Building an awareness-centered information security policy compliance model

Pages: 231-247
Published date: 04 December 2019
DOI: https://doi.org/10.1108/IMDS-07-2019-0412
Authors: Alex Koohang, Jonathan Anderson, Jeretta Horn Nord, Joanna Paliszkiewicz
Subject matter: Information & knowledge management; Information systems; Data management systems; Knowledge management; Knowledge sharing; Management science & operations; Supply chain management; Supply chain information systems; Logistics; Quality management/systems

Alex Koohang and Jonathan Anderson
Middle Georgia State University, Macon, Georgia, USA
Jeretta Horn Nord
Oklahoma State University, Stillwater, Oklahoma, USA, and
Joanna Paliszkiewicz
Department of Economics, Warsaw University of Life Sciences, Warsaw, Poland
Abstract
Purpose – The purpose of this paper is to build an awareness-centered information security policy (ISP) compliance model, asserting that awareness is the key to ISP compliance and that awareness depends upon several variables that influence successful ISP compliance.
Design/methodology/approach – The authors built a model with seven constructs, i.e., leadership, trusting beliefs, information security issues awareness (ISIA), ISP awareness, understanding resource vulnerability, self-efficacy (SE) and intention to comply. Seven hypotheses were stated. A sample of 285 non-management employees was used from various organizations in the USA. The authors used path modeling to analyze the data.
Findings – The findings indicated that IS awareness depends on effective organizational leadership and elevated employees' trusting beliefs. The understanding of resource vulnerability (URV) and SE are influenced by IS awareness resulting from effective leadership and elevated employees' trusting beliefs, which guide employees to comply with ISP requirements.
Practical implications – Practical implications were aimed at organizations embracing an awareness-centered information security compliance program to secure organizations' assets against threats by implementing various security education and training awareness programs.
Originality/value – This paper asserts that awareness is central to ISP compliance. Leadership and trusting beliefs variables play significant roles in information security awareness, which in turn positively affects employees' URV and SE variables, leading employees to comply with the ISP requirements.
Keywords Compliance, Leadership, Trust, Awareness, Information security policy
Paper type Research paper
1. Introduction
Information security within any organization must be a top strategic priority both for the IT
security personnel and the top management (Safa et al., 2016). Information security
embraces both technical and non-technical measures. The technical measures to safeguard
information security within organizations are related to the hardware, e.g., installing
firewalls, deploying antivirus software, using data backup, implementing access control
procedures, using encryption and continuously monitoring the system against all types of
threats (Ifinedo, 2012). Non-technical measures include behavioral measures that are related
to individual and organizational issues (Ifinedo, 2014). These measures incorporate
sociological, psychological and organizational behavior theories into information security to
improve information security policy (ISP) compliance (Ifinedo, 2014).
ISP assists users to effectively protect their systems. ISP refers to guidelines, requirements and rules that are set forward by management to target employees' behaviors that enhance the organization's information security (Ifinedo, 2014). Nieles et al. (2017, p. 26) define ISP as the "[...] aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information."

Industrial Management & Data Systems, Vol. 120 No. 1, 2020, pp. 231-247. © Emerald Publishing Limited. ISSN 0263-5577. DOI 10.1108/IMDS-07-2019-0412.
Received 4 August 2019. Revised 29 October 2019. Accepted 9 November 2019.
The current issue and full text archive of this journal is available on Emerald Insight at: www.emeraldinsight.com/0263-5577.htm
The importance of information security compliance in organizations is evident in the literature. To protect an organization's assets against security threats, employees must comply with the organization's ISP. Non-compliance with ISP results in risks to organizational operations and assets. Research, in general, agrees that security risks can be devastating to organizations (e.g. Bulgurcu et al., 2010; Vance et al., 2012; Posey et al., 2014). Employee compliance with the organization's ISP minimizes these risks (Furnell and Rajendran, 2012).
Various ISP compliance models have been presented in the literature (e.g. Ifinedo, 2012,
2018; Moody et al., 2018; Bulgurcu et al., 2010). For example, Bulgurcu et al. (2010) proposed
an ISP compliance model that included variables such as self-efficacy (SE), understanding
the vulnerability of resources and awareness.
In the present study, via path modeling, we build an awareness-centered ISP compliance
model with seven constructs. Our basic premise is that awareness is the key to ISP
compliance and that awareness depends on several variables that lead to successful ISP
compliance. Five of the seven constructs, i.e., information security issues awareness (ISIA),
ISP awareness (ISPA), understanding of resource vulnerability (URV), SE and intention to
comply have been studied in previous research (e.g. Bulgurcu et al., 2010). However, the
variables of leadership and trusting beliefs have not been extensively studied in relation to
employees' compliance with the ISP. Young and Windsor (2010) asserted that leadership
plays a vital role in information security planning within organizations and Von Solms and
Von Solms (2004) stated that security culture within an organization should include a shared
belief of information security that is advanced by education among employees within the
organization. Furthermore, Paliszkiewicz (2019) stated that leadership regarding the
organization's ISP is influenced by employees' trusting beliefs and that trust among
employees should be promoted by leadership.
2. Literature review and theoretical foundations
2.1 Leadership and trust
Northouse (2010) asserted that leadership is about influencing people to accomplish
common goals within organizations. Effective leadership encompasses safeguarding the
organization's advancement and improving productivity (Koohang et al., 2017). In the
context of ISP, most research in information security has mainly focused on employees'
behaviors toward information security, where employees are the weakest link in
the protection of information security (Bulgurcu et al., 2010; Siponen and Vance, 2010;
Hu et al., 2012). Nevertheless, Von Solms and Von Solms (2004) asserted that leadership
plays a vital role in information security within organizations and that leadership must take
the responsibility of governing information security in organizations. Dutta and McCrohan
(2002) argued that information security is a top management issue. Commitment and
effective leadership from the top management support implementation and enforcement of
ISP within organizations (Kayworth and Whitten, 2010; Siponen and Oinas-Kukkonen, 2007;
Yildirim et al., 2011).
Young and Windsor (2010) stated that top management/leadership plays a vital role in IS
planning and that effective information security management should be a well-rounded
security strategy that can be evaluated for effectiveness and its value to the organization.
According to Mayer et al. (1995), trust is defined as the willingness to be vulnerable based
on positive expectations about the actions of others. Many studies have shown that trust
includes three characteristics of competence, benevolence and integrity (e.g. Mayer et al.,
1995; Frazier et al., 2010; Mayer and Davis, 1999; Mayer and Gavin, 2005). McKnight et al.
(2002) believed that competence trust is the ability of the trustee to execute responsibilities
related to his or her job. These abilities are assisting people to learn new skills, affording