Abstract
Information security policy (ISP) noncompliance continues to impede information security in organizations. This paper consolidates the strengths of previous studies into a single, effective solution. First, the paper synthesizes the existing literature and groups the relevant ISP compliance factors into user involvement, personality types, security awareness and training, behavioral factors, and information security culture. Second, based on this literature review, a generic framework was developed to guide the development of ISP compliance frameworks in organizations; it categorizes the elements required for an ISP compliance framework into structure, content, and outcome elements. Third, the generic framework was applied to develop a composite ISP compliance framework that proposes establishing ISP compliance as a culture in organizations. Finally, an expert review assessment showed that the proposed composite ISP compliance framework was suitable, structurally sound, and fit for purpose.
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Amankwa, E., Loock, M., Kritzinger, E. (2020). A Composite Framework to Promote Information Security Policy Compliance in Organizations. In: Serrhini, M., Silva, C., Aljahdali, S. (eds) Innovation in Information Systems and Technologies to Support Learning Research. EMENA-ISTL 2019. Learning and Analytics in Intelligent Systems, vol 7. Springer, Cham. https://doi.org/10.1007/978-3-030-36778-7_51
DOI: https://doi.org/10.1007/978-3-030-36778-7_51
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-36777-0
Online ISBN: 978-3-030-36778-7
eBook Packages: Intelligent Technologies and Robotics (R0)