
Fostering information security policies compliance with ISA-95-based framework: an empirical study of oil and gas employees

  • Regular Contribution
  • International Journal of Information Security

Abstract

Oil and gas (O&G) organizations are progressively being digitalized in order to facilitate substantial information flow to remain competitive in the information age. This critical sector is spearheading the establishment of technical security measures to mitigate information security risks, yet employee behavioral influence remains an ongoing challenge in assuring information security. Existing studies of this domain primarily focus on reshaping employee behavior through multiple psychological theories. However, these studies ignore how these critical infrastructures implement information security. Most such infrastructures follow the International Society of Automation (ISA)-95 levels of automation and implement information security controls in line with these levels. This research paper proposed a theoretical framework to enhance information security policy compliance (ISPC) from automation level 4 to level 2 in O&G organizations. To support the hypotheses, data were collected from 13 Malaysian O&G organizations. A total of 254 O&G employees participated in the survey, and the structural equation modeling technique was used for data analysis. The study confirmed that ISA-95-based organizational governance factors and social bonding could enhance ISPC in O&G organizations. However, risk assessment and involvement factors showed less support for this notion. For information systems practitioners, this study has shown how to enhance ISPC in O&G organizations through ISA-95-based organizational governance and social bonding.


Research data policy/Data availability statement

The data that support the findings of this study are available from PETRONAS Malaysia Sdn Bhd, but restrictions apply to the availability of these data, which were used under license for the current study and so are not publicly available. The data are, however, available from the authors upon reasonable request and with the permission of PETRONAS Malaysia Sdn Bhd.


Funding

This work was supported in part by YUTP-FRG Grant 015LCO-171. PETRONAS Govt of Malaysia.

Author information

Contributions

Conceptualization, RFA and PDDD; methodology, RFA and SN; software, SH; validation, RFA and SH; formal analysis, RFA, PDDD and SN; data curation, RFA and PDDD; writing—original draft preparation, RFA and PDDD; writing—review and editing, PDDD and SH; visualization, RFA and SH; supervision, PDD Dominic; project administration, RFA and PDDD; funding acquisition, PDDD.

Corresponding author

Correspondence to P. D. D. Dominic.

Ethics declarations

Conflict of interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Ethical statement

The authors consciously assure that this is the authors' own original work, which has not been previously published elsewhere. The paper is not currently being considered for publication elsewhere. The paper reflects the authors' own research and analysis in a truthful and complete manner. The paper properly credits the meaningful contributions of co-authors and co-researchers. The results are appropriately placed in the context of prior and existing research. All authors have been personally and actively involved in substantial work leading to the paper and will take public responsibility for its content.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Faizan Ali, R., Dominic, P.D.D., Hina, S. et al. Fostering information security policies compliance with ISA-95-based framework: an empirical study of oil and gas employees. Int. J. Inf. Secur. 23, 1197–1213 (2024). https://doi.org/10.1007/s10207-023-00786-9

  • DOI: https://doi.org/10.1007/s10207-023-00786-9
