13,711 research outputs found

    Exploring the Factors That Contribute Towards Information Security Policy Compliance Culture

    There is over-reliance on information systems to run virtually all aspects of modern institutions. This has put more burden on information security managers to come up with more robust and efficient ways to enhance information security policy compliance. Therefore, despite existing efforts in the area of information security management, there remains a critical need for more research to be done. The existing research has also concentrated on hypothesis testing rather than a qualitative approach. So, there is an existential methodology gap that can give another alternative result that still needs to be covered. That is why we embarked on exploring the factors that influence information security compliance in organizations. The research was conducted in two universities with a diverse population. The research design was exploratory, encompassing qualitative in-depth case interviews with grounded theory as the analysis strategy. A total of 20 interviews were conducted and each analysis was done after every few batches of interviews in line with grounded theory principles. A theoretical model was generated and discussed. Implications for the research were also discussed and recommendations made. The study found individual factors, organizational factors, and external influence to be important factors in strategizing how to increase compliance with policies. The results also showed that practitioners need to factor in a combination of elements in their strategies in order to enhance compliance with information security policies.
    Keywords: Information Security Policy Compliance Culture, Theoretical Model, Grounded Theory, Information systems security
    DOI: 10.7176/IKM/10-5-05
    Publication date: August 31st 202

    A Separate Phone to Work and Play: Protection Motivation Theory and Smartphone Security Behaviour

    Smartphone security is a growing concern. In this study, we use the Protection Motivation Theory (PMT) to explore users’ attitudes, perceptions and behaviours towards the security of their work-provided and personal smartphones. Australian employees from an insurance company participated in in-depth semi-structured interviews focussed on their behaviours. Data was analysed using deductive and inductive thematic analysis, guided by PMT to explore the comparisons between personal and work devices. The main overarching theme was that people behave more safely on their work smartphones compared to on their personal smartphones. Results suggest that perceived vulnerability, perceived reward, response cost, self-efficacy and social influence largely contributed to a lack of protective behaviour displayed when using personal smartphones. Despite the safe behaviour reported for work smartphones, these behaviours appear to be motivated by organisational controls, rather than intrinsically. This research has applied implications for education, relevant to both personal and workplace contexts

    Exploring Knowledge Sharing Practices for Raising Security Awareness

    This study aims to explore the types of information that can be effectively communicated in three knowledge-sharing methods and their impact on employees’ security practice. On one end, guarding the organisation’s information system against cyber-attacks is critical and improving users’ knowledge and skills is a common approach to any security program. On the other end, organisations lack a clear understanding in determining what types of security information should be delivered through various methods of communication to be effective in boosting users’ knowledge and compliance behaviour. The study employed a qualitative method using semi-structured interviews with business users in Vietnam. The initial findings indicate a single method of knowledge and skill development is not sufficient to assist users to deal with complex and constantly changing security needs. It is necessary to further experiment with methods of encouraging formal and peer knowledge sharing that can support individual effort in complying with security policies

    To Transfer or Not to Transfer: Identifying and Protecting Human Rights Interests in Non-Refoulment

    Human rights law imposes upon States an absolute duty not to transfer an individual to another State where there are substantial grounds for believing he or she will be tortured or subjected to cruel, inhuman, or degrading treatment. This protection, called non-refoulement, emanates from a theory of human rights that recognizes rights fulfillment requires States to protect those within their jurisdiction from rights violations perpetrated by third parties, including other States. Generally human rights law recognizes that resource constraints and/or competing rights restrict protection duties. But such limitations have not been recognized in the non-refoulement context. In recent years the obligation to provide non-refoulement protection has run into conflict with the State's obligation to protect its public from aliens suspected of involvement in terrorism. Expulsion is the traditional tool available to States to mitigate the threat posed by dangerous aliens. With this tool removed, States often lack an alternative route to mitigate this threat, with criminal prosecution and indefinite detention pending deportation not available for various reasons. The result has been numerous cases where States have been forced either to release dangerous aliens back onto the street, consistent with international law, or to find alternative means to deal with the threat in the shadow of human rights law. This Article argues that there is a clash of human rights duties that arises in these transfer situations: the State's duty to protect aliens from post-transfer mistreatment conflicts with its duty to protect members of the public from rights violations committed by dangerous private persons within society. Human rights law has in recent years recognized a duty on the part of States to take reasonable operational measures to protect the public from private person harms where the State knows or should know of the risk. 
In the case of dangerous aliens, these operational measures presumably would include expulsion. By depriving the State of the ability to expel dangerous aliens, non-refoulement protection places the human rights of dangerous aliens and the public into direct conflict. Recognition of this rights competition is important for two reasons. First, for too long human rights scholars and bodies have dismissed the security consequences of non-refoulement as outside the concern of human rights. Acceptance that these security consequences themselves affect human rights requires consideration of how the law should address the conflict. Second, once a rights competition is accepted, human rights law prescribes a methodology for mediating between conflicting rights: balancing. A balancing approach would allow States a margin of appreciation to determine in the first instance how to choose between competing duties. The role of human rights apparatus, including national courts, international institutions, and non-governmental organizations, is to monitor this balance and to push States where the balance chosen appears over or under rights protective. A balancing approach has at least three major advantages. First, it brings within the law both relevant sets of human rights, ensuring that the rights competition in which States are engaged is recognized by the law. This recognition allows for better monitoring by the human rights apparatus, and reduces the incentives of States to act outside of the law in protecting the public. Second, balancing reduces the security consequences for States of granting additional categories of post-transfer mistreatment non-refoulement protection-a major goal of the human rights movement-thereby increasing the likelihood States will accept such future obligations. 
Third, by balancing the need to protect rights between both the transferring and receiving States, a balancing approach may actually lead to a more comprehensive anti-torture strategy, and therefore reduced occurrence of the practice

    Information security: Listening to the perspective of organisational insiders

    Aligned with the strategy-as-practice research tradition, this article investigates how organisational insiders understand and perceive their surrounding information security practices, how they interpret them, and how they turn such interpretations into strategic actions. The study takes a qualitative case study approach, and participants are employees at the Research & Development department of a multinational original brand manufacturer. The article makes an important contribution to organisational information security management. It addresses the behaviour of organisational insiders – a group whose role in the prevention, response and mitigation of information security incidents is critical. The article identifies a set of organisational insiders’ perceived components of effective information security practices (organisational mission statement; common understanding of information security; awareness of threats; knowledge of information security incidents, routines and policy; relationships between employees; circulation of stories; role of punishment provisions; and training), based on which more successful information security strategies can be developed