Organizational information security policies: a review and research framework

COVID-19 pandemic-induced organisational cultural shifts and employee information security compliance behaviour: a South African case study

Purpose

The purpose of this preliminary empirical research study is to understand how environmental disruption such as brought on by the COVID-19 pandemic induces shifts in organisational culture, information security culture and subsequently employee information security compliance behaviour.

Design/methodology/approach

A single-organisation case study was used to develop understanding from direct experiences of organisational life. Both quantitative and qualitative data were collected using a sequential mixed methods approach, with the qualitative phase following the quantitative to achieve complementarity and completeness in analysis. For the quantitative phase, 48 useful responses were received after a questionnaire was sent to all 150–200 employees. For the qualitative phase, eight semi-structured interviews were conducted. Statistical software was used to analyse the quantitative data and NVivo software was used to analyse the qualitative data.

Findings

The pandemic-induced environmental disruption manifested as a sudden shift to work-from-home for employees, and relatedly an increase in cybercrime. The organisational response to this gave rise to shifts in both organisational and information security culture towards greater control (rule and goal orientations) and greater flexibility (support and innovation orientations), most significantly with information security culture flexibility. The net effect was an increase in employee information security compliance.

Originality/value

The vast literature on organisational culture and information security culture was drawn on to theoretically anchor and develop parsimonious measures of information security culture. Environmental disruptions such as those caused by the pandemic are unpredictable and their effects uncertain, hence, the study provides insight into the consequences of such disruption on information security in organisations.

The influence of inputs in the information security policy development: an institutional perspective

Purpose

The purpose of this paper is to investigate what role literature-based inputs have on the information security policy (ISP) development in practice.

Design/methodology/approach

A literature review is carried out to identify commonly used inputs for ISP development in theory firstly. Secondly, through the lens of institutional theory, an interpretive approach is adapted to study the influence of literature-based inputs in the ISP development in practice. Semi-structured interviews with senior experienced information security officers and managers from the public sector in Sweden are carried out for this research.

Findings

According to the literature review, 10 inputs for ISP development have been identified. The results from the interviews indicate that the role inputs have on the ISP development serves as more than a rational tool, where organisational context, institutional pressures and the search for legitimacy play an important role.

Research limitations/implications

From the institutional perspective, this study signifies the influence of inputs on ISP development can be derived from institutionalised rules or practices established by higher authorities; actions and practices that are perceived as successful and often used by other organisations; the beliefs of what is viewed as appropriate to meet the specific pressures from stakeholders.

Practical implications

This research recommends five practical implications for practitioners working with the ISP development. These recommendations aim to create an understanding of how an ISP could be developed, considering more than the rational functionalist perspective.

Originality/value

To the best of the authors’ knowledge, it is the first of its kind in examining the role of literature-based inputs in ISP development in practice through the lens of institutional theory.

The Impact of Challenge Information Security Stress on Information Security Policy Compliance: The Mediating Roles of Emotions

Introduction

Methods

Results

Conclusion

Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model

A key approach in many organizations to address the myriad of information security threats is encouraging employees to better understand and comply with information security policies (ISPs). Despite a significant body of academic research in this area, a commonly held but questionable assumption in these studies is that noncompliance simply represents the opposite of compliance. Hence, explaining compliance is only half of the story, and there is a pressing need to understand the causes of noncompliance, as well. If organizational leaders understood what leads a normally compliant employee to become noncompliant, future security breaches might be avoided or minimized. In this study, we found that compliant and noncompliant behaviors can be better explained by uncovering actions that focus not only on efficacious coping behaviors, but also those that focus on frustrated users who must sometimes cope with emotions, too. Employees working from a basis of emotion-focused coping are unable to address the threat and, feeling overwhelmed, focus only on controlling their emotions, merely making themselves feel better. Based on our findings, organizations can enhance their security by understanding the “tipping point” where employees’ focus likely changes from problem-solving to emotion appeasement, and instead push them into a more constructive direction.Yan Chen is an associate professor at Florida International University. She received her PhD in management information systems from University of Wisconsin–Milwaukee. Her research focuses on information security management, online fraud, privacy, and social media. She has published more than 30 research papers in refereed academic journals and conference proceedings.Dennis F. Galletta is a LEO awardee, fellow, and former president of the Association for Information Systems and professor at University of Pittsburgh since 1985. He has published 108 articles and four books. He is a senior editor at MIS Quarterly and an editorial board member at the Journal of Management Information Systems, and has been on several other boards.Paul Benjamin Lowry is the Suzanne Parker Thornhill Chair Professor in Business Information Technology at the Pamplin College of Business at Virginia Tech. He has published more than 135 journal articles. His research areas include organizational and behavioral security and privacy; online deviance and harassment, and computer ethics; human–computer interaction, social media, and gamification; and decision sciences, innovation, and supply chains.Xin (Robert) Luo is Endowed Regent’s Professor and full professor of MIS at the University of New Mexico. His research has appeared in leading information systems journals, and he serves as an associate editor for the Journal of the Association for Information Systems, Decision Sciences Journal, Information & Management, Electronic Commerce Research, and the Journal of Electronic Commerce Research.Gregory D. Moody is currently Lee Professor of Information Systems at the University of Nevada Las Vegas, and director of the cybersecurity graduate program. His interests include information systems security and privacy, e-business, and human–computer interaction. He is currently a senior editor for the Information Systems Journal and Transactions on Human-Computer Interaction.Robert Willison is a professor of management at Xi’an Jiaotong–Liverpool University. He received his PhD in information systems from the London School of Economics. His research focuses on insider computer abuse, information security policy compliance/noncompliance, software piracy, and cyber-loafing. His research has appeared in refereed academic journals such as MIS Quarterly, Journal of the Association for Information Systems, Information Systems Journal, and others.

The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context

The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context

Antecedents for enhanced level of cyber-security in organisations

Purpose

The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.

Design/methodology/approach

The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).

Findings

The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.

Research limitations/implications

This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.

Originality/value

The originality of this research is combining both technical and human resource perspective in identifying the determinants of enhanced level of cyber-security in the organisations.

The influence of organisational culture and information security culture on employee compliance behaviour

Purpose

Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.

Design/methodology/approach

A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.

Findings

Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.

Practical implications

Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.

Originality/value

This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.

Organizational Adoption of Information Security Solutions

Information systems literature has cast organizational information security practices as a form of innovation. Using the notions of innovation adoption and diffusion of innovations, this paper develops an integrative model grounded in two theoretical perspectives- diffusion of innovation theory and the technologyorganization- environment framework-to examine the adoption of information security solutions (ISS) in organizations. We specify four innovation characteristics that are specific to ISS (compatibility, complexity, costs, and perceived gain), two organizational factors (organizational readiness and top management support), and two environmental factors (external pressure and visibility) as influential toward ISS adoption. We tested our model using data collected through a survey of 368 information systems managers in North American organizations. Our findings are insightful and have important theoretical and practical implications. Overall, the results suggest that organizational and environmental factors contribute to the extent of ISS adoption above and beyond characteristics of ISS themselves. The results are consistent across two measures of ISS adoption- perceived and (self-reported) actual-thereby supporting the robustness of our findings.

Theory borrowing in IT-rich contexts: Lessons from IS strategy research

While indigenous theorizing in information systems has clear merits, theory borrowing will not, and should not, be eschewed given its appeal and usefulness. In this article, we aim at increasing our understanding of modifying of borrowed theories in IT-rich contexts. We present a framework in which we discuss how two recontextualization approaches of specification and distinction help with increasing the IT-richness of borrowed constructs and relationships. In doing so, we use several illustrative examples from information systems strategy. The framework can be used by researchers as a tool to explore the multitude of ways in which a theory from another discipline can yield the understanding of IT phenomena.

Smart City Development in Taiwan: From the Perspective of the Information Security Policy

A smart city is developed through the Internet of Things (IoT), cloud computing, big data, mobile Internet, and other new generation technologies regarding information and communication, and data resources in various fields are integrated and applied. The issue of information security in the network era is the strategic focus, as well as the focus of people’s attention, during Taiwan’s smart city construction. Information security policies are the information security guidelines for organizations, and are key to the organization’s information security performance; moreover, such policies show the organization’s support and commitment to the information security of smart cities. This paper discusses the model of information security policy in Taiwan’s smart cities, uses Path Analysis to explore the characteristics of information security policy in smart cities, and examines the relationship between the formulation, implementation, maintenance, and effectiveness of information security policies. Furthermore, this study examines the impact on the effectiveness of organizational information security policies and information security performance from the following aspects: The length of information security policy publication time, policy review, policy advocacy, employee compliance, fair law enforcement, etc., which are all concrete manifestations of the formulation, implementation, and maintenance of information security policy models. Through a questionnaire survey, the correlation between various assumptions, as well as the relationship between organizational information security characteristics, information security policies, and the effectiveness of information security, are verified one by one during the implementation of information security policies. Finally, conclusions and implications are put forward.

Information system security policy noncompliance: the role of situation-specific ethical orientation

Purpose

This study examines how neutralization strategies affect the efficacy of information system security policies. This paper proposes that neutralization strategies used to rationalize security policy noncompliance range across ethical orientations, extending from those helping the greatest number of people (ethics of care) to those damaging the fewest (ethics of justice). The results show how noncompliance differs between genders based on those ethical orientations.

Design/methodology/approach

A survey was used to measure information system security policy noncompliance intentions across six different hypothetical scenarios involving neutralization techniques used to justify noncompliance. Data was gathered from students at a mid-western, comprehensive university in the United States.

Findings

The empirical analysis suggests that gender does play a role in information system security policy noncompliance. However, its significance is dependent upon the underlying neutralization method used to justify noncompliance. The role of reward and punishment is contingent on the situation-specific ethical orientation (SSEO) which in turn is a combination of internal ethical positioning based on one's gender and external ethical reasoning based on neutralization technique.

Originality/value

This study extends ethical decision-making theory by examining how the use of punishments and rewards might be more effective in security policy compliance based upon gender. Importantly, the study emphasizes the interplay between ethics, gender and neutralization techniques, as different ethical perspectives appeal differently based on gender.

What do we know about information security governance?

Purpose

This paper aims to review the information security governance (ISG) literature and emphasises the tensions that exist at the intersection of the rapidly changing business climate and the current body of knowledge on ISG.

Design/methodology/approach

The intention of the authors was to conduct a systematic literature review. However, owing to limited empirical papers in ISG research, this paper is more conceptually organised.

Findings

This paper shows that security has shifted from a narrow-focused isolated issue towards a strategic business issue with “from the basement to the boardroom” implications. The key takeaway is that protecting the organisation is important, but organizations must also develop strategies to ensure resilient businesses to take advantage of the opportunities that digitalization can bring.

Research limitations/implications

The concept of DSG is a new research territory that addresses the limitations and gaps of traditional ISG approaches in a digital context. To this extent, organisational theories are suggested to help build knowledge that offers a deeper understanding than that provided by the too often used practical approaches in ISG research.

Practical implications

This paper supports practitioners and decision makers by providing a deeper understanding of how organisations and their security approaches are actually affected by digitalisation.

Social implications

This paper helps individuals to understand that they have increasing rights with regard to privacy and security and a say in what parties they assign business to.

Originality/value

This paper makes a novel contribution to ISG research. To the authors’ knowledge, this is the first attempt to review and structure the ISG literature.

Organizational practices as antecedents of the information security management performance

Purpose

The purpose of this paper is to expand current knowledge about the security organizational practices and analyze its effects on the information security management performance.

Design/methodology/approach

Based on the literature review, the authors propose a research model together with hypotheses. The survey questionnaires were developed to collect data, which then validated the measurement model. The authors collected 111 responses from CEOs at manufacturing small- and medium-sized enterprises (SMEs) that had already implemented security policies. The hypothesized relationships were tested using the structural equation model approach with EQS 6.1 software.

Findings

Results validate that information security knowledge sharing, information security education and information security visibility, as well as security organizational practices, have a positive effect on the information security management performance.

Research limitations/implications

The consideration of organizational aspects of information security should be taken into account by academics, practitioners and policymakers in SMEs. Besides, the work helps validate novel constructs used in recent research (information security knowledge sharing and information security visibility).

Practical implications

The authors extend previous works by analyzing how security organizational practices affect the performance of information security. The results suggest that an improved performance of information security in the industrial SMEs requires innovative practices to foster knowledge sharing among employees.

Originality/value

The literature recognizes the need to develop empirical research on information security focused on SMEs. Besides the need to identify organizational practices that improve information security, this paper empirically investigates SMEs’ organizational practices in the security of information and analyzes its effects on the performance of information security.

Information security climate and the assessment of information security risk among healthcare employees

Since 2009, over 176 million patients in the United States have been adversely impacted by data breaches affecting Health Insurance Portability and Accountability Act-covered institutions. While the popular press often attributes data breaches to external hackers, most breaches are the result of employee carelessness and/or failure to comply with information security policies and procedures. To change employee behavior, we borrow from the organizational climate literature and introduce the Information Security Climate Index, developed and validated using two pilot samples. In this study, four categories of healthcare professionals (certified nursing assistants, dentists, pharmacists, and physician assistants) were surveyed. Likert-type items were used to assess the Information Security Climate Index, information security motivation, and information security behaviors. Study results indicated that the Information Security Climate Index was related to better employee information security motivation and information security behaviors. In addition, there were observed differences between occupational groups with pharmacists reporting a more favorable climate and behaviors than physician assistants.