Research Article

A Theoretical Model for Information Security Policy Compliance Culture

by Erick. O. Otieno, Agnes N. Wausi, Andrew M. Kahonge
International Journal of Applied Information Systems
Foundation of Computer Science (FCS), NY, USA
Volume 12 - Number 33
Year of Publication: 2020
Authors: Erick. O. Otieno, Agnes N. Wausi, Andrew M. Kahonge
10.5120/ijais2020451879

Erick O. Otieno, Agnes N. Wausi, Andrew M. Kahonge. A Theoretical Model for Information Security Policy Compliance Culture. International Journal of Applied Information Systems, 12(33) (September 2020), 6-14. DOI=10.5120/ijais2020451879

@article{ 10.5120/ijais2020451879,
author = { Erick. O. Otieno, Agnes N. Wausi, Andrew M. Kahonge },
title = { A Theoretical Model for Information Security Policy Compliance Culture },
journal = { International Journal of Applied Information Systems },
issue_date = { September 2020 },
volume = { 12 },
number = { 33 },
month = { September },
year = { 2020 },
issn = { 2249-0868 },
pages = { 6-14 },
numpages = {9},
url = { https://www.ijais.org/archives/volume12/number33/1098-2020451879/ },
doi = { 10.5120/ijais2020451879 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
Abstract

This paper provides a different perspective on information security management by investigating information security policy compliance culture. The results are drawn from the thesis in which the researchers sought to address this gap by employing a mixed method to develop a theoretical model. The resulting theoretical model was then validated through Confirmatory Factor Analysis using the JASP analytical software. Hypotheses derived from the emergent model formed the basis of the questionnaire instrument. This paper therefore presents the results of the validation process and synthesizes the final theoretical model constructs that explain information security policy compliance culture. The results validated the theoretical model, with all factor loadings above the 0.5 threshold and significance at p < 0.001. The resulting model shows that information security managers should consider organizational, behavioral, and external factors when developing information security policy compliance culture strategies.

Index Terms

Computer Science
Information Sciences

Keywords

Confirmatory Factor Analysis; information security policy compliance; information security management; theoretical model; information security policy compliance culture