Information security policies’ compliance: a perspective for higher education institutions

Hina, Sadaf; Dominic, P. D. D.

doi:10.1080/08874417.2018.1432996

Cited by 42 publications

(33 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Multiple frameworks are available to assess human intentions towards information security policies, but none of the frameworks can be used as a standard behavioral process model. All the frameworks defined in the extant literature are either specific to a sector (for example, finance, higher education) [25,26] or specific to various theories [18,24,27]. None of the previous studies has made an effort to develop a consolidated information security behavior process which can exhibit the transformation process from noncompliance to compliance.…”

Section: Introductionmentioning

confidence: 99%

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

et al. 2021

View full text Add to dashboard Cite

A grave concern to an organization’s information security is employees’ behavior when they do not value information security policy compliance (ISPC). Most ISPC studies evaluate compliance and noncompliance behaviors separately. However, the literature lacks a comprehensive understanding of the factors that transform the employees’ behavior from noncompliance to compliance. Therefore, we conducted a systematic literature review (SLR), highlighting the studies done concerning information security behavior (ISB) towards ISPC in multiple settings: research frameworks, research designs, and research methodologies over the last decade. We found that ISPC research focused more on compliance behaviors than noncompliance behaviors. Value conflicts, security-related stress, and neutralization, among many other factors, provided significant evidence towards noncompliance. At the same time, internal/external and protection motivations proved positively significant towards compliance behaviors. Employees perceive internal and external motivations from their social circle, management behaviors, and organizational culture to adopt security-aware behaviors. Deterrence techniques, management behaviors, culture, and information security awareness play a vital role in transforming employees’ noncompliance into compliance behaviors. This SLR’s motivation is to synthesize the literature on ISPC and ISB, identifying the behavioral transformation process from noncompliance to compliance. This SLR contributes to information system security literature by providing a behavior transformation process model based on the existing ISPC literature.

show abstract

Section: Introductionmentioning

confidence: 99%

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

et al. 2021

View full text Add to dashboard Cite

show abstract

“…Digitizing the educational services makes the HEIs more targeted by cybersecurity attacks, like any other organization. However, HEIs lack the security awareness needed to handle these security issues ( Hina & Dominic, 2018 ). Therefore, they could use systems such as m-learning systems with security risks ( Badwelan, Drew & Bahaddad, 2016 ).…”

Section: Related Workmentioning

confidence: 99%

“…This could happen because there is neither standards nor guidelines to be applied or forced in HEIs. Moreover, most organizations do not monitor their users’ misbehavior ( Hina & Dominic, 2018 ). Since not all IT departments in higher education institutions/universities have the same experience and understanding of how important cybersecurity is, they do not treat it as a continuous process.…”

Section: Related Workmentioning

confidence: 99%

Cybersecurity maturity assessment framework for higher education institutions in Saudi Arabia

Almomani

Ahmed

Μαγλαράς

2021

PeerJ Computer Science

View full text Add to dashboard Cite

The Saudi Arabia government has proposed different frameworks such as the CITC’s Cybersecurity Regulatory Framework (CRF) and the NCA’s Essential Cybersecurity Controls (ECC) to ensure data and infrastructure security in all IT-based systems. However, these frameworks lack a practical, published mechanism that continuously assesses the organizations’ security level, especially in HEI (Higher Education Institutions) systems. This paper proposes a Cybersecurity Maturity Assessment Framework (SCMAF) for HEIs in Saudi Arabia. SCMAF is a comprehensive, customized security maturity assessment framework for Saudi organizations aligned with local and international security standards. The framework can be used as a self-assessment method to establish the security level and highlight the weaknesses and mitigation plans that need to be implemented. SCMAF is a mapping and codification model for all regulations that the Saudi organizations must comply with. The framework uses different levels of maturity against which the security performance of each organization can be measured. SCMAF is implemented as a lightweight assessment tool that could be provided online through a web-based service or offline by downloading the tool to ensure the organizations’ data privacy. Organizations that apply this framework can assess the security level of their systems, conduct a gap analysis and create a mitigation plan. The assessment results are communicated to the organization using visual score charts per security requirement per level attached with an evaluation report.

show abstract

“…In the area of information security, personal responsibility is considered as the belief that an individual must take actions to achieve the goal of information security (LaRose et al, 2008). If individuals believe to a high extent that it is their responsibility to take control of security, this will increase the acceptable and proactive behaviors regarding information security (Anderson & Agarwal, 2010;D'Arcy & Greene, 2014;Workman et al 2008), while a lack of understanding of responsibility will result in noncompliance and breaches (Hina & Dominic, 2018). For example, Workman et al (2008) found that locus of control has a significant negative impact on subjective omissive behavior, indicating that individuals with a higher willingness to accept responsibility for information security will tend to practice information security measures.…”

Section: Hypotheses Developmentmentioning

confidence: 99%

Autonomous Motivation and Information Security Policy Compliance

Hong

2021

Journal of Organizational and End User Computing

View full text Add to dashboard Cite

Many existing studies focus on the effect of external influence mechanisms (e.g., deterrence) impacting information security policy compliance (ISPC). This study explores the formation of ISPC from an autonomous motivation perspective, based on social exchange theory and self-determination theory. Data were gathered by conducting a survey of 261 employees, with hierarchical regression analysis being used to test our hypotheses.The results indicated the following: First, job satisfaction and personal responsibility positively impact ISPC. Second, job satisfaction perceived by employees is positively linked to personal responsibility, where deterrence severity has a negative moderating effect on this relationship. Finally, personal responsibility mediates the relationship between job satisfaction and ISPC. This study suggests that organizational support should focus on promoting perceived self-determination of employees, and that deterrence should be maintained at a moderate level to adapt to the organization's security strategy and information security environment.

show abstract

Information security policies’ compliance: a perspective for higher education institutions

Cited by 42 publications

References 36 publications

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

Cybersecurity maturity assessment framework for higher education institutions in Saudi Arabia

Autonomous Motivation and Information Security Policy Compliance

Contact Info

Product

Resources

About