18 research outputs found

    Information Security Culture Concept towards Information Security Compliance: A Comparison between IT and Non-IT Professionals

    This paper examines the factors determining a positive Information Security Culture (ISC) concept and the influence of ISC towards ISP compliance intention (INT) between IT and non-IT professionals in Malaysian public universities. Partial least squares structural equation modelling, using PLS MGA, is used to assess the measurement and structural models, and to compare the results between the two groups. Results indicate that all factors contribute significantly towards ISC in both groups, with two out of seven ISC factors showing significant differences. This study has revealed that although both groups have the same ISC factors, IT and non-IT professionals differ significantly in their belief that Top Management Commitment and Information Security Knowledge are required for implementing a positive ISC. In addition, there is a significant difference between these two groups in terms of the influence of ISC towards ISP compliance intention. ISC has less influence towards INT for non-IT professionals compared to IT professionals within the same ISC. These empirical findings would benefit the formulation of better security strategies by providing appropriate efforts for different groups of employees in organizations. This study also provides a total cyber security solution for improving information security culture and employees’ compliance towards Information Security Policy.

    How to Cultivate Cyber Security Culture? The Evidences from Literature

    Cyber Security Culture (CSC) is a culture that could produce a secure cyber space and could improve the quality of cyber world engagement. Despite the many benefits that CSC could offer, there is a lack of models and guidelines on how to cultivate this culture. This paper discusses the concept of a CSC model in terms of the elements that form the model, to suggest how CSC could be cultivated. The Information Security Culture (ISC) model developed by [1] is used as a framework in discussing the concept of CSC. A literature search is also conducted to find and analyse the most suitable elements for CSC. A new model of CSC was proposed as a result of this study. The findings could provide a better understanding of CSC and could be used as a baseline to conduct more research on CSC.

    A dimension-based information security culture model for information security policy compliance behavior in Malaysian public universities

    Due to the increase of information security incidents and attacks caused by employees’ behavior, scholars and experts have recommended the establishment of a positive Information Security Culture (ISC) to guide employees’ behavior towards complying with the Information Security Policy (ISP) established in the organization. However, it is still unclear what elements or aspects are required for a positive ISC formation that would effectively influence ISP compliance behavior. Current studies still could not provide a conclusive finding on the actual influence of ISC towards ISP compliance behavior for suggesting an ISC model that effectively influences ISP compliance behavior. The inconsistency of dimensions and approaches in conceptualizing the ISC are the main gaps in current studies. ISC literature indicates that different sets of dimensions are used to conceptualize ISC in various studies. Apart from that, since some studies suggested ISC depends on cultural differences and national culture, previous findings could not be generalized to Malaysian organizations and employees. This research addresses these issues by developing an ISC model based on newly formulated dimensions for employees’ ISP compliance behavior in Malaysian public universities. In this study, ISC was conceptualized as a dimension-based concept formed by seven dimensions formulated based on widely accepted concepts of Organizational Culture and ISC. The formulated dimensions not only covered all levels in these concepts but also covered most of the ISC key factors in current literature. This ISC concept was then integrated with the most significant behavioral theory in ISP compliance behavior literature, which is the Theory of Planned Behavior, to thoroughly examine and demonstrate the effectiveness of the new ISC concept in influencing employees’ ISP compliance behavior.
The model was tested in public university settings in Malaysia, whereby a questionnaire-based survey was conducted to collect data from the employees using a convenient sampling technique due to homogeneity of the population. This study employed Structural Equation Modeling (SEM) to validate the research model. The Partial Least Squares (PLS) modeling technique was used to analyze the data via the SmartPLS 3.0 software package. The findings show that all seven formulated dimensions are relevant and significant (weightage > 0.1 and t-values > 1.65, p-values < 0.001) in contributing towards the ISC concept used in the model. The ISC concept based on these seven dimensions was also found to be significant in influencing employees’ ISP compliance behavior (R² = 0.449). These findings suggest that the seven aspects represented by the seven dimensions in the study could be used as guidelines to assess and establish a positive ISC in guiding employees’ security behavior in organizations, especially in public universities in Malaysia. The findings also reveal that the most important aspect in establishing a positive ISC is Information Security Knowledge. Moreover, the behavioral factors of Attitude, Normative Belief and Self-Efficacy were found to be significant in mediating the relationship between ISC and employees’ ISP compliance intention. These findings provide new insights and knowledge on standard issues regarding the concept of ISC based on its dimensions. They also provide a clear understanding of ISC influence towards employees’ security behavior. The model could also be used by Information Security Management (ISM) as guidelines to plan and establish effective ISC strategies and to predict security behavior in obtaining a higher level of information security and its systems in Malaysian organizations.

    Information Security Policy Compliance Behavior Based on Comprehensive Dimensions of Information Security Culture: A Conceptual Framework

    The adherence of employees towards the Information Security Policy (ISP) established in the organization is crucial in reducing information security risks. Some scholars have suggested that employees’ compliance with ISP could be influenced by the Information Security Culture (ISC) cultivated in the organization. Several studies on the impact of ISC towards ISP compliance have proposed different dimensions and factors associated with ISC, with substantial differences in each finding. This paper discusses an enhanced conceptual framework of ISP compliance behavior by addressing ISC as a multidimensional concept which consists of seven comprehensive dimensions. These newly proposed ISC dimensions were developed using all the key factors of ISC in the literature and were aligned with the widely accepted concept of organizational culture and ISC. The framework is also integrated with the most significant behavioral theory in this domain of study, which is the Theory of Planned Behavior, to provide a deeper understanding and richer findings of the compliance behavior. This framework is expected to give more accurate findings on the relationships between ISC and ISP compliance behavior.

    Exploring Studies of Information Security Culture in Malaysia

    security management in terms of improving employees’ security behavior in dealing with information assets. Many studies have been done to explore and investigate ISC in various aspects including the concepts, factors, challenges and particular applications related to assessment of ISC in an organization. However, there is no indication of the current status of ISC studies that have been done in Malaysia. This paper will discuss these matters to provide a clear picture of the ISC studies in Malaysia and analyze particular areas that need to be further explored. It revealed that there are many areas and issues still not being comprehensively examined and that a series of studies needs to be done so that better solutions relating to the ISC issues in Malaysian organizations could be formulized.

    The Significance of Main Constructs of Theory of Planned Behavior in Recent Information Security Policy Compliance Behavior Study: A Comparison among Top Three Behavioral Theories

    For a decade, from 2000 until 2010, the Theory of Planned Behavior [TPB] and its main constructs of Attitude, Normative belief and Self-efficacy have been considered a significant theory and factors in the area of ISP compliance behaviour study. However, some questions still exist, particularly on the extent to which this theory is significant in recent studies compared to other competing theories. This paper presents a comparison of the main constructs of the top three behavioral theories in predicting and explaining the recent ISP compliance studies. The studies on ISP compliance published from 2010 until 2016 will be used to analyse the significance of TPB compared to General Deterrence Theory [GDT] and Protection Motivation Theory [PMT]. The criteria of comparison are based on the significance of main constructs towards the dependent variable and the comprehensiveness of a theory’s main constructs usage in a research model from the selected studies. The results have confirmed that TPB is still relevant as the most significant in the area of ISP compliance study and its main constructs are the strongest predictors of dependent variables in most ISP compliance models compared to GDT and PMT. This paper provides a clear status on the significance of TPB and its main constructs of Attitude, Normative belief and Self-efficacy in predicting and explaining ISP compliance behavior in recent studies. It could be used by academicians as a reference for statistical evidence on the comparison of the top behavioral theories.

    Information security culture for guiding employee’s security behaviour: A pilot study

    Experts and scholars have suggested that cultivation of a positive Information Security Culture (ISC) could improve employee's security behaviour in organizations. However, specific ISC models for employee's security behaviour are limited. This paper discusses a pilot study of our research-in-progress that proposes a holistic ISC model to be used as guidance for employee's security behaviour in organizations. The ISC concept model developed in the study is represented by seven comprehensive dimensions formulated based on widely accepted concepts of Organizational Culture and ISC. These dimensions embody various aspects of ISC cultivation. The model was tested in a Malaysian public university. This study employed Partial Least Squares Structural Equation Modelling (PLS-SEM) using SmartPLS 3 software to analyze and validate the model. The findings proved that the ISC model is significant in influencing security compliance behaviour. Hence, this study contributes to the ISC literature in terms of conceptualization and empirical validation of a new ISC model based on seven comprehensive dimensions in relation to ISP compliance behaviour.

    The Formulation of Comprehensive Information Security Culture Dimensions for Information Security Policy Compliance Study

    Few studies have shown there is a significant relationship between Information Security Culture (ISC) and Information Security Policy (ISP) compliance behaviour. However, these findings still could not conclude the actual effect of ISC towards employees’ ISP compliance. There are issues of consistency and comprehensiveness of dimensions in representing the ISC concept in all previous studies. While these dimensions are different from one study to another, there are also some ISC key factors in the ISC literature that are not included in those studies. Comprehensive and more cohesive ISC dimensions that could represent all the key factors of the ISC concept should be formulated in order to get more conclusive findings on the relationship between ISC and ISP compliance behavior. This paper discusses the formulation process of new comprehensive ISC dimensions to represent a holistic concept of ISC. The underlying concepts used in this formulation are based on widely accepted concepts of organizational culture and the ISC conceptual model to make sure that the newly formulated dimensions are supportive of all levels comprised in those concepts. Seven new dimensions have been proposed. These dimensions cover most of the ISC key factors in the literature. The formulated dimensions are also supported by previous theoretical and empirical findings from various ISC-related studies. Finally, we have demonstrated that these new comprehensive dimensions could be used to represent a holistic concept of ISC to be examined in ISP compliance behavior study.

    Conceptualizing and Validating Information Security Culture as a Multidimensional Second-Order Formative Construct

    This paper discusses a pilot study on conceptualization and validation of Information Security Culture (ISC) as a multidimensional second-order formative construct. The concept was developed in our previous works, and is based on widely accepted concepts of Organizational Culture and ISC. The model is validated using samples from employees of one Malaysian public university. The Partial Least Squares Approach to Structural Equation Modeling (PLS-SEM) using SmartPLS software was used to model and analyse the data. The ISC construct was treated as a reflective formative second-order construct and analysed using the latest approach in PLS-SEM. The findings empirically support the conceptualization and validation of ISC as a reflective formative second-order construct with all seven dimensions being significant in contributing to the underlying concept of ISC. The study contributes to the ISC literature by providing new insights on the conceptualization, operationalization and validation of the ISC concept based on widely accepted concepts and approaches.