awareness were borrowed from Mahabi (2010), while items for compliance continuance intentions were borrowed from Warkentin et al. (2016)

  • The present study investigates the intention of employees working in public organizations to continue to comply with information security policy

Summary

Introduction

There is a general consensus among organizations that information is crucial for their operations and that it should be protected (Hardy & Williams, 2010; Hong, Yen-Ping, Chao, & Tang, 2003; Posey, Roberts, Lowry, & Bennett, 2013). Protection of information requires investment in both technical and non-technical issues (Hentea, Dhillon, & Dhillon, 2006). Recent trends in information security budgets indicate that much of the funding is allocated to technical aspects of information security (Dignan, 2016). While the focus of many organizations is on technical aspects of information security, a large portion of security incidents is of a non-technical nature (Lewis, 2003; PWC, 2015; Wood & Banks, 1993). Previous researchers indicate that the majority of security incidents are caused by the intentional or unintentional negligence of employees (Herath & Rao, 2009a). To control employee negligence and reduce security incidents, security controls are widely adopted. A good example of a security control is an information security policy. The adoption of security policies has yet to provide a shield against security
