1
|
Palanisamy R, Norman AA, Mat Kiah ML. Employees’ BYOD Security Policy Compliance in the Public Sector. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2023. [DOI: 10.1080/08874417.2023.2178038] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 03/06/2023]
|
2
|
Anderson C, Baskerville R, Kaul M. Managing compliance with privacy regulations through translation guardrails: A health information exchange case study. INFORMATION AND ORGANIZATION 2023. [DOI: 10.1016/j.infoandorg.2023.100455] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 02/16/2023]
|
3
|
What are the trend and core knowledge of information security? A citation and co-citation analysis. INFORMATION & MANAGEMENT 2023. [DOI: 10.1016/j.im.2023.103774] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 02/17/2023]
|
4
|
COVID-19 pandemic-induced organisational cultural shifts and employee information security compliance behaviour: a South African case study. INFORMATION AND COMPUTER SECURITY 2023. [DOI: 10.1108/ics-09-2022-0152] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 01/19/2023]
Abstract
Purpose
The purpose of this preliminary empirical research study is to understand how environmental disruption such as brought on by the COVID-19 pandemic induces shifts in organisational culture, information security culture and subsequently employee information security compliance behaviour.
Design/methodology/approach
A single-organisation case study was used to develop understanding from direct experiences of organisational life. Both quantitative and qualitative data were collected using a sequential mixed methods approach, with the qualitative phase following the quantitative to achieve complementarity and completeness in analysis. For the quantitative phase, 48 useful responses were received after a questionnaire was sent to all 150–200 employees. For the qualitative phase, eight semi-structured interviews were conducted. Statistical software was used to analyse the quantitative data and NVivo software was used to analyse the qualitative data.
Findings
The pandemic-induced environmental disruption manifested as a sudden shift to work-from-home for employees, and relatedly an increase in cybercrime. The organisational response to this gave rise to shifts in both organisational and information security culture towards greater control (rule and goal orientations) and greater flexibility (support and innovation orientations), most significantly with information security culture flexibility. The net effect was an increase in employee information security compliance.
Originality/value
The vast literature on organisational culture and information security culture was drawn on to theoretically anchor and develop parsimonious measures of information security culture. Environmental disruptions such as those caused by the pandemic are unpredictable and their effects uncertain, hence, the study provides insight into the consequences of such disruption on information security in organisations.
|
5
|
Chen X, Tyran CK. A Framework for Analyzing and Improving ISP Compliance. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2023. [DOI: 10.1080/08874417.2022.2161024] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 01/19/2023]
|
6
|
Wu AY, Hanus B, Xue B, Mahto RV. Information Security Ignorance: An Exploration of the Concept and Its Antecedents. INFORMATION & MANAGEMENT 2023. [DOI: 10.1016/j.im.2023.103753] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 01/13/2023]
|
7
|
Huang R, Liang N. The influence of familiarity with Information Technology on the effects of deterrence. CURRENT PSYCHOLOGY 2022. [DOI: 10.1007/s12144-022-03857-7] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/25/2022]
|
8
|
Lin C, Wittmer JL, Luo X(R). Cultivating proactive information security behavior and individual creativity: The role of human relations culture and IT use governance. INFORMATION & MANAGEMENT 2022. [DOI: 10.1016/j.im.2022.103650] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/05/2022]
|
9
|
Ghahramani F, Yazdanmehr A, Chen D, Wang J. Continuous improvement of information security management: an organisational learning perspective. EUR J INFORM SYST 2022. [DOI: 10.1080/0960085x.2022.2096491] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/03/2022]
Affiliation(s)
- Fereshteh Ghahramani
  - School of Computing, Jarvis College of Computing and Digital Media, DePaul University
- Adel Yazdanmehr
  - Paul H. Chook Department of Information Systems and Statistics, Zicklin School of Business, Baruch College, The City University of New York
- Daniel Chen
  - Information Systems and Supply Chain Management Department, Neeley School of Business, Texas Christian University
- Jingguo Wang
  - Information Systems & Operations Management Department, College of Business Administration, University of Texas at Arlington
|
10
|
Khan NF, Yaqoob A, Khan MS, Ikram N. The Cybersecurity Behavioral Research: A Tertiary Study. Comput Secur 2022. [DOI: 10.1016/j.cose.2022.102826] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/27/2022]
|
11
|
The influence of inputs in the information security policy development: an institutional perspective. TRANSFORMING GOVERNMENT- PEOPLE PROCESS AND POLICY 2022. [DOI: 10.1108/tg-03-2022-0030] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/17/2022]
Abstract
Purpose
The purpose of this paper is to investigate what role literature-based inputs have on the information security policy (ISP) development in practice.
Design/methodology/approach
A literature review is carried out to identify commonly used inputs for ISP development in theory firstly. Secondly, through the lens of institutional theory, an interpretive approach is adapted to study the influence of literature-based inputs in the ISP development in practice. Semi-structured interviews with senior experienced information security officers and managers from the public sector in Sweden are carried out for this research.
Findings
According to the literature review, 10 inputs for ISP development have been identified. The results from the interviews indicate that the role inputs have on the ISP development serves as more than a rational tool, where organisational context, institutional pressures and the search for legitimacy play an important role.
Research limitations/implications
From the institutional perspective, this study signifies the influence of inputs on ISP development can be derived from institutionalised rules or practices established by higher authorities; actions and practices that are perceived as successful and often used by other organisations; the beliefs of what is viewed as appropriate to meet the specific pressures from stakeholders.
Practical implications
This research recommends five practical implications for practitioners working with the ISP development. These recommendations aim to create an understanding of how an ISP could be developed, considering more than the rational functionalist perspective.
Originality/value
To the best of the authors’ knowledge, it is the first of its kind in examining the role of literature-based inputs in ISP development in practice through the lens of institutional theory.
|
12
|
AlGhamdi S, Win KT, Vlahu-Gjorgievska E. Employees' intentions toward complying with information security controls in Saudi Arabia's public organisations. GOVERNMENT INFORMATION QUARTERLY 2022. [DOI: 10.1016/j.giq.2022.101721] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/24/2022]
|
13
|
Chen L, Xie Z, Zhen J, Dong K. The Impact of Challenge Information Security Stress on Information Security Policy Compliance: The Mediating Roles of Emotions. Psychol Res Behav Manag 2022; 15:1177-1191. [PMID: 35586699 PMCID: PMC9109886 DOI: 10.2147/prbm.s359277] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 01/26/2022] [Accepted: 04/23/2022] [Indexed: 11/23/2022]
Affiliation(s)
- Lin Chen
  - College of Humanities and Law, Shandong University of Science and Technology, Qingdao, 266590, People’s Republic of China
- Zongxiao Xie
  - China Financial Certification Authority, Beijing, 100054, People’s Republic of China
  - Correspondence: Zongxiao Xie, China Financial Certification Authority, 20-3, South Street of Caishikou, Xicheng District, Beijing, 100054, People’s Republic of China, Tel +86 18901086108, Email
- Jie Zhen
  - School of Management Science and Engineering, Chongqing Technology and Business University, Chongqing, 400067, People’s Republic of China
- Kunxiang Dong
  - School of Management Science and Engineering, Shandong University of Finance and Economics, Jinan, 250014, People’s Republic of China
|
14
|
Goel L, Zhang JZ, Williamson S. IT assimilation: construct, measurement, and implications in cybersecurity. ENTERP INF SYST-UK 2022. [DOI: 10.1080/17517575.2022.2052187] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/18/2022]
Affiliation(s)
- Lakshmi Goel
  - Department of Management, University of North Florida, Jacksonville, Florida, United States
- Justin Zuopeng Zhang
  - Department of Management, University of North Florida, Jacksonville, Florida, United States
- Steven Williamson
  - Department of Management, University of North Florida, Jacksonville, Florida, United States
|
15
|
Karlsson F, Kolkowska E, Petersson J. Information security policy compliance-eliciting requirements for a computerized software to support value-based compliance analysis. Comput Secur 2022. [DOI: 10.1016/j.cose.2021.102578] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.5] [Indexed: 11/03/2022]
|
16
|
Chen Y, Xia W, Cousins K. Voluntary and instrumental information security policy compliance: an integrated view of prosocial motivation, self-regulation and deterrence. Comput Secur 2022. [DOI: 10.1016/j.cose.2021.102568] [Citation(s) in RCA: 2] [Impact Index Per Article: 1.0] [Indexed: 11/27/2022]
|
17
|
Walser R, Cram WA, Bernroider EW, Wiener M. Control choices and enactments in IS development projects: Implications for legitimacy perceptions and compliance intentions. INFORMATION & MANAGEMENT 2021. [DOI: 10.1016/j.im.2021.103522] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 11/15/2022]
|
18
|
Donalds C, Barclay C. Beyond technical measures: a value-focused thinking appraisal of strategic drivers in improving information security policy compliance. EUR J INFORM SYST 2021. [DOI: 10.1080/0960085x.2021.1978344] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 10/20/2022]
Affiliation(s)
- Charlette Donalds
  - Mona School of Business & Management, University of the West Indies at Mona, Mona, Jamaica
- Corlane Barclay
  - Smart Projects 360, Kensington Crescent, Kingston 5, Jamaica
|
19
|
Chen Y, Galletta DF, Lowry PB, Luo X(R), Moody GD, Willison R. Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model. INFORMATION SYSTEMS RESEARCH 2021. [DOI: 10.1287/isre.2021.1014] [Citation(s) in RCA: 14] [Impact Index Per Article: 4.7] [Indexed: 11/20/2022]
Abstract
A key approach in many organizations to address the myriad of information security threats is encouraging employees to better understand and comply with information security policies (ISPs). Despite a significant body of academic research in this area, a commonly held but questionable assumption in these studies is that noncompliance simply represents the opposite of compliance. Hence, explaining compliance is only half of the story, and there is a pressing need to understand the causes of noncompliance, as well. If organizational leaders understood what leads a normally compliant employee to become noncompliant, future security breaches might be avoided or minimized. In this study, we found that compliant and noncompliant behaviors can be better explained by uncovering actions that focus not only on efficacious coping behaviors, but also those that focus on frustrated users who must sometimes cope with emotions, too. Employees working from a basis of emotion-focused coping are unable to address the threat and, feeling overwhelmed, focus only on controlling their emotions, merely making themselves feel better. Based on our findings, organizations can enhance their security by understanding the “tipping point” where employees’ focus likely changes from problem-solving to emotion appeasement, and instead push them into a more constructive direction.

Yan Chen is an associate professor at Florida International University. She received her PhD in management information systems from University of Wisconsin–Milwaukee. Her research focuses on information security management, online fraud, privacy, and social media. She has published more than 30 research papers in refereed academic journals and conference proceedings.

Dennis F. Galletta is a LEO awardee, fellow, and former president of the Association for Information Systems and professor at University of Pittsburgh since 1985. He has published 108 articles and four books. He is a senior editor at MIS Quarterly and an editorial board member at the Journal of Management Information Systems, and has been on several other boards.

Paul Benjamin Lowry is the Suzanne Parker Thornhill Chair Professor in Business Information Technology at the Pamplin College of Business at Virginia Tech. He has published more than 135 journal articles. His research areas include organizational and behavioral security and privacy; online deviance and harassment, and computer ethics; human–computer interaction, social media, and gamification; and decision sciences, innovation, and supply chains.

Xin (Robert) Luo is Endowed Regent’s Professor and full professor of MIS at the University of New Mexico. His research has appeared in leading information systems journals, and he serves as an associate editor for the Journal of the Association for Information Systems, Decision Sciences Journal, Information & Management, Electronic Commerce Research, and the Journal of Electronic Commerce Research.

Gregory D. Moody is currently Lee Professor of Information Systems at the University of Nevada Las Vegas, and director of the cybersecurity graduate program. His interests include information systems security and privacy, e-business, and human–computer interaction. He is currently a senior editor for the Information Systems Journal and Transactions on Human-Computer Interaction.

Robert Willison is a professor of management at Xi’an Jiaotong–Liverpool University. He received his PhD in information systems from the London School of Economics. His research focuses on insider computer abuse, information security policy compliance/noncompliance, software piracy, and cyber-loafing. His research has appeared in refereed academic journals such as MIS Quarterly, Journal of the Association for Information Systems, Information Systems Journal, and others.
Affiliation(s)
- Yan Chen
  - College of Business, Florida International University, Miami, Florida 33199
- Dennis F. Galletta
  - Katz Graduate School of Business, University of Pittsburgh, Pittsburgh, Pennsylvania 15260
- Xin (Robert) Luo
  - Anderson School of Management, University of New Mexico, Albuquerque, New Mexico 87131
- Gregory D. Moody
  - Lee Business School, University of Nevada, Las Vegas, Nevada 89154
- Robert Willison
  - International Business School Suzhou, Xi’an Jiaotong–Liverpool University, Suzhou, Jiangsu Province 215123, P.R. China
|
20
|
Ogbanufe O. Enhancing End-User Roles in Information Security: Exploring the Setting, Situation, and Identity. Comput Secur 2021. [DOI: 10.1016/j.cose.2021.102340] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 10/21/2022]
|
21
|
|
22
|
Using alternate reality games to find a needle in a haystack: An approach for testing insider threat detection methods. Comput Secur 2021. [DOI: 10.1016/j.cose.2021.102314] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.3] [Indexed: 11/24/2022]
|
23
|
Davis J, Agrawal D, Guo X. Enhancing users’ security engagement through cultivating commitment: the role of psychological needs fulfilment. EUR J INFORM SYST 2021. [DOI: 10.1080/0960085x.2021.1927866] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/21/2022]
|
24
|
Trang S, Nastjuk I. Examining the role of stress and information security policy design in information security compliance behaviour: An experimental study of in-task behaviour. Comput Secur 2021. [DOI: 10.1016/j.cose.2021.102222] [Citation(s) in RCA: 5] [Impact Index Per Article: 1.7] [Indexed: 11/15/2022]
|
25
|
Cyberbullying on social networking sites: A literature review and future research directions. INFORMATION & MANAGEMENT 2021. [DOI: 10.1016/j.im.2020.103411] [Citation(s) in RCA: 27] [Impact Index Per Article: 9.0] [Indexed: 11/20/2022]
|
26
|
Ameen N, Tarhini A, Shah MH, Madichie N, Paul J, Choudrie J. Keeping customers' data secure: A cross-cultural study of cybersecurity compliance among the Gen-Mobile workforce. COMPUTERS IN HUMAN BEHAVIOR 2021. [DOI: 10.1016/j.chb.2020.106531] [Citation(s) in RCA: 25] [Impact Index Per Article: 8.3] [Indexed: 11/15/2022]
|
27
|
Cram WA, Proudfoot JG, D'Arcy J. When enough is enough: Investigating the antecedents and consequences of information security fatigue. INFORMATION SYSTEMS JOURNAL 2020. [DOI: 10.1111/isj.12319] [Citation(s) in RCA: 5] [Impact Index Per Article: 1.3] [Indexed: 11/29/2022]
Affiliation(s)
- W. Alec Cram
  - School of Accounting and Finance, University of Waterloo, Waterloo, Ontario, Canada
- Jeffrey G. Proudfoot
  - Information and Process Management Department, Bentley University, Waltham, Massachusetts, USA
- John D'Arcy
  - Department of Accounting and MIS, University of Delaware, Newark, Delaware, USA
|
28
|
Posey C, Folger R. An exploratory examination of organizational insiders’ descriptive and normative perceptions of cyber-relevant rights and responsibilities. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.102038] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.5] [Indexed: 10/23/2022]
|
29
|
Rostami E, Karlsson F, Gao S. Requirements for computerized tools to design information security policies. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.102063] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/23/2022]
|
30
|
Sarkar S, Vance A, Ramesh B, Demestihas M, Wu DT. The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context. INFORMATION SYSTEMS RESEARCH 2020. [DOI: 10.1287/isre.2020.0941] [Citation(s) in RCA: 10] [Impact Index Per Article: 2.5] [Indexed: 11/20/2022]
Affiliation(s)
- Sumantra Sarkar
  - School of Management, Binghamton University, State University of New York, Binghamton, New York 13902
- Anthony Vance
  - Fox School of Business, Temple University, Philadelphia, Pennsylvania 19122
- Daniel Thomas Wu
  - Emergency Medicine, Emory University Hospital, Emory University School of Medicine, Atlanta, Georgia 30303
|
31
|
Palanisamy R, Norman AA, Kiah MLM. Compliance with bring your own device security policies in organizations: A systematic literature review. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.101998] [Citation(s) in RCA: 9] [Impact Index Per Article: 2.3] [Indexed: 11/29/2022]
|
32
|
Kumar S, Biswas B, Bhatia MS, Dora M. Antecedents for enhanced level of cyber-security in organisations. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2020. [DOI: 10.1108/jeim-06-2020-0240] [Citation(s) in RCA: 8] [Impact Index Per Article: 2.0] [Indexed: 11/17/2022]
Abstract
Purpose
The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.
Design/methodology/approach
The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).
Findings
The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.
Research limitations/implications
This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.
Originality/value
The originality of this research is combining both technical and human resource perspective in identifying the determinants of enhanced level of cyber-security in the organisations.
|
33
|
Solomon G, Brown I. The influence of organisational culture and information security culture on employee compliance behaviour. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2020. [DOI: 10.1108/jeim-08-2019-0217] [Citation(s) in RCA: 6] [Impact Index Per Article: 1.5] [Indexed: 11/17/2022]
Abstract
Purpose
Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.
Design/methodology/approach
A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.
Findings
Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.
Practical implications
Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.
Originality/value
This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.
|
34
|
Liu C, Wang N, Liang H. Motivating information security policy compliance: The critical role of supervisor-subordinate guanxi and organizational commitment. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2020. [DOI: 10.1016/j.ijinfomgt.2020.102152] [Citation(s) in RCA: 15] [Impact Index Per Article: 3.8] [Indexed: 10/24/2022]
|
35
|
Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures. INFORMATION & MANAGEMENT 2020. [DOI: 10.1016/j.im.2019.103212] [Citation(s) in RCA: 21] [Impact Index Per Article: 5.3] [Indexed: 11/21/2022]
|
36
|
Herath TC, Herath HSB, D'Arcy J. Organizational Adoption of Information Security Solutions. DATA BASE FOR ADVANCES IN INFORMATION SYSTEMS 2020. [DOI: 10.1145/3400043.3400046] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.0] [Indexed: 10/24/2022]
Abstract
Information systems literature has cast organizational information security practices as a form of innovation. Using the notions of innovation adoption and diffusion of innovations, this paper develops an integrative model grounded in two theoretical perspectives, diffusion of innovation theory and the technology-organization-environment framework, to examine the adoption of information security solutions (ISS) in organizations. We specify four innovation characteristics that are specific to ISS (compatibility, complexity, costs, and perceived gain), two organizational factors (organizational readiness and top management support), and two environmental factors (external pressure and visibility) as influential toward ISS adoption. We tested our model using data collected through a survey of 368 information systems managers in North American organizations. Our findings are insightful and have important theoretical and practical implications. Overall, the results suggest that organizational and environmental factors contribute to the extent of ISS adoption above and beyond characteristics of ISS themselves. The results are consistent across two measures of ISS adoption, perceived and (self-reported) actual, thereby supporting the robustness of our findings.
|
37
|
Moeini M, Simeonova B, Galliers RD, Wilson A. Theory borrowing in IT-rich contexts: Lessons from IS strategy research. JOURNAL OF INFORMATION TECHNOLOGY 2020. [DOI: 10.1177/0268396220912745] [Citation(s) in RCA: 5] [Impact Index Per Article: 1.3] [Indexed: 11/17/2022]
Abstract
While indigenous theorizing in information systems has clear merits, theory borrowing will not, and should not, be eschewed given its appeal and usefulness. In this article, we aim at increasing our understanding of modifying of borrowed theories in IT-rich contexts. We present a framework in which we discuss how two recontextualization approaches of specification and distinction help with increasing the IT-richness of borrowed constructs and relationships. In doing so, we use several illustrative examples from information systems strategy. The framework can be used by researchers as a tool to explore the multitude of ways in which a theory from another discipline can yield the understanding of IT phenomena.
Affiliation(s)
- Robert D Galliers
  - The University of Warwick, UK
  - Loughborough University, UK
  - Bentley University, USA
|
38
|
Smart City Development in Taiwan: From the Perspective of the Information Security Policy. SUSTAINABILITY 2020. [DOI: 10.3390/su12072916] [Citation(s) in RCA: 8] [Impact Index Per Article: 2.0] [Indexed: 11/16/2022]
Abstract
A smart city is developed through the Internet of Things (IoT), cloud computing, big data, mobile Internet, and other new generation technologies regarding information and communication, and data resources in various fields are integrated and applied. The issue of information security in the network era is the strategic focus, as well as the focus of people’s attention, during Taiwan’s smart city construction. Information security policies are the information security guidelines for organizations, and are key to the organization’s information security performance; moreover, such policies show the organization’s support and commitment to the information security of smart cities. This paper discusses the model of information security policy in Taiwan’s smart cities, uses Path Analysis to explore the characteristics of information security policy in smart cities, and examines the relationship between the formulation, implementation, maintenance, and effectiveness of information security policies. Furthermore, this study examines the impact on the effectiveness of organizational information security policies and information security performance from the following aspects: The length of information security policy publication time, policy review, policy advocacy, employee compliance, fair law enforcement, etc., which are all concrete manifestations of the formulation, implementation, and maintenance of information security policy models. Through a questionnaire survey, the correlation between various assumptions, as well as the relationship between organizational information security characteristics, information security policies, and the effectiveness of information security, are verified one by one during the implementation of information security policies. Finally, conclusions and implications are put forward.
|
39
|
Information system security policy noncompliance: the role of situation-specific ethical orientation. INFORMATION TECHNOLOGY & PEOPLE 2020. [DOI: 10.1108/itp-03-2019-0109] [Citation(s) in RCA: 7] [Impact Index Per Article: 1.8] [Indexed: 11/17/2022]
Abstract
Purpose
This study examines how neutralization strategies affect the efficacy of information system security policies. This paper proposes that neutralization strategies used to rationalize security policy noncompliance range across ethical orientations, extending from those helping the greatest number of people (ethics of care) to those damaging the fewest (ethics of justice). The results show how noncompliance differs between genders based on those ethical orientations.
Design/methodology/approach
A survey was used to measure information system security policy noncompliance intentions across six different hypothetical scenarios involving neutralization techniques used to justify noncompliance. Data was gathered from students at a mid-western, comprehensive university in the United States.
Findings
The empirical analysis suggests that gender does play a role in information system security policy noncompliance. However, its significance is dependent upon the underlying neutralization method used to justify noncompliance. The role of reward and punishment is contingent on the situation-specific ethical orientation (SSEO) which in turn is a combination of internal ethical positioning based on one's gender and external ethical reasoning based on neutralization technique.
Originality/value
This study extends ethical decision-making theory by examining how the use of punishments and rewards might be more effective in security policy compliance based upon gender. Importantly, the study emphasizes the interplay between ethics, gender and neutralization techniques, as different ethical perspectives appeal differently based on gender.
|
40
|
Yazdanmehr A, Wang J, Yang Z. Peers matter: The moderating role of social influence on information security policy compliance. INFORMATION SYSTEMS JOURNAL 2020. [DOI: 10.1111/isj.12271] [Citation(s) in RCA: 24] [Impact Index Per Article: 6.0] [Indexed: 11/28/2022]
Affiliation(s)
- Adel Yazdanmehr
- Paul H. Chook Department of Information Systems and Statistics, Zicklin School of Business, Baruch College, The City University of New York, New York City, New York, USA
- Jingguo Wang
- Department of Information Systems and Operations Management, College of Business, The University of Texas at Arlington, Arlington, Texas, USA
- Zhiyong Yang
- Department of Marketing, Entrepreneurship, Sustainable Tourism and Hospitality, Bryan School of Business and Economics, University of North Carolina at Greensboro, Greensboro, North Carolina, USA
|
41
|
Stakeholder perceptions of information security policy: Analyzing personal constructs. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2020. [DOI: 10.1016/j.ijinfomgt.2019.04.011] [Citation(s) in RCA: 19] [Impact Index Per Article: 4.8] [Indexed: 11/22/2022]
|
42
|
Schinagl S, Shahim A. What do we know about information security governance? INFORMATION AND COMPUTER SECURITY 2020. [DOI: 10.1108/ics-02-2019-0033] [Citation(s) in RCA: 9] [Impact Index Per Article: 2.3] [Indexed: 11/17/2022]
Abstract
Purpose
This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG.
Design/methodology/approach
The intention of the authors was to conduct a systematic literature review. However, owing to limited empirical papers in ISG research, this paper is more conceptually organised.
Findings
This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organizations must also develop strategies to ensure resilient businesses to take advantage of the opportunities that digitalization can bring.
Research limitations/implications
The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research.
Practical implications
This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation.
Social implications
This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in what parties they assign business to.
Originality/value
This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.
|
43
|
|
44
|
Predicting employee information security policy compliance on a daily basis: The interplay of security-related stress, emotions, and neutralization. INFORMATION & MANAGEMENT 2019. [DOI: 10.1016/j.im.2019.02.006] [Citation(s) in RCA: 25] [Impact Index Per Article: 5.0] [Indexed: 11/18/2022]
|
45
|
Pérez-González D, Preciado ST, Solana-Gonzalez P. Organizational practices as antecedents of the information security management performance. INFORMATION TECHNOLOGY & PEOPLE 2019. [DOI: 10.1108/itp-06-2018-0261] [Citation(s) in RCA: 15] [Impact Index Per Article: 3.0] [Indexed: 11/17/2022]
Abstract
Purpose
The purpose of this paper is to expand current knowledge about the security organizational practices and analyze its effects on the information security management performance.
Design/methodology/approach
Based on the literature review, the authors propose a research model together with hypotheses. The survey questionnaires were developed to collect data, which then validated the measurement model. The authors collected 111 responses from CEOs at manufacturing small- and medium-sized enterprises (SMEs) that had already implemented security policies. The hypothesized relationships were tested using the structural equation model approach with EQS 6.1 software.
Findings
Results validate that information security knowledge sharing, information security education and information security visibility, as well as security organizational practices, have a positive effect on the information security management performance.
Research limitations/implications
The consideration of organizational aspects of information security should be taken into account by academics, practitioners and policymakers in SMEs. Besides, the work helps validate novel constructs used in recent research (information security knowledge sharing and information security visibility).
Practical implications
The authors extend previous works by analyzing how security organizational practices affect the performance of information security. The results suggest that an improved performance of information security in the industrial SMEs requires innovative practices to foster knowledge sharing among employees.
Originality/value
The literature recognizes the need to develop empirical research on information security focused on SMEs. Besides the need to identify organizational practices that improve information security, this paper empirically investigates SMEs’ organizational practices in the security of information and analyzes its effects on the performance of information security.
|
46
|
Gwebu KL, Wang J, Hu MY. Information security policy noncompliance: An integrative social influence model. INFORMATION SYSTEMS JOURNAL 2019. [DOI: 10.1111/isj.12257] [Citation(s) in RCA: 15] [Impact Index Per Article: 3.0] [Indexed: 11/30/2022]
Affiliation(s)
- Kholekile L. Gwebu
- Associate Professor of Decision Sciences, Peter T. Paul College of Business and Economics, University of New Hampshire, Durham, New Hampshire 03824‐3593
- Jing Wang
- Associate Professor of Decision Sciences, Peter T. Paul College of Business and Economics, University of New Hampshire, Durham, New Hampshire 03824‐3593
- Michael Y. Hu
- Emeritus Bridgestone Professor of International Business, Kent State University, Kent, Ohio 44240
|
47
|
Connolly LY, Lang M, Wall DS. Information Security Behavior: A Cross-Cultural Comparison of Irish and US Employees. INFORMATION SYSTEMS MANAGEMENT 2019. [DOI: 10.1080/10580530.2019.1651113] [Citation(s) in RCA: 6] [Impact Index Per Article: 1.2] [Indexed: 10/26/2022]
Affiliation(s)
- Michael Lang
- Business Information Systems, National University of Ireland Galway, Galway, Ireland
|
48
|
Niemimaa M, Niemimaa E. Abductive innovations in information security policy development: an ethnographic study. EUR J INFORM SYST 2019. [DOI: 10.1080/0960085x.2019.1624141] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.4] [Indexed: 10/26/2022]
Affiliation(s)
- Marko Niemimaa
- Faculty of Information Technology, University of Jyvaskyla, Jyvaskyla, Finland
- Elina Niemimaa
- Faculty of Information Technology, University of Jyvaskyla, Jyvaskyla, Finland
|
49
|
Kessler SR, Pindek S, Kleinman G, Andel SA, Spector PE. Information security climate and the assessment of information security risk among healthcare employees. Health Informatics J 2019; 26:461-473. [PMID: 30866704 DOI: 10.1177/1460458219832048] [Citation(s) in RCA: 26] [Impact Index Per Article: 5.2] [Indexed: 11/17/2022]
Abstract
Since 2009, over 176 million patients in the United States have been adversely impacted by data breaches affecting Health Insurance Portability and Accountability Act-covered institutions. While the popular press often attributes data breaches to external hackers, most breaches are the result of employee carelessness and/or failure to comply with information security policies and procedures. To change employee behavior, we borrow from the organizational climate literature and introduce the Information Security Climate Index, developed and validated using two pilot samples. In this study, four categories of healthcare professionals (certified nursing assistants, dentists, pharmacists, and physician assistants) were surveyed. Likert-type items were used to assess the Information Security Climate Index, information security motivation, and information security behaviors. Study results indicated that the Information Security Climate Index was related to better employee information security motivation and information security behaviors. In addition, there were observed differences between occupational groups with pharmacists reporting a more favorable climate and behaviors than physician assistants.
|
50
|
|