29 research outputs found

    A Conceptual Model for Explaining Violations of the Information Security Policy (ISP): A Cross Cultural Perspective

    This paper is an attempt to develop a model that explores the factors that affect the frequency of violations of information security policies (ISPs). Additionally, it examines the moderating effect of cultural attributes on the frequency of ISP violations. Does national culture affect the way managers and employees perceive and practice ISPs? If we understand why ISPs are violated, perhaps we can deter future violations before they occur. We look at three groups of factors and the impact they have on the frequency of violations of ISPs. The factors examined are 1) the individual characteristics and capabilities of employees, 2) the information security policy (ISP) itself and 3) management issues. Finally, the study examines the moderating effect of Hofstede’s cultural dimensions (uncertainty avoidance, individualism/collectivism, and power distance) on the proposed model.

    Embedding Information Security Culture Emerging Concerns and Challenges

    The behaviour of employees has been identified as a key factor in the protection of organizational information. As such, many researchers have called for information security culture (ISC) to be embedded into organizations to positively influence employee behaviour towards protecting organizational information. Despite claims that ISC may influence employee behaviours to protect organizational information, there is little empirical work that examines the embedding of ISC into organizations. This paper argues that embedding ISC should not only focus on employee behaviour, but rather, in a holistic manner, involve everyone in the organization. The argument is developed through case studies in two organizations based on semi-structured interviews of respondents, observations, and document analysis from each organization. The results show that the challenges of embedding ISC are not as simple as changing employee behaviour and the technical aspects of security. Rather, the more challenging problem is how to embed ISC in a holistic manner that includes senior management support and involvement to instil awareness through mandatory training with a clear assignment of responsibility and constant enforcement of security policies and procedures. We believe that the findings will provide researchers in ISC with a broader view of how ISC can be embedded in organizations.

    Aligning the information security policy with the strategic information systems plan

    Two of the most important documents for ensuring the effective deployment of information systems and technologies within the modern business enterprise are the strategic information systems plan (SISP) and the information security policy. The strategic information systems plan ensures that new systems and technologies are deployed in a way that will support an organisation’s strategic goals, whilst the information security policy provides a framework to ensure that systems are developed and operated in a secure manner. To date, the literature with regard to the formulation of the information security policy has tended to ignore its important relationship with the strategic information systems plan, and vice versa. In this paper we argue that these two important policy documents should be explicitly and carefully aligned to ensure that the outcomes of strategically important information system initiatives are not compromised by problems with their security.

    A Rating Tool for Effective Social Media Policy Development

    Social media technologies are increasingly being adopted to support knowledge sharing and collaboration in both the private and public sectors. It has therefore become essential to develop policies guiding the use of social media within organisations. The need to protect an organisation’s interests by guiding employees’ appropriate use of social media is a key issue for senior managers. This issue has to be balanced against the benefits of empowering employees to make use of social media in flexible, innovative ways. This paper highlights the major components of a social media policy, based on the Social Media and Organisation Policy (SOMEOP) Framework. A method is proposed to enable organisations to effectively evaluate each of the components using a rating system. The framework and rating tool can be used to improve the effectiveness of policy development. A preliminary validation of the instrument indicated that the rating system can assist users with identifying and understanding policy strengths and weaknesses.

    Power Relationships in Information Systems Security Policy Formulation and Implementation

    This research argues that organizational power impacts the development and implementation of Information Systems (IS) Security policy. The study was conducted via an in-depth case study at the IT department within a large financial organization in the United States. The theoretical foundation for the research was based on Clegg’s (2002) Circuits of Power. A conceptual framework was created utilizing Circuits of Power. This was used to study power relationships and how they might affect the formulation and implementation of IS Security policy in this organization. The case study demonstrated that power relationships have a clear impact on the IS security policy process. Though there is a strong security culture at the organization and a well-defined set of processes, an improvement in the process and the ensuing security culture is possible by accounting for the effect of power relationships.

    The information security policy unpacked: A critical study of the content of university policies

    Ensuring the security of corporate information, which is increasingly stored, processed and disseminated using information and communications technologies (ICTs), has become an extremely complex and challenging activity. This is a particularly important concern for knowledge-intensive organisations, such as universities, as the effective conduct of their core teaching and research activities is becoming ever more reliant on the availability, integrity and accuracy of computer-based information resources. One increasingly important mechanism for reducing the occurrence of security breaches, and in so doing protecting corporate information, is the formulation and application of a formal information security policy (InSPy). Whilst a great deal has now been written about the importance and role of the information security policy, and approaches to its formulation and dissemination, there is relatively little empirical material that explicitly addresses the structure or content of security policies. The broad aim of the study reported in this paper is to fill this gap in the literature by critically examining the structure and content of authentic information security policies, rather than simply making general prescriptions about what they ought to contain. Having established the structure and key features of the reviewed policies, the paper critically explores the underlying conceptualization of information security embedded in the policies. There are two important conclusions to be drawn from this study: 1) the wide diversity of disparate policies and standards in use is unlikely to foster a coherent approach to security management; and 2) the range of specific issues explicitly covered in university policies is surprisingly low, and reflects a highly techno-centric view of information security management.

    Designing Information Systems Security Policy Methods: A Meta-Theoretical Approach

    Information systems security policy (ISP) is the critical foundation of information systems security. Despite the criticality of the ISP, information systems security scholars have expressed concerns about the lack of theory and limited methodological support for the development of ISPs. The existing literature on ISP Development (ISPD) is scattered and lacks a meta-theoretical approach toward designing ISPD Methods (ISPDM). This paper aims to fill the gap by consolidating extant ISPD approaches and putting forth a systematic way, adopting a meta-theoretic approach, of defining essential principles for designing ISPD methods. After presenting the principles, we demonstrate that none of the existing methods is based on all the essential principles.

    The determinant of information security practices towards organizational performance in the banking sector: evidence from Nigeria

    This study examines the determinant factors of information security practices towards organizational performance among Nigerian banks. To achieve this, a framework that consists of technological, organizational, and environmental (TOE) factors is proposed, using information security culture as a mediator of the TOE factors. The framework identifies the factors influencing information security practices among Nigerian bankers. Findings using TOE will eventually lead to the improvement of organizational performance through the establishment of an information security culture among Nigerian banks. Thus, the use of information security practices will assist in reducing human factors such as errors, failures, internal incidents and social engineering attacks. A questionnaire survey was designed to obtain data on information security culture, organizational performance, and organizational, environmental and technological factors. Multiple regression was used to test for the relationship between organizational performance, information security culture and TOE factors, and the reliability and validity of the data. The findings indicated that perceived technology advancement, information security policy and procedure, international security standards, information security awareness, perceived training programs, motivation of employees and perceived job roles and responsibilities significantly influence organizational performance. The remaining variables have no statistically significant influence on organizational performance. Also, this study found that information security culture significantly mediates the relationship between organizational performance and TOE factors. Thus, the result of this study shows that the objectives of this study were achieved.

    Six Design Theories for IS Security Policies and Guidelines

    The unpredictability of the business environment drives organizations to make rapid business decisions with little preparation. Exploiting sudden business opportunities may require a temporary violation of predefined information systems (IS) security policies. Existing research on IS security policies pays little attention to how such exceptional situations should be handled. We argue that normative theories from philosophy offer insights on how such situations can be resolved. Accordingly, this paper advances six design theories (the conservative-deontological, liberal-intuitive, prima-facie, virtue, utilitarian and universalizability theories) and outlines the use of their distinctive application principles in guiding the application of IS security policies. Based on the testable design product hypotheses of the six design theories, we derive a theoretical model to explain the influence of the different normative theories on the “success” of IS security policies and guidelines.

    Measuring the Onlooker Effect in Information Security Violations

    Today’s organizations need to be assured that their critical information is secure, not leaked, and not inadvertently modified. Despite the awareness of organizations and their investment in implementing an information security management plan, information security breaches still cause financial and reputational costs for organizations. A recent report of the Ponemon Institute for 2019 showed that the global cost and frequency of data breaches increased, and negligent insiders are the root cause of most incidents. Many insider threats to cybersecurity are not malicious but are intentional. Specifically, more than 60 percent of reported incidents in 2019 were due to negligent or inadvertent employees or contractors (Ponemon Institute 2020). Many behavioral cybersecurity research projects investigate factors that influence the mitigation of information security violations, but there is still a need for a better understanding of behavioral factors. One of these factors is the perception of being overseen by onlookers: organization members to whom one’s security policy violations are visible, but who are not directly involved in the behavior. This study examines the onlooker effect through the lens of Sociometer Theory and Affective Events Theory, which were used to investigate the impact of the perception of being overseen in a workplace on the intention to violate information security policies. In addition, this study tests the hypothesis that individuals in this situation experience different negative affective responses. Finally, this research tests the hypothesis that perceived onlooker threat intensifies these relationships by examining its moderating influence. An experimental vignette study was conducted on the Qualtrics platform with a currently employed population who are aware of the information security policies in their organizations, to determine responses to treatment conditions. The results suggested that the interaction of the perceived presence of onlookers and perceived onlooker threat results in experiencing negative affective responses such as shame, guilt, fear, and embarrassment. Moreover, the results showed that employees experiencing fear, guilt, or embarrassment report lower intention to violate information security policies. Overall, this research advances the understanding of the onlooker effect and the essential role of perceived onlooker threat. This study has substantial theoretical and practical implications for information security scholars and practitioners.