Information Systems Security Policies Research Articles

Keeping the gates closed: the effect of conflict management styles, anxiety, and technical skills on security noncompliance intention among smartphone users

ABSTRACT Using personal mobile phones for work-related purposes is an increasingly common trend in organisations yet adding to cyber security concerns. It is vital to identify employees’ characteristics that impact security noncompliance behaviours when using mobile phones at work, as it could open a channel for cyber-attacks in the enterprise's IT systems. Using the unique context of personal smartphones and building on the theoretical framework of the Dual-Concern Model, this study identifies key characteristics of employees’ intention to engage in security noncompliance activities. Through a scenario-based survey of 391 mobile phone users in the United States, we examined the impact of personal characteristics (specifically conflict management style, context-specific anxiety, and technological skills) in explaining people’s intention to demonstrate security noncompliance behaviours. Younger individuals, those with higher conflict approach tendencies, and those with online communication apprehension tend to show higher noncompliance with information system security policies. Also, technical skills were found to moderate the association of online communication apprehension with increased noncompliance with security policies. The findings offer a range of theoretical implications and practical insights for strengthening organisations’ cyber security.

Examining the effects of cognitive load on information systems security policy compliance

PurposeEnforcing employee compliance with information systems security policies (ISSP) is a herculean task for organizations as security breaches due to non-compliance continue to soar. To improve this situation, researchers have employed fear appeals that are based on protection motivation theory (PMT) to induce compliance behavior. However, extant research on fear appeals has yielded mixed findings. To help explain these mixed findings, the authors contend that efficacy formation is a cognitive process that is impacted by the cognitive load exerted by the design of fear appeal messages.Design/methodology/approachThe study draws on cognitive load theory (CLT) to examine the effects of intrinsic cognitive load, extraneous cognitive load and germane cognitive load on stimulating an individual’s efficacy and coping appraisals. The authors designed a survey to collect data from 359 respondents and tested the model using partial least squares.FindingsThe analysis showed significant relationships between cognitive load (intrinsic, extraneous, and germane) and fear, maladaptive rewards, response costs, self-efficacy and response efficacy.Originality/valueThis provides support for the assertion that fear appeals impact the cognitive processes of individuals that then in turn can potentially affect the efficacy of fear and coping appraisals. These findings demonstrate the need to further investigate how individual cognition is impacted by fear appeal design and the resulting effects on compliance intention and behavior.

Predicting Compliance of Security Policies: Norms and Sanctions

ABSTRACT This paper is motivated by the need to find reasons for the divergent findings reported in many studies that assessed the effects of social norms on IS security policy compliance, and answers multiple calls for additional research on this subject. In doing so, this paper contributes to the existing information security literature by presenting an integrated model that draws from the General Deterrence Theory, the Social Norms, and the Normality perspective. Specifically, this study investigates the effect of formal sanctions on information security policies compliance mediated by subjective, descriptive, and moral norms. The data were collected from the employees of five organizations in the Southern United States using the survey method. Quantitative analysis of the sampled data was conducted by using PLS to assess the various hypotheses. This study shows that descriptive and moral norms mediate the relationships between formal sanctions and information security compliance. The paper highlights the influence of moral norms on how IT users respond to IS security policies.

Information security policies compliance in a global setting: An employee's perspective

Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

Bad Employees: Examining Deviant Security Behaviors

ABSTRACT Control balance theory (CBT) is a control-based theory of deviant behavior When imbalances in control between an individual and their environment exist, deviant behavior can occur. However, sufficient violation motivation and the facilitating conditions must exist. Past research has shown that technology itself often provides the means for deviant behavior among organizational employees. Presently, research on employee deviance using technology is underdeveloped in the field of Information Systems. Further, no work has been done to explore CBT in the context of Information Systems Security Policy violations, which are often a form of technology-facilitated deviant behavior. This study examines, for the first time, Tittle’s full set of proposed constructs, including fear, in the context of technology-based employee security deviance. This research uses CBT to demonstrate the importance of understanding the interplay between technology and employee deviance and the role of organizations in preventing it.

Kajian Kebijakan Keamanan Sistem Informasi Sebagai Bentuk Perlindungan Kerahasiaan Pribadi Karyawan Perusahaan BFI Finance

Technology that connects computers around the world makes it possible to exchange information and data and even communicate with each other in the form of images and videos. The more valuable information is, the more security standards are needed to protect that information. The goal of computer security, among others, is to protect information. The higher the security standards provided, the higher the privacy protection of information. Protection of employee privacy in a company is one of the factors that must be considered in the implementation of information systems. Information system security policies include: System maintenance, risk management, setting access rights and human resources, security and control of information assets and server security policies. The policies that have been reviewed will not only be a form of protection for company information, but also a form of protection for the personal privacy of employees of BFI Finance Company..

Information Systems Security Policy Framework for enhanced ICT Governance in Public Institutions of Tanzania

This study developed an Information Systems Security Policy Framework relevant in governing Information and Communication Technologies (ICT) in public institutions of Tanzania. It used higher learning institutions as the case for study, The framework is to guide professionals on how to secure ICT environment. Operationally, this study used a qualitative approach. It began with a review of the literature, followed by a focus group discussion to formulate new themes for the proposed Information System Security policy framework. The output of the study suggests a policy framework with the following themes: Data and information handling, Internet and network Services Governance, the use of company-owned devices, physical security, guidelines on how to acquire new hardware and software, incident handling and reporting, monitoring and compliance, and policy administration. This study recommends the use of a new comprehensive and harmonised Information Systems Security policy framework for all public higher education institutions, for a more secure environment. In addition, the study recommends additional studies including other types of organisations for comparison.

Understanding employee's emotional reactions to ISSP compliance: focus on frustration from security requirements

ABSTRACT As the importance of information assets increases, employees are increasingly required to comply with organisational policies for information security (InfoSec). Since security-related demands lead to stressful situations, employees are likely to bypass security policies to perform their tasks. Extant literature does not sufficiently address the detrimental factors of information system security policies (ISSP). This study investigates employees’ emotional reactions to ISSP compliance from the perspectives of technostress and coping. The aim of this study is to identify behaviour antecedents of frustration in the context of InfoSec and provide factors for mitigating the negative effects of frustration on ISSP compliance intentions. This study followed a survey approach and conducted structural equation modelling using the WarpPLS program to examine its research model and hypotheses. The survey respondents comprised employees who used an enterprise digital rights management system. The results demonstrated that frustration negatively affected employees’ intentions to comply with ISSP, but these negative effects of frustration decreased when autonomy was granted. Further, this study provides critical new insights on ISSP compliance from an emotional perspective.

The Impact of Challenge Information Security Stress on Information Security Policy Compliance: The Mediating Roles of Emotions.

IntroductionInformation security policy (ISP) compliance of employees has a profound impact on organization. In the context of information technology innovation and information systems upgrade, employees’ information security behavior is one of the most crucial elements in the information security management of organizations. Based on the two-dimensional model of challenge−hindrance stressor theory and affective events theory, this study explores the mediating effects of emotions on the relationship between challenge information security stress and ISP compliance.MethodsA field quasi-experimental method was used in this study. Materials include the Challenge Information Security Stress Scale, Information System Security Policy Compliance Scale, and Emotions Scale, which were used to form the two-stage questionnaire surveys. Data of 217 employees from three Chinese companies in Shanghai and Beijing that had passed certifications for information security management system (GB/t22080-2008/ISO/IEC 27001:2005) were collected. Bootstrapping method for multiple mediation models and the Process 3.0 plug-in of SPSS 20.0 were used for data analysis.ResultsThe findings indicate that challenge information security stress has a positive effect on ISP compliance. Challenge information security stress has a positive effect on positive emotions and a negative effect on negative emotions. Positive emotions have mediating effect between challenge information security stress and ISP compliance, but negative emotions have no mediating effect.ConclusionThe research results expand the research scope of challenging stress in the two-dimensional model of challenge−hindrance stressor theory in the context of organizational information security. The findings reveal the mediating effect of positive emotions in challenge information security stress and ISP compliance relationship, which provides empirical support for the application of positive psychology in the field of management.

Exploring Employees’ Computer Fraud Behaviors using the Fraud Triangle Theory

Background: Employee computer fraud is a costly and significant problem for firms. Using the fraud triangle theory, this study explores the extent to which an employee’s perception of opportunity, rationalization, and work pressure will contribute to their likelihood of committing computer fraud (i.e., intentional, malicious, or while motivated through a self-interest gain of information systems (IS) security policy non-compliance behaviors). Method: A model is proposed and empirically validated through survey data collected from various industries from 213 computer-using employees with financial responsibilities within their organizations in the U.S. Results: This study’s findings suggest when individual employees experience high levels of work pressure, they may be more likely to commit computer fraud. Organizations can guard against this behavior by monitoring their employees’ assigned workload and performance expectations to prevent these unwanted behaviors. This study demonstrates a need for future research to investigate further the motivations employees may have besides financial greed when committing different types of computer abuse behaviors. Conclusion: This study, based upon the fraud triangle theory, empirically reveals the importance of monitoring general work pressure to guard against employees committing computer fraud behaviors. Computer fraud behaviors should be considered a distinct type of information security violation behavior.

Information Systems Security Threats and Vulnerabilities: A Case of the Institute of Accountancy Arusha (IAA)

All modern computer users need to be concerned about information system security (individuals and organisations). Many businesses established various security structures to protect information system security from harmful occurrences by implementing security procedures, processes, policies, and information system security organisational structures to ensure data security. Despite all the precautions, information security remains a disaster in Tanzania’s learning institutions. The fundamental issue appears to be a lack of awareness of crucial information security factors. Various companies have different security issues due to differences in ICT infrastructure, implementations, and usage. The study focuses on identifying information system security threats and vulnerabilities in public higher learning institutions in Tanzania, particularly the Institute of Accountancy Arusha (IAA). The study involved all employees of IAA, academics, and other supporting staff, which totalled 302, and the sample size was 170. The study utilised a descriptive research design, where the quantitative methodology was used through a five-point Likert scale questionnaire, and found that key factors that affect the security of information systems at IAA include human factors, policy-related issues, work environment and demographic factors. The study proposed regular awareness and training programs; an increase in women’s awareness of information system security; proper policy creation and reviews every 4 years; promote actions that lessen information system security threats and vulnerabilities, and the creation of information system security policy documents independently from ICT policy.

Exploring information systems security implications posed by BYOD for a financial services firm

This study explores information systems security implications posed by Bring Your Own Device concept in financial services firms. Thus, the findings and recommendations from this study will help financial services and other organisations to be cognisant of the importance of BYOD policy formulation. The use of BYOD has become prevalent in the workplace due to the increased dependence on the Internet and advancements in technologies. It is beneficial to the organisation in that employees buy, use and insure their own devices, thus, the organisation does not bear these costs. However, there is a huge cost to the company if the use and connection of BYODs to the company’s Information Technology infrastructure is not regulated and monitored. BYODs expose information and information systems assets to threat actors. Financial institutions handle very sensitive information, making them a target for data breach and the adoption of BYODs more hazardous. A qualitative research method was conducted with eight (8) purposefully selected participants working in the Risk, IT and Information Systems Security departments of the financial institution. Telephonic interviews were conducted in line with the national protocols of the global Corona Virus Disease-2019 (COVID-19) pandemic. The study revealed the absence of a BYOD policy and employees could use any number of personal devices without restrictions. Users were aware of information systems security policies and protocols because of the annual training and awareness programmes.

Factors influencing information security compliance: an institutional perspective

Information is the critical resource of modern organization that needs to be protected from both internal and external threats so as to sustain in this competitive business environment. In order to do so, comprehensive security policy must be formulated and implemented. Every employee of the organization must comply with the organization’s security policy. Although organizations implement information security policy, it is commonly observed that employees do not comply with the organization information security policy. The purpose of this research was to identify organizational factors that shape employees behavior to comply with information system security policy in Ethio-telecom. Data were collected via using survey method. Multiple linear regression was used as data analysis method. The study result showed that management support, awareness and training, and accountability are leading organizational factors that shape employees behavior to comply with the existing information system security policy. This is a single case study; it cannot be generalized for other organizations. Other researchers can replicate this research for generalizability of the research findings across different contexts.

A PRACTICAL MATURITY FOR INFORMATION SECURITY POLICY IN ORGANIZATIONS

ABSTRACT The Information Systems Security Policy reflects the Management’s expectations and requirements concerning the Information System. It shall take account, at a minimum, of the needs relating to the availability, confidentiality, and privacy of the software and data used and exchanged on networks and systems and shall consolidate a collection of scientific, operational, legal and human security rules and standards to ensure an efficient and homogeneous level of security. The paper aims to examine what controls are widely used and how they are implemented in the Middle East and North Africa MENA area to apply a realistic information management strategy in large public organizations. The finding will assist in adopting an efficient information security policy.

High-Risk Deviant Decisions: Does Neutralization Still Play a Role?

Extant research has shown that neutralization processes can enable potential IS security policy violators to justify their behavior and overcome the deterrence effect of sanctions in order to engage in unethical behaviors. However, such sanctions are typically moderate and not career ending. We test the boundary conditions of this theory by evaluating whether neutralization plays a role in overcoming the impact of extreme levels of deterrence. We extend the Siponen and Vance (2010) framework within a professional context that assigns extreme sanctions to violators. Using the scenario-based factorial survey method common in IS security research, we collected data from future auditors who understand these extreme sanctions. We test the reasons that auditors may use to form intentions to falsify information concerning an information security issue with a company’s accounting information system, thereby jeopardizing data integrity and security by modifying working papers to hide irregularities and, by doing so, violating their professional standards, which could result in career-ending sanctions. We empirically validated and tested the theoretical model. Our results show that sanctions play an important role in reducing employees’ intentions to violate policy but that, even under extreme boundary conditions, employees might seek to rationalize their unethical behavior by denying responsibility for their actions through, for example, arguing that their supervisors pressured them into performing the violations. We also establish that messages heightening the awareness and perceptions of the certainty and severity of organizational punishment are likely to attenuate such deviant behaviors. We discuss the implications of these findings and suggest future avenues for research.

Exploring IS security themes: a literature analysis

ABSTRACT This study presents a literature review of the Information Systems (IS) security field. The purpose of this review is to identify IS 'security themes'. Articulating IS 'security themes' can assist in making effective decisions and reducing risks faced by organisations. This review analyses 87 journal articles from the AIS Senior Scholars' Basket of Journals, and journals recommended by the AIS Special Interest Group in Information Security and Privacy (SIGSEC). An inductive approach to open coding was followed which led to the emergence of twelve IS 'security themes'. Based on our analysis, we found significant research focus on certain 'security themes' (e.g. IS Security Policy, IS Security Behaviour, IS Security Management, and IS Security Awareness) over others (e.g. IS Security Knowledge, IS Security Ethics, and IS Security Investment). We also examine the role of Security Education, Training, and Awareness (SETA) programmes across the IS 'security themes' and provide some initial observations.

The role of norms in information security policy compliance

PurposeThe purpose of this paper is to determine which factors influence information system security policy compliance. It examines how different norms influence compliance intention.Design/methodology/approachBased on relevant literature on information system security policy compliance, a research model was developed and validated. An online questionnaire was used to gather data from respondents and partial least square structural equation modelling (PLS-SEM) was used to analyse 432 responses received.FindingsThe results indicated that attitude towards information security compliance mediates the effects of personal norms on compliance intention. In addition, descriptive and subjective norms are significant predictors of personal norms.Originality/valueThough advancement in technology has reached significant heights, it is still inadequate to guaranteed information systems’ security. Researchers have identified humans to be central in ensuring information security. To this effect, this study provides empirical evidence of the role of norms in influence information security behaviour.

Exploring the role of intrinsic motivation in ISSP compliance: enterprise digital rights management system case

PurposeEmployee compliance with information system security policies (ISSPs) has been emphasized as a key factor in protecting information assets against insider threats. Even though previous studies have identified extrinsic factors (in the form of external pressure, rewards and social norms) influencing employee compliance, the functioning of employees' intrinsic motivation has not been clearly analyzed. Thus, the aim of this study is to explore the influence of intrinsic motivations on employees' ISSP compliance.Design/methodology/approachThis study follows a survey approach and conducts structural equation modeling using WarpPLS 5.0 to test the research model and hypotheses. The survey respondents are users of an enterprise digital rights management (EDRM) system.FindingsThe analysis results demonstrate that work impediments, perceived responsibility and self-efficacy significantly influence the intention to comply with ISSP. Additionally, autonomy significantly affects self-efficacy and perceived responsibility. Furthermore, autonomy plays a moderating role in the relationship between work impediment and ISSP compliance intentions.Originality/valueThis study initiatively explores the effect of intrinsic motivations on ISSP compliance intention of employees for a specific information security system (i.e. the EDRM system). This study clarifies the enabling role of intrinsic motivations in ISSP compliance and helps organizations to understand that employee's self-motivated intention, i.e. autonomy, is an essential factor that achieves a higher level of ISSP compliance in the workplace.

Information system security policy noncompliance: the role of situation-specific ethical orientation

PurposeThis study examines how neutralization strategies affect the efficacy of information system security policies. This paper proposes that neutralization strategies used to rationalize security policy noncompliance range across ethical orientations, extending from those helping the greatest number of people (ethics of care) to those damaging the fewest (ethics of justice). The results show how noncompliance differs between genders based on those ethical orientations.Design/methodology/approachA survey was used to measure information system security policy noncompliance intentions across six different hypothetical scenarios involving neutralization techniques used to justify noncompliance. Data was gathered from students at a mid-western, comprehensive university in the United States.FindingsThe empirical analysis suggests that gender does play a role in information system security policy noncompliance. However, its significance is dependent upon the underlying neutralization method used to justify noncompliance. The role of reward and punishment is contingent on the situation-specific ethical orientation (SSEO) which in turn is a combination of internal ethical positioning based on one's gender and external ethical reasoning based on neutralization technique.Originality/valueThis study extends ethical decision-making theory by examining how the use of punishments and rewards might be more effective in security policy compliance based upon gender. Importantly, the study emphasizes the interplay between ethics, gender and neutralization techniques, as different ethical perspectives appeal differently based on gender.

A Common Description and Measures for Attitude in Information Security for Organizations

Understanding employee's security behavior is required before effective security policies and training materials can be developed. The Anti-virus software, secure systems design methods, information management standards, and information systems security policies; which have been developed and implemented by many organizations; have not been successfully adopted. Information systems research is encompassing social aspects of systems research more and more in order to explain user behavior and improve technology acceptance. Theory of planned behavior (TPB) based on attitude, subjective norm, and perceived behavioral control constructs, considers intentions as cognitive antecedents of actions or behavior. This study reviews various research on attitude and finds the most common measures for attitude, which can be used in organizations to develop a method to influence employees' attitude positively with the goal of inducing positive security behavior. Further, a conceptual model for operationalizing the obtained measures for enhancing information security in organizations is presented.