Employees’ Adherence to Information Security Policies: An Empirical Study

Abstract: The key threat to information security is constituted by careless employees who do not comply with information security policies. To ensure that employees comply with organizations' information security procedures, a number of information security policy compliance measures have been proposed in the past. Prior research has criticized these measures as lacking theoretically and empirically grounded principles to ensure that employees comply with information security policies. To fill this gap in research, this… Show more

“…It could be useful to develop a model that predicts how the information security culture or (more specifically) the employee behaviour could be improved in organisations with different types of organisational cultures. Similar models have been developed by Workman et al (in press) and Siponen et al (2007). Hypotheses derived from theory such as ''If employees have read the information security policy, they would have been more likely to adhere to the information security policy'' can then be explored.…”

“…Although these approaches touch on human components such as awareness and training, they do not focus on the employee or on how to direct, measure and change his/her behaviour. A number of research projects on information security focus on the human component, for instance information security awareness (Puhakainen, 2006;Kruger and Kearney, 2006), insider computer crime (Cardinali, 1995) and information security policy obedience (Vroom and Von Solms, 2004;Siponen et al, 2007). All are aimed at minimising the threat that user behaviour poses to the protection of information assets.…”

“…Quantitative research methods such as conducting surveys and the validation of frameworks and questionnaires have been deployed with great success in the information security discipline (Schlienger and Teufel, 2005;Straub et al, 2004;Straub, 1990;Workman et al, in press;Siponen et al, 2007;Woon et al, 2005). A survey is a method that organisations can use to study information security behavioural content in general, and attitude and opinions (Berry and Houston, 1993) of employees towards information security in particular.…”

A framework and assessment instrument for information security culture

“…It could be useful to develop a model that predicts how the information security culture or (more specifically) the employee behaviour could be improved in organisations with different types of organisational cultures. Similar models have been developed by Workman et al (in press) and Siponen et al (2007). Hypotheses derived from theory such as ''If employees have read the information security policy, they would have been more likely to adhere to the information security policy'' can then be explored.…”

“…Although these approaches touch on human components such as awareness and training, they do not focus on the employee or on how to direct, measure and change his/her behaviour. A number of research projects on information security focus on the human component, for instance information security awareness (Puhakainen, 2006;Kruger and Kearney, 2006), insider computer crime (Cardinali, 1995) and information security policy obedience (Vroom and Von Solms, 2004;Siponen et al, 2007). All are aimed at minimising the threat that user behaviour poses to the protection of information assets.…”

“…Quantitative research methods such as conducting surveys and the validation of frameworks and questionnaires have been deployed with great success in the information security discipline (Schlienger and Teufel, 2005;Straub et al, 2004;Straub, 1990;Workman et al, in press;Siponen et al, 2007;Woon et al, 2005). A survey is a method that organisations can use to study information security behavioural content in general, and attitude and opinions (Berry and Houston, 1993) of employees towards information security in particular.…”

A framework and assessment instrument for information security culture

“…To some extent they therefore do question the practical consequences of protecting information using solely "social and legal measures". That being said, utilizing sanctions as a means to coax people into complying with policies has been shown to effective [10].…”

Usage Control in Inter-organisational Collaborative Environments – A Case Study from an Industry Perspective

“…In terms of information security, organizational facilitation conditions of UTAUT are similar to self-efficacy of PMT. In many studies of protective behavior applying PMT, it has been found that there is a strong correlation between self-efficacy and protection behavioral intention [4,7,19]. In a survey on information security in 2016, information security budget was the most difficult factor on information security, followed by 'employment of information security professionals (34.0%)' and information security personnel management (28.1%)'.…”

A Study on Factors of Information Security Investment in the Fourth Industrial Revolution