Information Security Policy Compliance Research Articles

From awareness to behaviour: understanding cybersecurity compliance in Vietnam

From awareness to behaviour: understanding cybersecurity compliance in Vietnam

The defining features of a robust information security climate

Data breaches have become a common occurrence with serious consequences, making organizational security management critically important. Nonetheless, the research community has not yet clearly defined the characteristics of a strong organizational security climate. This study conducts a comprehensive literature analysis to identify a collection of research-based and managerially relevant constructs that represent the essential components of a strong security climate. We operationalize the identified measures of the constructs and empirically validate them for reliability, construct validity, and nomological validity in terms of their relationships with employees' security awareness, neutralization, and intention to comply with organizational information security policies (ISPs). The results suggest that these integral elements, when embraced by organizations, discourage employees’ use of neutralization to justify violation of ISPs and improve employees’ security awareness and their ISP compliance intention. Organizations can use the identified subcomponents and their corresponding measures as a diagnostic decision support instrument to make a reliable and valid assessment of the strengths and weaknesses of their security climate, to continuously monitor their security climate, and to develop interventions that contribute to a strong security climate.

The Limits of Empiricism: A Critique of Data-Driven Theory Development

The abundance of data available to researchers has led to increasing interest in data-derived theoretical development. Although this is a valid method of deriving theoretical models, it is subject to numerous limitations and hazards that may threaten the validity and usefulness of the models. The purpose of this paper is to critique empirically driven theoretical development. Our goal is to offer a cautionary tale about the limits of derivation of theory from empirical analysis in the hopes that our analysis and critique can strengthen empirical derivation of theory. In this paper, we use the empirical derivation of the Unified Model of Information Security Policy Compliance (UMISPC) as a research case study to illustrate some of these limitations and risks. For example, we critique the opportunistic dropping of theoretical paths based on statistical results, cautioning that doing so is insufficient for forming new theory. We also report several attempts at validating UMISPC through replication, including our own, which used data from a survey of 525 employed American adults. Comparison of the replications and original model indicates a general failure to replicate substantial portions of the original paper. We discuss five specific pitfalls associated with empirically driven model development and make recommendations for future studies that use inductive, data-driven approaches to derive theoretical models.

Exploring eustress and fear: A new perspective on protection motivation in information security policy compliance within the financial sector

Information security policy (ISP) compliance has emerged as a significant challenge for contemporary businesses. This underscores the crucial role of employing fear appeals to encourage employee compliance with ISP. However, the existing literature is rife with mixed and inconsistent findings regarding the influence of fear appeals on employees' intentions to comply with ISP. In an effort to address this inconsistency and delve into the mechanisms through which fear appeals impact ISP compliance, we expanded the Protection Motivation Theory by incorporating the Transactional Model of Stress and Coping. Notably, we introduced a positive emotion, eustress, into the mediating mechanism alongside fear. Our hypothesis posited that fear appeals not only generate fear but also evoke eustress, subsequently positively influencing ISP compliance. We conducted a study among financial sector employees and validated our hypothesis using structural equation modeling techniques. Our primary theoretical contributions include highlighting the critical role of eustress in enhancing ISP compliance and proposing a parallel mechanism through which fear appeals impact ISP compliance. From a practical standpoint, we demonstrate that eustress plays a more significant role in motivating employees to comply with ISP. Furthermore, we provide insights into how organizations can design fear appeal messages by incorporating the concept of eustress, thereby optimizing their effectiveness in promoting ISP compliance.

Dual Routes of Training on Information Security Policy Compliance

ABSTRACT This study aims to explore the mechanisms by which training influences employees’ information security policy compliance (ISPC) through the mediating roles of compliance knowledge and social pressure. An empirical model is conceptualized on the theoretical basis of the Elaboration Likelihood Model (ELM). Based on a survey conducted in China, a sample of 304 participants was used to test the impact of training on ISPC as well as the mediating effects of compliance knowlgedge (as a central route) and social pressure (as a peripheral route). The results revealed that training had a positive effect on ISPC, and the mediating effects of compliance knowledge and social pressure were both positive and complementary. The results also indicated that the mediating effect of compliance knowledge was stronger than that of social pressure, which was consistent with the judgment of ELM.

Not all information security-related stresses are equal: the effects of challenge and hindrance stresses on employees’ compliance with information security policies

ABSTRACT Information security-related stresses (SRSs) are widely considered to play a negative role in the workplace, motivating employees' violation of information security policies (ISPs). However, researchers have neglected to challenge SRS and its role in promoting positive security actions. Therefore, this study aimed to explore the effect of both challenge and hindrance SRSs on employees' intention to comply with ISPs and the moderating mechanisms of regulatory focus in the relationship between SRSs and ISP compliance. Using survey data from 489 employees in Chinese enterprises, we applied a PLS-SEM method to test hypotheses. Our study found that the hindrance SRS had a negative effect on ISP compliance intention, differently, challenge SRS motivates employees to comply with ISPs. Our study also found prevention focus acted as a positive moderator in the relationship between hindrance SRS and compliance intention, while promotion focus had no effect on this relationship; Promotion focus positively moderated the relationship between challenge SRS and compliance intention, and prevention focus negatively moderated the relationship between challenge SRS and compliance intention. These findings provide new knowledge by examining the different effects and the boundary conditions to understand how two types of SRS influence employees' informaiton security dicisions.

Fostering information security policies compliance with ISA-95-based framework: an empirical study of oil and gas employees

Fostering information security policies compliance with ISA-95-based framework: an empirical study of oil and gas employees

Analysis of the effects of lifism consciousness, digital civic attitude, and information security commitment on information security policy compliance

Analysis of the effects of lifism consciousness, digital civic attitude, and information security commitment on information security policy compliance

Nurse Information Security Policy Compliance, Information Competence, and Information Security Attitudes Predict Information Security Behavior.

Nurses' attitudes toward information security can influence the hospital's information resources management and development. This study investigated the relationships between nurses' information security policy compliance, information competence, and information security attitudes, which are factors that influence information security behavior. Data were collected during September 2020. The participants were 200 clinical nurses from a general hospital in Korea. The self-reported questionnaire included questions on nurses' general characteristics, information security policy compliance, information competence, and information security attitudes. Information security policy compliance (r = 0.554, P < .001) and information competence (r = 0.614, P < .001) were positively associated with information security attitudes. Predictors of nurses' information security attitudes were information competence (β = .439), information security policy compliance (β = .343), prior information security-related education (β = .113), and job position (nurse manager; β = .101). Implications for practice include the need for strategies to develop information security policy compliance and information competence to improve information security behavior, including different approaches tailored to nurses' job positions and previous information security education.

Predicting Compliance of Security Policies: Norms and Sanctions

ABSTRACT This paper is motivated by the need to find reasons for the divergent findings reported in many studies that assessed the effects of social norms on IS security policy compliance, and answers multiple calls for additional research on this subject. In doing so, this paper contributes to the existing information security literature by presenting an integrated model that draws from the General Deterrence Theory, the Social Norms, and the Normality perspective. Specifically, this study investigates the effect of formal sanctions on information security policies compliance mediated by subjective, descriptive, and moral norms. The data were collected from the employees of five organizations in the Southern United States using the survey method. Quantitative analysis of the sampled data was conducted by using PLS to assess the various hypotheses. This study shows that descriptive and moral norms mediate the relationships between formal sanctions and information security compliance. The paper highlights the influence of moral norms on how IT users respond to IS security policies.

Inconsistencies Between Information Security Policy Compliance and Shadow IT Usage

ABSTRACT This study investigates the effects of self-efficacy on intentions toward information security policy compliance and behaviors in shadow information technology, with self-efficacy being divided into information technology self-efficacy and information security self-efficacy. An experiment was conducted and a total of 83 valid subjects were recruited in this study. Data were collected on the subjects’ behaviors during the experiment, and quantitative data were also collected using a posttest questionnaire. The findings indicated that ITSE and ISSE positively correlated with information security policy (ISP) compliance, suggesting that improving self-efficacy in either aspect will improve ISP compliance intention. However, ISP compliance did not correlate significantly with shadow IT usage, as subjects with high ISP compliance still used shadow IT. Therefore, there was a discrepancy between intention and actual behavior. In practical terms, organizations can use training and education to improve their employees’ self-efficacy in the technically challenging or unfamiliar aspects of IT and ISP compliance, improve their ISP compliance intention, and reduce the possibility of ISP violations, such as shadow IT usage.

Should i really do that? Using quantile regression to examine the impact of sanctions on information security policy compliance behavior

Deterrence theory is one of the most commonly used theories to study information security policy non-compliance behavior. However, the results of studies in the information security field are ambiguous. To further address this heterogeneity, various influencing factors have been considered in the context of deterrence theory. However, a current challenge with these findings is that recent studies that quantitatively assess the effectiveness of deterrence have relied predominantly on methods that analyze the underlying data, starting from a regression-based approach. By applying quantile regression, we estimate the overall effect of deterrents, and uncover how their effect differs among employees with different inclinations toward ISP compliance behavior – a critical insight for determining security measures for specific employee groups. Based on longitudinal data gathered in the U.S., our findings show significantly different effects in the analyzed quantiles for both aspects of sanctions, namely certainty and severity.

Designing an incentive mechanism for information security policy compliance: An experiment

Much information security research focuses on policies firms could adopt to reduce or eliminate employees’ violation behavior. However, current information security policies are based on increasingly outmoded models of compliance behavior. This paper proposes a novel behavioral-based mechanism that offers rewards and punishments to incentivize employees to take the time to protect a company's information assets. This new mechanism is grounded in insights from externality taxes and subsidies, as well as from behavioral economics, that specific incentives operationalized as monetary rewards and punishments effectively improve information security compliance. We also consider the importance of detection in implementing our mechanism. We conduct a set of laboratory experiments to study the impact of the rewards and punishments, as well as the importance of the probability of detection.Our results show clearly that rewards alone or a combination of rewards and punishments are effective in improving information security policy compliance in both high and low-detection environments, but punishments alone are not effective in either of our environments. In addition, a company's information security compensation plan is more likely to be effective in improving compliance if the company can more reliably detect violations. Overall, our study suggests that a compensation structure based on small and predictable financial rewards and punishments is likely more effective than the current punishment-focused approach.

Remote vigilance: The roles of cyber awareness and cybersecurity policies among remote workers

The convergence of increased remote working and rising cybersecurity threats have created a severe challenge for organizations. As firms continue to embrace remote working, the challenges of cybersecurity threats and risks remain unresolved. This study draws upon the Peltzman Effect and the complacency framework to explore how remote working may trigger a moral hazard regarding employee cybersecurity awareness and security-based precaution-taking.Data collected from 203 remote workers across the US provide strong support for the research model. Contrary to widely held beliefs about remote working, the results indicate that remote working is positively associated with cybersecurity awareness and security-based precaution-taking. The findings further show that information security policy compliance moderates the effect of remote working on cybersecurity awareness. In addition, the study reveals that as remote workers gain cybersecurity awareness, they are more likely to apply security-based precaution measures. The study complements current theoretical frameworks on security-precaution behaviors and provides insights to managers grappling with remote working in the face of burgeoning cybersecurity threats.

The direct and indirect effect of organizational justice on employee intention to comply with information security policy: The case of Ethiopian banks

Organizations today are greatly challenged by information security threats, which is often due to employee non-compliance with the information security policies (ISPs). By drawing on the organizational justice and citizenship behavior theories, this study develops a theoretical model that examines how each dimension of organizational justice such as perceived distributive justice, perceived procedural justice, perceived informational justice, and perceived interpersonal justice and citizenship behavior affect employees’ ISP compliance intention. We empirically tested the proposed theoretical model with 276 survey responses collected from IS users in governmental and private banks in Ethiopia. Employees’ perceived fairness of security policy compliance outcome, procedures used to design and implement security policies, adequacy of information regarding security policies and interpersonal treatment employees received during ISPs enforcement are found to directly influence employee ISP compliance intention. The study results also suggest that security related citizenship behavior partially mediates the effects of procedural justice, informational justice, and interpersonal justice on ISP compliance intention. This study contributes to the behavioral information security literature by showing the significance of perceived organizational justice and citizenship behavior on employee ISP compliance behaviors. Our results are also helpful for organizations seeking to improve their employees ISP compliance behavior.

Information security policies compliance in a global setting: An employee's perspective

Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

Personal and Contextual Predictors of Information Security Policy Compliance: Evidence from a Low-Fidelity Simulation

Personal and Contextual Predictors of Information Security Policy Compliance: Evidence from a Low-Fidelity Simulation

A Framework for Analyzing and Improving ISP Compliance

ABSTRACT Even though abundant research has been done on the factors that may impact employee information security policy (ISP) compliance intention, the results are mixed. To more fully capture the dimensions which may influence employee ISP compliance, this paper introduces a framework that is based on the synthesis of the theories of motivation and behavior. The framework was tested with survey data. Key findings of the study are 1) employee ISP compliance intention is influenced by factors involving four distinct dimensions of action: awareness, motivation, capability, and organizational culture; and 2) The factors from the capability and organizational culture dimension may significantly moderate the strength of the relationship between motivation and ISP compliance intention. The implications of the study regarding the theoretical and practical contributions of this study are discussed.

A Neutrosophic Model for Identifying and Analyzing the Effect of Relational Leadership on Information Security Policy Compliance: A Case Study of the Hotel Industry

Leaders at hotels are keen to learn how to improve staff adherence to their newly implemented information security rules in the wake of a spate of events involving the compromise of sensitive customer data. In this research, we analyze the relationship between workers' compliance intentions and their perceptions of deterrence, and the leadership styles of their bosses. Gender, education, role, tenure based on ethical leadership, and information security policy compliance intention were some of the particular leadership aspects connected to the information security policy that were evaluated in our research. The overall relevance of the standards may be calculated using the average method, which is used in decision-making. The suggested novel version of the MULTIMOORA (Multi-objective Optimization by Ratio Analysis Plus Full Multiplicative Form) approach uses a single-valued neutrosophic set to handle directly with the uncertainty of the starting point. Developing a decision-support system that takes into account the new conceptual composite framework we offer for selecting criteria, alternatives, and other aspects of leadership and information security policy in hotels is a feasible next step.

Identifying Factors of Non-Compliance, Compliance with Information Security Policy, and Behavior Change to Compliance: Literature Review

This paper aims to build a process model that converts employees' non-compliance into compliance. The authors evaluated articles that studied the association between information security behavior and information security policy compliance (ISPC). The authors used grounded theory in this comprehensive literature review. The idea helps researchers study issues in depth and breadth, using the five main approach steps (to define, search, select, analyze, and display). The ISPC analysis placed a greater emphasis on compliance than on non-compliance. Value conflicts, stress due to security issues, and neutralization cause the lack of compliance. This review identified 22 studies that met its criterion for inclusion. Compliance increased for both internal and external causes, as well as for protection. Social circle, management, and company culture motivate employees to be security-aware. Deterrence strategies, managerial practices, culture, and awareness of information security help staff adhere to the rules. Information security is jeopardized when employees do not value ISPC. ISPC studies usually distinguish compliance and non-compliance. The literature lacks a complete grasp of the elements that change employees' Non-compliance to compliance. We conducted a systematic literature review on information security behavior toward ISPC in various settings: research frameworks, research designs, and research methodologies throughout the last decade. This systematic review has implications for information security behavior. This research details a behavior-change technique. The conversion helps security professionals comprehend employee non-compliance and helps them comply. According to research, most security professionals develop information security policies generically, which leads to non-compliance. Most researchers agree that information security policies should be organization-specific. This study explored significant compliance/non-compliance characteristics to help design information security policies.