    The Role of Information Security Awareness for Promoting Information Security Policy Compliance in Banks

    Banks rely heavily on information security (IS) by preserving confidentiality, integrity, and availability of information. A key layer for ensuring information security is the employees, who need to be aware of possible information security issues and behave accordingly. Banks introduce information security policies (ISP) to establish required rules for IS behavior and implement information security awareness (ISA) programs, which are systematically planned ISA interventions such as structured campaigns using intranet messages or posters to educate employees and enhance their ISA. According to previous conceptual research, the most cost-effective method to prevent IS incidents is fostering ISA. The purpose of this dissertation is to explore the role of ISA for promoting employees' ISP compliance. The four stages of this dissertation project focus on organizational efforts such as ISA programs to improve employees' compliant IS behavior and on identifying predecessors for explaining employees' ISP compliance based on established scientific theories. A developmental mixed methods approach is conducted through these four stages of analysis. Primary data were collected in each stage to investigate banks operating in countries such as Austria, Germany, Czech Republic, Hungary, Slovakia, and Romania. In the first research stage, semi-structured expert interviews were conducted with operational risk and IS managers to explore banks' efforts to counteract IS incidents. The considered banks primarily use online methods such as intranet articles and conventional methods such as posters for building ISA. Second, the findings from stage one were incorporated in research stage two, in which a positivistic case study was conducted to test the Theory of Reasoned Action, Neutralization Theory, as well as the Knowledge-Attitude-Behavior model. The data were analyzed by utilizing partial least squares structural equation modeling (PLS-SEM). In addition to several qualitative interviews and an online survey at the headquarters of the case bank, data such as internal ISA materials (e.g., posters or IS intranet messages) were also analyzed. The second research stage provided empirical evidence that ISA program components affect employees' ISA, which further positively affects employees' attitudes and social norms toward compliance with ISPs, but negatively affects the use of neutralization techniques. All of these effects should eventually positively influence IS. This is shown in the chain of subsequent factors. The employees' attitudes and social norms positively affect the intention for compliant IS behavior, which is negatively affected by the use of neutralization techniques. In the third research stage, the influence of employees' perception of ISA programs on the Protection Motivation Theory was examined by conducting an online survey among German bank employees. It is demonstrated that employees' perception of ISA programs positively affects perceived severity as well as their coping mechanisms, which play the most important role in positively affecting the intention for compliant IS behavior. Surprisingly, employees' perception of ISA programs negatively affects perceived vulnerability. Moreover, perceived monitoring has a positive moderation effect on the intention-behavior link. Finally, the fourth research stage consists of a qualitative study to analyze the efforts of IS managers to enhance IS and examine how these efforts are perceived by users. Further, the inductive part of the study uncovers factors that influence the compliant IS behavior of users. Therefore, semi-structured interviews with IS managers were carried out to discover ISA program designs and categorize them according to design recommendations gained from current literature. In addition, this stage shows that individual ISP compliance seems to be connected with individual perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. To conclude, this dissertation provides several practical as well as theoretical contributions. From an academic perspective, the findings highlight the importance of attitudes, social norms, neutralization techniques, as well as coping mechanisms for employees' intentions to comply with their ISP. Future research might extend the findings by establishing and characterizing IS-enhancing social norms and exploring methods of counteracting the common use of neutralization techniques. For practitioners, analysis of the design practices of ISA programs provides a better understanding of effectively using ISA interventions in the context of banks. (author's abstract)

    Security policy compliance: User acceptance perspective

    Information security policy compliance is one of the key concerns that face organizations today. Although technical and procedural security measures help improve information security, there is an increased need to accommodate human, social and organizational factors. While employees are considered the weakest link in the information security domain, they are also assets that organizations need to leverage effectively. Employees' compliance with Information Security Policies (ISPs) is critical to the success of an information security program. The purpose of this research is to develop a measurement tool that provides better measures for predicting and explaining employees' compliance with ISPs by examining the role of information security awareness in enhancing employees' compliance with ISPs. The study is the first to address compliance intention from a users' perspective. Overall, analysis results indicate strong support for the proposed instrument and represent an early confirmation for the validation of the underlying theoretical model.

    Employees' Compliance with ISP: A Socio-Technical Conceptual Model

    Employees' compliance with Information Systems Security Policies (ISP) is critical for protecting organizational data. Both the technical side and the social aspects of IT use were shown to have significant influence on ISP compliance. However, they have been mostly studied in isolation, despite the literature's emphasis on the socio-technical nature of security. Also, while the technical side has been extensively explored, there is a scarcity of research on the social mechanisms that underlie ISP compliance. Here, we aim at bridging the gap between the technical and social sides of compliance. We also build upon Social Impact Theory to provide a more nuanced understanding of the social influence on ISP compliance. We suggest that transparency of use is associated with the three pivotal elements of social influence, namely, perceived strength, immediacy, and number of influencing sources, which trigger normative and informational forces towards compliance. The influence of organizational ISP compliance culture is also discussed.

    Trading well-being for ISP compliance: An investigation of the positive and negative effects of SETA programs

    This paper attempts to challenge existing assumptions on SETA programs as positive interventions to promote ISP compliance behaviors. Drawing upon the conservation of resources theory, we posit that SETA programs have resource-enhancing and resource-depleting effects, differentially influencing employees' ISP compliance. This paper aims to open new avenues of research by highlighting the positive and negative effects of SETA programs from a stress perspective.

    Addressing Organisational, Individual and Technological Aspects and Challenges in Information Security Management: Applying a Framework for a Case Study

    This study investigates information security management challenges in a large organisation. The aim of this study is to apply the Technological-Organisational-Individual (TOI) Framework in this organisation to determine to what extent current security management practices are informed by findings of relevant literature and standards on information security incorporated in the framework. The TOI framework is used to map factors influencing security behaviour to current practices applied by the organisation and to analyse them. Conclusions suggest that some factors that play a critical role in information security management are not adequately covered. This study also aims to provide recommendations to security managers on how to address these factors to implement security management practices that can improve ISP compliance, and to inform the literature on any additional security management practices. Further, this study includes insights into how organisations may exploit key strengths in applying information security management to achieve good security behaviour among their employees and take an adaptive approach to changing conditions, such as teleworking.

    Exploring the Factors That Contribute Towards Information Security Policy Compliance Culture

    There is over-reliance on information systems to run virtually all aspects of modern institutions. This has put more burden on information security managers to come up with more robust and efficient ways to enhance information security policy compliance. Therefore, despite existing efforts in the area of information security management, there remains a critical need for more research to be done. The existing research has also concentrated on hypothesis testing rather than a qualitative approach. So, there is an existing methodology gap that can give another alternative result that still needs to be covered. That is why we embarked on exploring the factors that influence information security compliance in organizations. The research was conducted in two universities with a diverse population. The research design was exploratory, encompassing qualitative in-depth case interviews with grounded theory as the analysis strategy. A total of 20 interviews were conducted, and each analysis was done after every few batches of interviews in line with grounded theory principles. A theoretical model was generated and discussed. Implications for the research were also discussed and recommendations made. The study found individual factors, organizational factors, and external influence to be important factors in strategizing how to increase compliance with policies. The results also showed that practitioners need to factor in a combination of elements in their strategies in order to enhance compliance with information security policies.
    Keywords: Information Security Policy Compliance Culture, Theoretical Model, Grounded Theory, Information systems security. DOI: 10.7176/IKM/10-5-05. Publication date: August 31st 202

    The impact of an employee's psychological contract breach on compliance with information security policies: intrinsic and extrinsic motivation

    Despite the rapid rise in social engineering attacks, not all employees are as compliant with information security policies (ISPs) to the extent that organisations expect them to be. ISP non-compliance is caused by a variety of psychological motivations. This study investigates the effect of psychological contract breach (PCB) of employees on ISP compliance intention (ICI) by dividing them into intrinsic and extrinsic motivation using the theory of planned behaviour (TPB) and the general deterrence theory (GDT). Data analysis from UK employees (n = 206) showed that the higher the PCB, the lower the ICI. The study also found that PCBs significantly reduced intrinsic motivation (attitude and perceived fairness) for ICI, whereas PCBs did not moderate the relationship between extrinsic motivation (sanction severity and sanction certainty) and ICI. As a result, this study successfully addresses the risks of PCBs in the field of IS security and proposes effective solutions for employees with high PCBs. Comment: 27 pages, 3 figures

    House of Cards: developing KPIs for monitoring cybersecurity awareness (CSA)

    Non-malicious insider threats continue to pose a significant concern to an organisation's cybersecurity defence strategy, yet organisations still struggle to contain such insider threats. A critical pillar for doing so rests on the development and monitoring of Cybersecurity Awareness (CSA) programmes. CSA programmes need to be both prioritised and acknowledged as an important and crucial approach to the reduction of such threats. Although CSA programmes are developed on an ad-hoc basis by many organisations, the effectiveness of such programmes and how their entire lifecycle needs to be reviewed, monitored and managed needs to be further explored. In order to do so, this paper extracts a number of key performance indicators (KPIs) for monitoring CSA programmes. The paper relies on empirical data from an in-depth case study of University X in Saudi Arabia and sensitises the research approach by using Kirkpatrick's four-level model as a theoretical scaffold. Through the combined use of Kirkpatrick's model, which is recognised as a comprehensive model for evaluating the results of training and learning programmes, and the empirical data from the case study, we offer a customised CSA-oriented model for managing cybersecurity awareness programmes, reflect on its associated KPIs, and consider broader information security management considerations.