Information Security Policy Compliance Research Articles

Validating and extending the unified model of information security policy compliance

Purpose The purpose of this study is to further validate and extend the unified model of information security policy compliance (UMISPC) developed by Moody et al. (2018). Design/methodology/approach To be able to compare the results of this study and those reported by Moody et al. (2018) (and followers), the same quantitative data collection method (questionnaire) and variable measurement instruments were used. Specifically, questionnaire data were collected from a department within a Swedish governmental organization comprising 150 employees. Of these, 90 answered the questionnaire which rendered a response rate of 60%. Following Moody et al. (2018), the collected data were analyzed by means of structural equation modeling. Findings This study generally provides empirical support for the original UMISPC as a large majority of the findings are in line with those reported by Moody et al. (2018). However, it also suggests important differences and boundary conditions. Originality/value This study extends the original study of Moody et al. (2018) and subsequent replication studies by testing it in a new national/organizational context. Based on their call for future research, it also develops and empirically tests the effects of a new, socially visible information system security violation scenario. Related to this, this study also revisits the role of the variable subjective norms for better understanding employee non-/compliance to information security policies by suggesting that their effects may be indirect (i.e. running through other variables in the UMISPC) rather than direct.

Factors Influencing Information Security Policy Compliance Behavior “A Case – Study Healthcare Workers in a Private Hospital in Mogadishu – Somalia”

Information security policy compliance is crucial for safeguarding sensitive data in healthcare settings. This study investigates the factors influencing information security policy compliance behavior among healthcare workers at a private hospital in Mogadishu, Somalia. Findings reveal that beliefs in the importance of information security, effectiveness of communication and training programs, usability of security tools, and socio- cultural factors significantly impact compliance behavior. The study provides insights for healthcare administrators and policymakers to enhance compliance strategies in healthcare organizations.

Exploring the factors influencing information security policy compliance and violations: A systematic literature review

Despite advancements in security technology, the prevalence of insider threats has been on the rise in recent years. Organizations implement Information Security Policies (ISPs) that outline the expected security-related behavior and compliance standards for employees. Ensuring and enhancing ISP compliance and reducing violations is crucial for organizations to maintain their security posture. This Systematic Literature Review (SLR) aims to synthesize the existing research on ISP compliance and violations to identify the underlying factors behind employee policy violations and delve into the factors that promote compliance with ISPs. In order to provide a theoretical foundation for understanding these behaviors, this SLR identifies the prominent theories used to explain ISP compliance and violation. A comprehensive search is conducted across different academic databases, applying defined inclusion and exclusion criteria to select the relevant studies between 2012 and 2023. To understand intentional violations, we categorize and analyze studies on ISP violations based on Moral Disengagement, Neutralization and Deterrence, Stress, and Monitoring mechanisms. For ISP compliance, we categorize and analyze studies based on individual-level decision-making and organizational-level factors. We identified forty-seven factors that influence compliance behavior and forty-one factors that determine non-compliance behavior. Fourteen common factors were identified from prior literature, which were determinants of both compliance and violation behaviors, with opposite directions of influence. By considering both compliance and noncompliance simultaneously, organizations can develop more effective strategies for enhancing compliance and mitigating noncompliance.

Factors Influencing Information Security Policy Compliance Behavior in High Education Institutions: Systematic Literature Review

Information security policies and behaviors play a crucial role in organizations, particularly in higher education institutions. These policies outline guidelines and best practices to protect sensitive data, safeguard privacy, and prevent unauthorized access or misuse of information. In higher education institutions, they help secure research findings, intellectual property, and student records. By fostering a culture of security awareness and encouraging responsible behavior, organizations can safeguard their reputation, instill trust, and meet legal and regulatory requirements. This literature review has revealed challenges and highlighted the current trends of information security policy compliance, as well as the theories used for information security compliance from 2013 to 2023. Out of 50 research papers published on the topic of information security policy compliance, three influencing factors were identified through filtration: behavioral intention, awareness and culture, and human with organizational management. The findings show that there is a lack of information security policies in the higher education sector. This review contributes to the information security literature by providing a fully organized systematic review of conducted research in the last decade.

Information Security Research in the Information Systems Discipline: A Thematic Review and Future Research Directions

Information security continues to grow in importance in all aspects of society and therefore evolves as a prevalent research area. The information systems (IS) discipline offers a unique perspective to move this stream of literature forward. Using a semiautomated thematic analysis approach based on the topic modeling technique, we review a broad range of information security literature to investigate how we may integrate and advance our understanding of information security. Our analysis reveals four major themes, including information security policy (ISP) compliance, motivations and susceptibility, software security decisions, and firm security strategy. We also identify a theme of security in broader contexts, in which studies consider the societal impacts of information security and online hacker behavior. This review contributes to IS literature by 1) synthesizing the broad range of information security research published in the top journals of the field, moving beyond prior reviews focusing on a narrower scope such as individual ISP compliance; 2) identifying major themes and proposing an overarching research framework encompassing these themes and their interconnections, allowing us to envision future research directions; and 3) enumerating a semiautomated topic modeling approach that other researchers can employ.

Synthesizing Information Security Policy Compliance And Non-compliance: A Comprehensive Study And Unified Framework

ABSTRACT In today’s organizational landscape, safeguarding information against both intentional and unintentional insider threats has become a paramount concern. To address this challenge, organizations formulate Information Security Policies (ISP) aimed at maximizing compliance regarding sensitive data and information. However, confining the analysis solely to compliance falls short, as even a minor fraction of non-compliant individuals can lead to significant organizational vulnerabilities. In such scenarios, it becomes imperative for organizations to delve into the intricacies that influence both ISP compliance and noncompliance. While numerous literature reviews have explored factors contributing to ISP compliance, they often treated compliance and noncompliance as mere opposites, neglecting their nuanced differences and the need for a combined perspective. Our study bridges this gap by conducting a comprehensive review of 50 peer-reviewed articles published between 2014 and 2022. This unique undertaking yields three crucial contributions: First, it elucidates the characteristics distinguishing ISP compliance and noncompliance within business contexts. Second, it provides an encompassing explication of the variables influencing both ISP compliance and noncompliance. Most notably, our review culminates in the development of a unified framework that amalgamates existing insights and charts a path for future inquiry.

Incorrect compliance and correct noncompliance with information security policies: A framework of rule-related information security behaviour

Information security policy (ISP) compliance is recognized as a key measure for dealing with human errors when protecting information. A considerable and growing body of literature has studied the persuasive, deterrent, and coercive antecedents of compliant and noncompliant behaviour. Simultaneously, research indicates that real life situations are too complex and varied to prescribe in terms of a priori rules of acceptable behaviour, and create situations where compliance is in fact harmful for achieving organisational security and business goals. Thus, regarding ISP compliance as inherently “correct” and noncompliance as inherently “incorrect”, may contribute to creating problems that compliance research seeks to alleviate. In this research perspective, we argue that ISP compliance and noncompliance cannot be universally and invariably determined as “correct” or “incorrect” but that they become meaningful only when evaluated against organisational outcomes. We draw on organisational accident theorists to develop our arguments and propose a framework of rule-related information security behaviour (RISB) in order to conceptualize different types of ISP compliant and noncompliant behaviour and their organisational outcomes. Our research argues that compliance and noncompliance are nor inherently correct or incorrect and that making the judgement on the correctness of these actions requires considering the rule, the action, and the outcome.

Promoting Security Behaviors in Remote Work Environments: Personal Values Shaping Information Security Policy Compliance

Organizations worldwide face critical concerns related to cybersecurity threats and information security policy (ISP) compliance. Even though humans are the weakest link in the cybersecurity chain, information security professionals understand the importance of promoting individual information security behaviors because employees are also the first line of defense against ever-increasing cyber threats. Despite a recent trend of working from home, organizations do not make significant differences in their information security interventions for remote workers, relying mainly on VPNs as the only used tool, essentially making employees follow in-office standard information security policies because they are “virtually in-office.” Our study suggests that organizations need to recognize the unique context of remote work and consider personal motivations when shaping information security practices. Furthermore, our study indicates that in order to motivate remote employees to follow secure information security practices, organizations should consider personal characteristics instead of focusing on generic interventions. For instance, our study compares onsite and remote workers, suggesting that personal values are more relevant in remote work settings. Our findings exemplify just one of the many potential personal characteristics to be considered, highlighting how personal values are important motivators for ISP compliance and how they differ for onsite and remote workers in their importance when following information security rules.

Reducing fraud in organizations through information security policy compliance: An information security controls perspective

As more business processes and information assets are digitized, computer resources are increasingly being misused to perpetrate fraudulent activities. Research shows that fraud committed by (or with) trusted insiders (called occupational fraud or internal organizational fraud) is responsible for significantly more damage than that committed by external actors (for example, cyber fraud). Current fraud research has primarily focused on the person perpetuating the fraud instead of the internal mechanisms organizations can employ in reducing fraud. The study examines the relationship between compliance with organizations' technology controls (primarily focused on information security) and its impact on computer-based occupational fraud. Based on general deterrence and fraud triangle theories, the study proposes information security control proficiency (ISCP) modeled as an integration of the quality of information security policy and its enforcement as a key factor that influences information security policy compliance. We further postulate that compliance with information security policy mediates the relationship between information security control proficiency and computer-based-occupational fraud. Empirical assessment supports the structure of the information security control proficiency construct. Model testing shows that information security control proficiency positively impacts information security policy compliance, which further deters the use of a company's computer systems and resources to conduct fraudulent activities. Thus, if an organization establishes high-quality information security policies and supports the policies with effective enforcement, it correspondingly leads to better compliance. Furthermore, less fraud is committed when compliance with information security controls is high. We offer various managerial implications and future research extension ideas.

A field experiment on ISP training designs for enhancing employee information security compliance

ABSTRACT Information security policy (ISP) training plays an important role in enhancing organisational resilience against cyber threats by providing employees with the necessary knowledge and skills to effectively identify, prevent, and respond to security breaches. This research aims to explore how the use of deterrence arguments and threat arguments can enhance the effectiveness of ISP training. We theorise how ISP training affects employees’ ISP compliance behaviour by arguing for a transfer of training lens to study the effectiveness of ISP training. The results of our field experiment with triangulated data suggest that the effect of argumentative-enhanced ISP training is twofold. First, employees who participated in enhanced training sessions with deterrence and threat arguments demonstrated superior training outputs after the training, which, in turn, translated into a sustained training outcome three weeks after the training. Second, we also find evidence that threat arguments can reinforce the application of training outputs in the maintenance stage of learned behaviours. With this applied research study, we contribute to the research and practice by providing empirical evidence of the effectiveness of ISP training designs.

A Conceptual Model for Promoting Information Security Policy Compliance Behaviour at Workplace

A Conceptual Model for Promoting Information Security Policy Compliance Behaviour at Workplace

From awareness to behaviour: understanding cybersecurity compliance in Vietnam

From awareness to behaviour: understanding cybersecurity compliance in Vietnam

The defining features of a robust information security climate

Data breaches have become a common occurrence with serious consequences, making organizational security management critically important. Nonetheless, the research community has not yet clearly defined the characteristics of a strong organizational security climate. This study conducts a comprehensive literature analysis to identify a collection of research-based and managerially relevant constructs that represent the essential components of a strong security climate. We operationalize the identified measures of the constructs and empirically validate them for reliability, construct validity, and nomological validity in terms of their relationships with employees' security awareness, neutralization, and intention to comply with organizational information security policies (ISPs). The results suggest that these integral elements, when embraced by organizations, discourage employees’ use of neutralization to justify violation of ISPs and improve employees’ security awareness and their ISP compliance intention. Organizations can use the identified subcomponents and their corresponding measures as a diagnostic decision support instrument to make a reliable and valid assessment of the strengths and weaknesses of their security climate, to continuously monitor their security climate, and to develop interventions that contribute to a strong security climate.

The Limits of Empiricism: A Critique of Data-Driven Theory Development

The abundance of data available to researchers has led to increasing interest in data-derived theoretical development. Although this is a valid method of deriving theoretical models, it is subject to numerous limitations and hazards that may threaten the validity and usefulness of the models. The purpose of this paper is to critique empirically driven theoretical development. Our goal is to offer a cautionary tale about the limits of derivation of theory from empirical analysis in the hopes that our analysis and critique can strengthen empirical derivation of theory. In this paper, we use the empirical derivation of the Unified Model of Information Security Policy Compliance (UMISPC) as a research case study to illustrate some of these limitations and risks. For example, we critique the opportunistic dropping of theoretical paths based on statistical results, cautioning that doing so is insufficient for forming new theory. We also report several attempts at validating UMISPC through replication, including our own, which used data from a survey of 525 employed American adults. Comparison of the replications and original model indicates a general failure to replicate substantial portions of the original paper. We discuss five specific pitfalls associated with empirically driven model development and make recommendations for future studies that use inductive, data-driven approaches to derive theoretical models.

Exploring eustress and fear: A new perspective on protection motivation in information security policy compliance within the financial sector

Information security policy (ISP) compliance has emerged as a significant challenge for contemporary businesses. This underscores the crucial role of employing fear appeals to encourage employee compliance with ISP. However, the existing literature is rife with mixed and inconsistent findings regarding the influence of fear appeals on employees' intentions to comply with ISP. In an effort to address this inconsistency and delve into the mechanisms through which fear appeals impact ISP compliance, we expanded the Protection Motivation Theory by incorporating the Transactional Model of Stress and Coping. Notably, we introduced a positive emotion, eustress, into the mediating mechanism alongside fear. Our hypothesis posited that fear appeals not only generate fear but also evoke eustress, subsequently positively influencing ISP compliance. We conducted a study among financial sector employees and validated our hypothesis using structural equation modeling techniques. Our primary theoretical contributions include highlighting the critical role of eustress in enhancing ISP compliance and proposing a parallel mechanism through which fear appeals impact ISP compliance. From a practical standpoint, we demonstrate that eustress plays a more significant role in motivating employees to comply with ISP. Furthermore, we provide insights into how organizations can design fear appeal messages by incorporating the concept of eustress, thereby optimizing their effectiveness in promoting ISP compliance.

Dual Routes of Training on Information Security Policy Compliance

ABSTRACT This study aims to explore the mechanisms by which training influences employees’ information security policy compliance (ISPC) through the mediating roles of compliance knowledge and social pressure. An empirical model is conceptualized on the theoretical basis of the Elaboration Likelihood Model (ELM). Based on a survey conducted in China, a sample of 304 participants was used to test the impact of training on ISPC as well as the mediating effects of compliance knowlgedge (as a central route) and social pressure (as a peripheral route). The results revealed that training had a positive effect on ISPC, and the mediating effects of compliance knowledge and social pressure were both positive and complementary. The results also indicated that the mediating effect of compliance knowledge was stronger than that of social pressure, which was consistent with the judgment of ELM.

Not all information security-related stresses are equal: the effects of challenge and hindrance stresses on employees’ compliance with information security policies

ABSTRACT Information security-related stresses (SRSs) are widely considered to play a negative role in the workplace, motivating employees' violation of information security policies (ISPs). However, researchers have neglected to challenge SRS and its role in promoting positive security actions. Therefore, this study aimed to explore the effect of both challenge and hindrance SRSs on employees' intention to comply with ISPs and the moderating mechanisms of regulatory focus in the relationship between SRSs and ISP compliance. Using survey data from 489 employees in Chinese enterprises, we applied a PLS-SEM method to test hypotheses. Our study found that the hindrance SRS had a negative effect on ISP compliance intention, differently, challenge SRS motivates employees to comply with ISPs. Our study also found prevention focus acted as a positive moderator in the relationship between hindrance SRS and compliance intention, while promotion focus had no effect on this relationship; Promotion focus positively moderated the relationship between challenge SRS and compliance intention, and prevention focus negatively moderated the relationship between challenge SRS and compliance intention. These findings provide new knowledge by examining the different effects and the boundary conditions to understand how two types of SRS influence employees' informaiton security dicisions.

Fostering information security policies compliance with ISA-95-based framework: an empirical study of oil and gas employees

Fostering information security policies compliance with ISA-95-based framework: an empirical study of oil and gas employees

Analysis of the effects of lifism consciousness, digital civic attitude, and information security commitment on information security policy compliance

Analysis of the effects of lifism consciousness, digital civic attitude, and information security commitment on information security policy compliance

Nurse Information Security Policy Compliance, Information Competence, and Information Security Attitudes Predict Information Security Behavior.

Nurses' attitudes toward information security can influence the hospital's information resources management and development. This study investigated the relationships between nurses' information security policy compliance, information competence, and information security attitudes, which are factors that influence information security behavior. Data were collected during September 2020. The participants were 200 clinical nurses from a general hospital in Korea. The self-reported questionnaire included questions on nurses' general characteristics, information security policy compliance, information competence, and information security attitudes. Information security policy compliance (r = 0.554, P < .001) and information competence (r = 0.614, P < .001) were positively associated with information security attitudes. Predictors of nurses' information security attitudes were information competence (β = .439), information security policy compliance (β = .343), prior information security-related education (β = .113), and job position (nurse manager; β = .101). Implications for practice include the need for strategies to develop information security policy compliance and information competence to improve information security behavior, including different approaches tailored to nurses' job positions and previous information security education.