11 research outputs found

    Exploring the Factors That Contribute Towards Information Security Policy Compliance Culture

    There is over-reliance on information systems to run virtually all aspects of modern institutions. This has put more burden on information security managers to come up with more robust and efficient ways to enhance information security policy compliance. Therefore, despite existing efforts in the area of information security management, there remains a critical need for more research to be done. The existing research has also concentrated on hypothesis testing rather than a qualitative approach, so there is a methodological gap that still needs to be covered and that could yield alternative results. That is why we embarked on exploring the factors that influence information security compliance in organizations. The research was conducted in two universities with a diverse population. The research design was exploratory, encompassing qualitative in-depth case interviews with grounded theory as the analysis strategy. A total of 20 interviews were conducted, and analysis was done after every few batches of interviews in line with grounded theory principles. A theoretical model was generated and discussed. Implications of the research were also discussed and recommendations made. The study found individual factors, organizational factors, and external influence to be important factors in strategizing how to increase compliance with policies. The results also showed that practitioners need to factor a combination of elements into their strategies in order to enhance compliance with information security policies.
    Keywords: Information Security Policy Compliance Culture, Theoretical Model, Grounded Theory, Information systems security
    DOI: 10.7176/IKM/10-5-05
    Publication date: August 31st 202

    The relationship between culture and information security: how can failures stemming from the 'jeitinho brasileiro' be avoided?

    Many researchers have sought to understand what leads individuals to comply with the Information Security Policies (ISPs) established by organizations. One of these strands argues that culture is an important factor, with studies of organizational culture predominating over studies of national culture. Given the country's cultural specificities, studying the relationship between its cultural traits and ISP compliance can yield insights into information security management in Brazilian organizations. This study therefore aimed to analyze how information security culture influences individuals' compliance with information security policies and the reduction of security failures associated with the 'jeitinho brasileiro'. The study is a survey applied to 196 employees of different Brazilian organizations. The results indicated that information security awareness positively influences individuals' planned behavior and negatively influences the 'jeitinho', and that both influence compliance with the information security norms established by the organization. A strong relationship was also identified between compliance with the norms and the reduction of security failures associated with the 'jeitinho brasileiro'.

    Understanding Contextual Factors of Bring Your Own Device and Employee Information Security Behaviors from the Work-Life Domain Perspective

    Bring Your Own Device (BYOD) is no longer the exception, but rather the norm. Most prior research on employees' compliance with organizational security policies has been conducted with the assumption that work takes place in a specified workplace, not remotely. However, due to advances in technology, almost every employee brings his or her own device(s) to work. Further, particularly as a result of the 2020 Covid-19 pandemic, remote working has become very popular, with many employees using their own devices for work-related activities. BYOD brings new challenges in ensuring employees' compliance with information security rules and policies by creating a gray area between the work and life domains: it diminishes the boundaries that separate them and thus affects employees' perception of them. As yet, little is known about how BYOD changes individuals' perception of work-life domains and how such perception may subsequently affect their compliance behavior. Building on prior research on information security behaviors and work-life domain management, this thesis investigates the possible effects of BYOD on employees' compliance behavior through the changes it brings about in their work-life domain perspective. It extends existing border theory by identifying and empirically validating new border-marking factors, namely device ownership and data sensitivity, in employees' interpretation of their work and life domains. Subsequently, protection motivation theory, a theory widely used in explaining employees' compliance behavior, was used to examine why and how the perception of work-life domains is relevant and necessary to consider in examining employees' intention to comply with information security policies.

    Moral Obligation and Social Influence Predictors of Compliance Behavior and Organizational Ethical Climate Among Healthcare Leaders

    The U.S. Congress has enacted many regulations, managed by branches of government such as Medicare, to ensure that healthcare organizations comply. Organizational leaders who place value on building effective compliance programs seek ways to enhance compliance. Understanding what motivates individuals to behave in a compliant way may help leaders develop programs that enhance those motivations. This nonexperimental, correlational, quantitative research study tested the relationship between the predictor variables (moral obligation and social influence) and the criterion variable (compliance behaviors) among healthcare organizational leaders, and determined the mediating effect of ethical climate on that relationship. A total of 186 managers working in U.S. healthcare organizations participated in the study. Data were collected through an online survey and analyzed using multiple linear regression analysis. The analysis showed that both moral obligation and social influence significantly impacted compliance behavior, and that ethical climate mediated each relationship. Ethical climate strengthened the relationship between the criterion variable and the predictor variables. Understanding the motivators toward compliance may be vital to developing more robust compliance programs and training, which should decrease compliance incidents, potential fraud, waste, and abuse within the healthcare organization. Healthcare organizations are one of the pillars of any community. A breakdown in compliance increases the risk of fraud. Fraud erodes trust in those that commit fraud and in the organizations that allow it. Strengthening organizational compliance strengthens trust within the organization and within the community, which may contribute to positive social change.

    Exploring Industry Cybersecurity Strategy in Protecting Critical Infrastructure

    Successful attacks on critical infrastructure have increased in frequency and sophistication. Many cybersecurity strategies incorporate conventional best practices but often do not consider organizational circumstances and nonstandard critical infrastructure protection needs. The purpose of this qualitative multiple case study was to explore cybersecurity strategies used by information technology (IT) managers and compliance officers to mitigate cyber threats to critical infrastructure. The population for this study comprised IT managers and compliance officers of 4 case organizations in the Pacific Northwest United States. The routine activity theory developed by criminologists Cohen and Felson in 1979 was used as the conceptual framework. Data collection consisted of interviews with 2 IT managers and 3 compliance officers, and 25 documents related to cybersecurity and associated policy governance. A software tool was used in a thematic analysis approach on the data collected from the interviews and documentation. Data triangulation revealed 4 major themes: a robust workforce training program is crucial, infrastructure resiliency should be made a priority, security awareness is important, and organizational leadership support and investment are important. This study revealed key strategies that may help improve the cybersecurity strategies used by IT and compliance professionals, which can mitigate successful attacks against critical infrastructure. The study findings will contribute to positive social change through an exploration and contextual analysis of cybersecurity strategy with situational awareness of IT practices to enhance cyber threat mitigation and inform business processes.

    Exploring Strategies for Enforcing Cybersecurity Policies

    Some cybersecurity leaders have not enforced cybersecurity policies in their organizations. The lack of employee cybersecurity policy compliance is a significant threat to organizations because it leads to security risks and breaches. Grounded in the theory of planned behavior, the purpose of this qualitative case study was to explore the strategies cybersecurity leaders use to enforce cybersecurity policies. The participants were cybersecurity leaders from 3 large organizations in southwest and northcentral Nigeria responsible for enforcing cybersecurity policies. The data collection included semi-structured interviews of participating cybersecurity leaders (n = 12) and analysis of cybersecurity policy documents (n = 20). Thematic analysis identified 4 primary themes: security awareness and training, communication, management support, and technology control. A key recommendation is that organizations should have a chief information security officer for oversight of cybersecurity. Employee cybersecurity compliance should be reviewed regularly throughout the year for improvement and desired cybersecurity behavior. The implications for positive social change include the potential for cybersecurity leaders to implement cybersecurity measures that could enhance the public's confidence by assuring them of the safety and confidentiality of their data, the integrity of data, and the availability of services.

    A framework to prepare an information security awareness and training programme for a provincial government department in the Eastern Cape, South Africa.

    Provincial government departments do not have good audit reports on the information security section. The underlying issues are human factors associated with employee interaction with Information and Communication Technology (ICT). The problem to be addressed is how a provincial government should focus on employees' information security awareness so that there is a lasting improvement in information security culture, in order to realise unqualified government audits for information security. A case study approach focused on the provincial government departments in the Eastern Cape Province was used. The primary data was collected using semi-structured interviews containing questions related to information security awareness. Microsoft Teams was used to conduct online semi-structured interviews with 12 provincial government IT staff from two identified provincial departments. The data was analysed using thematic analysis, with MS Excel used for coding. The findings were then used to determine the outcome of this study, which is the framework for preparing an information security awareness programme. The outcome of the study was achieved by condensing the themes that emerged in both the primary and secondary data. The framework was then explained as a way of recommending the importance of preparing information security awareness and training programmes in changing information security behaviour. The derived artefact of this study is an information security awareness framework that can be utilised in a provincial government department to increase the awareness of information security amongst government employees.
    The contribution of this study is a framework, based on Protection Motivation Theory and Organisational Culture, to ascertain employees' actions in relation to information risks and threats; to set out the requirements for preparing an information security awareness programme for public sector employees; and to determine the requirements to be considered when building an information security culture in provincial government departments. The proposed framework can then be used to establish an information security culture within the government departments, which will mitigate security risks and threats. The significance of this study, as per the constructs of ISA and training, is that it can challenge thinking on how ISA can be prepared not only for provincial government but also for state-owned entities or local government. Thesis (MCom) (Information Systems) -- University of Fort Hare, 202