A Composite Framework to Promote Information Security Policy Compliance in Organizations

  • Conference paper
  • Published in: Innovation in Information Systems and Technologies to Support Learning Research (EMENA-ISTL 2019)

Abstract

Information security policy (ISP) noncompliance continues to impede information security in organizations. This paper consolidates the strengths of previous studies into a single, effective solution. The paper first synthesizes the existing literature and groups the relevant ISP compliance factors into user involvement, personality types, security awareness and training, behavioral factors, and information security culture. Secondly, a generic framework that guides the development of frameworks for ISP compliance in organizations was developed on the basis of the literature review. The generic framework categorizes the elements required for developing an ISP compliance framework into structure, content and outcome elements. Thirdly, the generic framework was applied to develop a composite ISP compliance framework that proposes establishing ISP compliance as a culture in organizations. Finally, the results of the expert review assessment showed that the proposed composite ISP compliance framework was suitable, structurally sound and fit for purpose.



Corresponding author

Correspondence to Eric Amankwa.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Amankwa, E., Loock, M., Kritzinger, E. (2020). A Composite Framework to Promote Information Security Policy Compliance in Organizations. In: Serrhini, M., Silva, C., Aljahdali, S. (eds) Innovation in Information Systems and Technologies to Support Learning Research. EMENA-ISTL 2019. Learning and Analytics in Intelligent Systems, vol 7. Springer, Cham. https://doi.org/10.1007/978-3-030-36778-7_51
