Information Security Policy Compliance Model at Indonesian Government Institutions: A Conceptual Framework

  • Conference paper
Proceedings of the International Conference on Data Engineering 2015 (DaEng-2015)

Part of the book series: Lecture Notes in Electrical Engineering (LNEE, volume 520)

Abstract

Security breaches of confidential information have remained difficult to solve due to increased external and internal threats to organizations. The internal threat is predominantly the result of poor employee behavior towards the organization’s information security policy. If users do not comply with the information security policy, security solutions lose their efficacy. The information security policy serves as a tool to provide direction on how to manage and secure all organizational operations, including critical assets, infrastructure, people, and processes. A major challenge for organizations is encouraging employees to comply with the information security policy. The objective of this paper is to develop a model for investigating the critical factors that influence employee compliance with information security policy, based on the Technology Acceptance Model (TAM). Some researchers have extended TAM to include additional factors that influence behavior. In order to develop the model, we conducted a literature review and a discussion with information security experts from the Government and Higher Education Institutions. The factors that affect employee compliance with the organization’s information security policy have been identified. Through this study, we find that the TAM can be used to develop a model for investigating employee compliance with information security policy by extending it with organizational and national cultures.

Author information

Corresponding author

Correspondence to Hadi Syahrial.

Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Syahrial, H., Prabowo, H., Budiastuti, D., Gaol, F.L. (2019). Information Security Policy Compliance Model at Indonesian Government Institutions: A Conceptual Framework. In: Abawajy, J., Othman, M., Ghazali, R., Deris, M., Mahdin, H., Herawan, T. (eds) Proceedings of the International Conference on Data Engineering 2015 (DaEng-2015). Lecture Notes in Electrical Engineering, vol 520. Springer, Singapore. https://doi.org/10.1007/978-981-13-1799-6_41
