Abstract
Oil and gas (O&G) organizations are progressively being digitalized to facilitate the substantial information flow needed to remain competitive in the information age. This critical sector is spearheading the establishment of technical security measures to mitigate information security risks, yet the influence of employee behavior remains an ongoing challenge in assuring information security. Existing studies in this domain primarily focus on reshaping employee behavior through multiple psychological theories. However, these studies ignore how these critical infrastructures implement information security. Most such infrastructures follow the International Society of Automation (ISA)-95 levels of automation and implement information security controls in line with these levels. This paper proposes a theoretical framework to enhance information security policy compliance (ISPC) at automation levels 4 to 2 in O&G organizations. To support the hypotheses, data were collected from 13 Malaysian O&G organizations. A total of 254 O&G employees participated in the survey, and the structural equation modeling technique was used for data analysis. The study confirmed that ISA-95-based organizational governance factors and social bonding could enhance ISPC in O&G organizations. However, the risk assessment and involvement factors showed less support for this notion. For information systems practitioners, this study shows how to enhance ISPC in O&G organizations through ISA-95-based organizational governance and social bonding.
Research data policy/Data availability statement
The data that support the findings of this study are available from PETRONAS Malaysia Sdn Bhd, but restrictions apply to the availability of these data, which were used under license for the current study and so are not publicly available. The data are, however, available from the authors upon reasonable request and with the permission of PETRONAS Malaysia Sdn Bhd.
Funding
This work was supported in part by YUTP-FRG Grant 015LCO-171. PETRONAS Govt of Malaysia.
Author information
Contributions
Conceptualization, RFA and PDDD; methodology, RFA and SN; software, SH; validation, RFA and SH; formal analysis, RFA, PDDD and SN; data curation, RFA and PDDD; writing—original draft preparation, RFA and PDDD; writing—review and editing, PDDD and SH; visualization, RFA and SH; supervision, PDD Dominic; project administration, RFA and PDDD; funding acquisition, PDDD.
Ethics declarations
Conflict of interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Ethical statement
The authors consciously assure that this is the authors' own original work, which has not been previously published elsewhere. The paper is not currently being considered for publication elsewhere. The paper reflects the authors' own research and analysis in a truthful and complete manner. The paper properly credits the meaningful contributions of co-authors and co-researchers. The results are appropriately placed in the context of prior and existing research. All authors have been personally and actively involved in substantial work leading to the paper and will take public responsibility for its content.
About this article
Cite this article
Faizan Ali, R., Dominic, P.D.D., Hina, S. et al. Fostering information security policies compliance with ISA-95-based framework: an empirical study of oil and gas employees. Int. J. Inf. Secur. 23, 1197–1213 (2024). https://doi.org/10.1007/s10207-023-00786-9
DOI: https://doi.org/10.1007/s10207-023-00786-9