
    Reviewing influence of UTAUT2 factors on cyber security compliance: A literature review

    Evidence suggests that, regardless of the number of technical controls in place, organizations will still experience security breaches. Organizations spend millions of dollars on their cyber security infrastructure, which includes technical and non-technical measures, but mostly disregard the most important asset and vulnerability: the human. Therefore, despite their investments, companies are not able to reap the exact benefits from their security investments because of the human/employee's non-compliance with cyber security policies and measures. Cyber security compliance is the most effective way to prevent cyber security issues and improve cyber resiliency. To effectively comply with cyber security practices and human acceptance of cyber security technologies, it is important to identify, study and analyze the factors that contribute to their compliance and implementation. This study combines and integrates contemporary literature on the factors of the UTAUT2 model related to cyber security compliance. The rationale of this study is to fill the gap of assessing the effect of factors of the UTAUT2 model on cyber security compliance. Based on this study, it can be tentatively concluded that the factors influencing technology adoption also affect users' behavior towards cyber security compliance as well as the actual cyber security compliance. This study provides a basic level idea to organizations to formulate a fully functional and useful security compliance framework for their organizations based on factors that influence their employees' intentions and behavior towards cyber security. Consequently, the study is an exciting endeavor to prevent significant security weaknesses and reduce the security breaches in the information systems by explaining different factors that strengthen the users' behavior and intentions to comply with the security. This is an ongoing study, and more information will emerge as it progresses.
This is also an ongoing investigation, and further results and findings will be published as the investigation progresses.

    A descriptive review and classification of organizational information security awareness research

    Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, was analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding.

    The economics of user effort in information security

    A significant number of security breaches result from employees' failures to comply with security policies. The cause is often an honest mistake, such as when an employee enters their password in a phishing website, believing it to be a legitimate one. It can also be a workaround when faced with an impossible task, such as when an employee has so many different passwords that they must be written down.

    The Role of Membership Rules in Regional Organizations

    This paper argues that success in the struggle for regional integration hinges foremost on the degree of heterogeneity among regional states. Regional organizations therefore must consider how to optimize their leverage to forge convergence that will foster agreement and cooperation. To do so, regional organizations can rely on inclusive designs that admit member states and then seek to mold their behavior ex post, or they can use exclusive designs that condition membership on ex ante changes in state behavior. This paper examines the success of these designs in using various ex ante versus ex post tools in soliciting cooperative behavior among regional states, arguing that ex ante tools generally have greater advantages. However, because the advantages vary by issue areas, regions may benefit from creating layers of institutions with different designs. Finally, even after admitting states, regional organizations have options for varying membership rules across different areas of cooperation. Drawing especially on the European experience, the paper considers these various forms of differentiated rules that organizations can use to forge cooperation among different groups of member states despite remaining differences.
    Keywords: Regional integration; international cooperation; membership rules

    Factors that Affect the Success of Security Education, Training, and Awareness Programs: A Literature Review

    Preventing IT security incidents poses a great challenge for organizations. Today, senior managers allocate more resources to IT security programs (especially those programs that focus on educating and training employees) in order to reduce human misbehavior—a significant cause of IT security incidents. Building on the results of a literature review, we identify factors that affect the success of security education, training, and awareness (SETA) programs and organize them in a conceptual classification. The classification contains human influencing factors derived from different behavioral, decision making, and criminology theories that lead to IT security compliance and noncompliance. The classification comprehensively summarizes these factors and shows the correlations between them. The classification can help one to design and develop SETA programs and to establish suitable conditions for integrating them into organizations.

    Creating an information systems security culture through an integrated model of employees compliance

    Employees’ non-compliance with information systems security policies has been identified as a major threat to organizational data and information systems. This dissertation investigates the process underlying information systems security compliance in organizations with the focus on employees. The process model is complex, comprising many normative, attitudinal, psychological, environmental, and organizational factors. Therefore, the study of information security compliance requires a holistic assessment of all these factors. This dissertation seeks to achieve this objective by offering a comprehensive and integrated model of employee behavior especially focused towards information security compliance. The research framework is influenced by the Reciprocal Determinism Theory which explains individuals’ psycho-social functioning in terms of triadic reciprocal causation. Several theories explain the role of various factors forming the intellectual puzzle. These are: General Deterrence Theory, Social-Exchange Theory, Social Learning Theory, Expectation-Disconfirmation Theory, Rational Choice Theory, Cognitive Dissonance Theory, Reactance Theory, and Status-Quo Bias Theory. This dissertation makes several significant contributions to literature and to practitioners. Several new factors that influence compliance decisions by employees have been proposed, namely task dissonance, self-policing, word-of-mouth, and habit. For the first time, top management support has been examined as a multi-dimensional construct which provides a better understanding of the phenomenon. Also for the first time, this dissertation constructs a process model to examine the interactions between punishment severity and certainty and top management support and normative factors. It also investigates the interactions between normative and psychological factors, namely resistance and self-policing on information security compliance.
This dissertation emphasizes that the practitioners should consider all the relevant factors in order to manage the information security compliance problem. Therefore, it is more useful to think in terms of establishing a security culture that embodies all the relevant factors prevalent in an organization. The dissertation is guided by the positivist paradigm. Hypotheses are tested and validated using established quantitative approaches, namely data collection using survey and structural equation modeling. Major findings were derived and most of the dissertation’s hypotheses were supported. The findings are discussed, and the conclusions, significant theoretical and practical implications of the findings, limitations, and recommendations for future research are presented.