A Conceptual Analysis about the Organizational Impact of Compliance on Information Security Policy

  • Maurizio Cavallari
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 103)

Abstract

Protection of data and information security are crucial to business processes and include technical, sociological and organizational aspects. The purpose of this paper is to explore the importance of information security policy and organizational compliance within a socio-technical framework. Citing come of the major compliance acts in the United States, this paper examines how the need arose for information security compliance and the antecedents that made compliance mandatory for organizations. This would apply to any organization, in whichever other country, within its legal compliance framework. A discussion follows to help shed light on how both individual employees and the organization as a whole often fail to implement a satisfactory compliance initiative. Finally, the research presents a set of key factors that influence successful implementation of information system security Compliance into the information security policy (ISP), along with what actions should be taken to make compliance a competitive advantage for the organization, taking advantage of the particular relationship between compliance and ISP.

Keywords

Compliance information security policy ISP information systems security ISS 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Stanton, J., Stam, K., Mastrangelo, P., Jolton, J.: Analysis of End User Security Behaviors. Computers and Security 24(2), 124–133 (2005)CrossRefGoogle Scholar
  2. 2.
    D’Arcy, J., Hovav, A., Galletta, D.: User Awareness of Security Countermeasures and its Impact on Information Systems Misuse: A Deterrence Approach. Information Systems Research 20(1), 79–98 (2009)CrossRefGoogle Scholar
  3. 3.
    Clemons, E.K., Kimbrough, S.O.: IS for Sustainable Competitive Advantage. Information & Management 11(3), 131–136 (1986)CrossRefGoogle Scholar
  4. 4.
    Kearns, G.S., Lederer, A.L.: A resource-based view of strategic IT alignment: how knowledge sharing creates competitive advantage. Decision Sciences 34(1), 1–29 (2003)CrossRefGoogle Scholar
  5. 5.
    Elliot, S.: Operationalizing Compliance through Business Service Automation (2008), http://www.idc.com (July 30, 2010)
  6. 6.
    Dhillon, G., Backhouse, J.: Current Directions in Information Security Research: Toward Socio-Organizational Perspectives. Information Systems Journal 11(2), 127–153 (2001)CrossRefGoogle Scholar
  7. 7.
    Siponen, M.T., Pahnila, S., Mahmood, A.: Employees’ Adherence to Information Security Policies: An Empirical Study. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds.) New Approaches for Security, Privacy and Trust in Complex Environments. IFIP, vol. 232, pp. 133–144. Springer, Boston (2007)CrossRefGoogle Scholar
  8. 8.
    Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness. MIS Quarterly 34(3), 523–548 (2010)Google Scholar
  9. 9.
  10. 10.
    Siponen, M.T.: An Analysis of the Traditional IS Security Approaches: Implications for Research and Practice. European Journal of Information Systems 14(3), 303–315 (2005)CrossRefGoogle Scholar
  11. 11.
    Schlarman, S.: The IT Compliance Equation: Understanding the Elements. Information Systems Security 16, 224–232 (2007)CrossRefGoogle Scholar
  12. 12.
    Whitman, M.E., Townsend, A.M., Aalberts, R.J.: Information Systems Security and the Need for Policy. In: Dhillon, G. (ed.) Information Security Management – Global Challenges in the Next Millennium, pp. 9–18. Idea Group, London (2001)CrossRefGoogle Scholar
  13. 13.
    Hu, Q., Hart, P., Cooke, D.: The role of external and internal influences on information systems security – a neo-institutional perspective. Journal of Strategic Information Systems 16, 153–172 (2007)CrossRefGoogle Scholar
  14. 14.
    Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A., Boss, R.W.: If Someone Is Watching, I’ll Do What I’m Asked: Mandatoriness, Control, and Information Security. European Journal of Information Systems 18(2), 151–164 (2009)CrossRefGoogle Scholar
  15. 15.
    Cavusoglu, H., Cavusoglu, H., Raghunathan, S.: Economics of IT Security Management: Four Improvements to Current Security Practices. Communications of the Association for Information Systems (14), 65–75 (2004)Google Scholar
  16. 16.
    Ransbotham, S., Mitra, S.: Choice and Chance: A Conceptual Model of Paths to Information Security Compromise. Information Systems Research 20(1), 121–139 (2009)CrossRefGoogle Scholar
  17. 17.
    Elffers, H., Heijden, P., Hezemans, M.: Explaining Regulatory Noncompliance: A Survey Study of Rule Transgression for Two Dutch Instrumental Laws, Applying the Randomized Response Method. Journal of Quantitative Criminology 19(4), 409–439 (2003)CrossRefGoogle Scholar
  18. 18.
    Bhatt, G., Emdad, A., Roberts, N., Grover, V.: Building and leveraging information in dynamic environments: The role of IT infrastructure flexibility as enabler of organizational responsiveness and competitive advantage. Information & Management 47, 341–349 (2010)CrossRefGoogle Scholar
  19. 19.
    Sambamurthy, V., Bharadwaj, A., Grover, V.: Shaping agility through digital options: reconceptualizing the role of information technology in contemporary firms. MIS Quarterly 27(2), 237–263 (2003)Google Scholar
  20. 20.
    Melville, N., Kraemer, K., Gurbaxani, V.: Review: information technology and organizational performance: an integrative model of IT business value. MIS Quarterly 28(2), 283–322 (2004)Google Scholar
  21. 21.
    Warkentin, M., Willison, R.: Behavioral and Policy Issues in Information Systems Security: The Insider Threat. European Journal of Information Systems 18(2), 101–105 (2009)CrossRefGoogle Scholar
  22. 22.
    Vardi, Y., Weitz, E.: Misbehavior in Organizations: Theory, Research, and Management. Lawrence Erlbaum Associates, Hillsdale (2004)Google Scholar
  23. 23.
    Siponen, M.T., Vance, A.: Neutralization: New Insight into the Problem of Employee Information Systems Security Policy Violations. MIS Quarterly 34(3), 487–502 (2010)Google Scholar
  24. 24.
    Straub, D.W.: Effective IS Security: An Empirical Study. Information Systems Research 1(3), 255–276 (1990)CrossRefGoogle Scholar
  25. 25.
    Straub, D.W.: Coping with Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly 22(4), 441–469 (1998)CrossRefGoogle Scholar
  26. 26.
    Cavusoglu, H., Mishra, B., Raghunathan, S.: A Model for Evaluating IT Security Investments. Communications of the ACM 47(7), 87–92 (2004a)CrossRefGoogle Scholar
  27. 27.
    Ponemon, L.: Trends in Insider Compliance with Data Security Policies. Ponemon Institute, USA (2009)Google Scholar
  28. 28.
    Whitman, M.E.: Security Policy: From Design to Maintenance. In: Straub, D.W., Goodman, S., Baskerville, R. (eds.) Information Security: Policy, Processes, and Practices, pp. 123–151. M. E. Sharpe, Armonk (2008)Google Scholar
  29. 29.
    Siponen, M.T.: Designing Secure Information Systems and Software. Oulu University Press, Oulu (2002)Google Scholar
  30. 30.
    Dhillon, G.: Managing Information System Security. Macmillan, London (1997)CrossRefGoogle Scholar
  31. 31.
    Thomson, M.E., von Solms, R.: Information Security Awareness: Educating Your Users Effectively. Information Management and Computer Security 6(4), 167–173 (1998)CrossRefGoogle Scholar
  32. 32.
    Doherty, N.F., Fulford, H.: Aligning the Information Security Policy with the Strategic Information Systems Plan. Computers and Security 25(1), 55–63 (2006)CrossRefGoogle Scholar
  33. 33.
    Ernst & Young. Ernst & Young 2009 12th annual global information security survey, Outpacing change (2009), http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf (October 10, 2010)
  34. 34.
    Gordon, L.A., Loeb, M.P., Lucyshyn, W., Richardson, R.: CSI/FBI Computer Crime and Security Survey, Computer Security Institute (2006), http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf (October 23, 2010)
  35. 35.
    Ponemon, L.: Cyber Security Mega Trends, Ponemon Institute, USA (2009a)Google Scholar
  36. 36.
    Neumann, P.G.: Risks of Insiders. Comunications of the ACM 42(12), 160 (1999)CrossRefGoogle Scholar
  37. 37.
    Anderson, R.J.: Security, Functionality and Scale? In: Atluri, V. (ed.) DAS 2008. LNCS, vol. 5094, p. 64. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  38. 38.
    Stallings, W., Brown, L.: Computer Security: Principles and Practice. Prentice Hall, Upper Saddle River (2008)Google Scholar
  39. 39.
    Bodungen, C., Whitney, J., Paul, C.: SCADA Security Compliance and Liability- A Survival Guide (2008)Google Scholar
  40. 40.
    Drimer, S., Murdoch, S.J., Anderson, R.J.: Thinking Inside the Box: System-Level Failures of Tamper Proofing. In: IEEE Symposium on Security and Privacy, pp. 281–295 (2008)Google Scholar
  41. 41.
    Anderson, R.J.: Technical perspective - A chilly sense of security. Communication of ACM 52(5), 90 (2009)CrossRefGoogle Scholar
  42. 42.
    Murdoch, S.J., Anderson, R.J.: Verified by Visa and MasterCard SecureCode: Or, How Not to Design Authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 336–342. Springer, Heidelberg (2010), http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf CrossRefGoogle Scholar
  43. 43.
    Hayden, L.: Designing Common Control Frameworks: A Model for Evaluating Information Technology Governance, Risk, and Compliance Control Rationalization Strategies. Information Security Journal: A Global Perspective 18, 297–305 (2009)Google Scholar
  44. 44.
    Hartman, B.: Security Compliance in a Virtual World (2009), http://www.rsa.com (July 27, 2010)
  45. 45.
    Springsteel, F.N.: Network Database Systems. Encyclopedia of Information Systems, 267–277 (2004)Google Scholar
  46. 46.
    Dowland, P., Furnell, S., Thuraisingham, B.: Security management, integrity, and internal control in information systems. In: IFIP TC-11 WG 11.1 & WG 11.5 Joint Working Conference (2004)Google Scholar
  47. 47.
    Freeman, E.H.: Regulatory Compliance and the Chief Compliance Officer. Information Systems Security 16, 357–361 (2007)CrossRefGoogle Scholar
  48. 48.
    Papadaki, M., Steven Furnell, S.: Vulnerability management: an attitude of mind? Network Security 2010(10), 4–8 (2010)Google Scholar
  49. 49.
    Storey, D.: Ten consequences of network blindness. Network Security 2010(8), 7–9 (2010)CrossRefGoogle Scholar
  50. 50.
    Danezis, G., Lesniewski-Laas, C., Kaashoek, M.F., Anderson, R.J.: Sybil-resistant DHT Routing. In: De Capitani di Vimercati, S., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 305–318. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  51. 51.
    Eisen, O.: Online security - a new strategic approach. Network Security 2010(7), 14–15 (2010)CrossRefGoogle Scholar
  52. 52.
    Casey, D.: Turning log files into a security asset. Network Security 2008(2), 4–7 (2008)CrossRefGoogle Scholar
  53. 53.
    Lobo, C.: Security Log Management. Network Security 2003(11), 6–9 (2003)CrossRefGoogle Scholar
  54. 54.
    Kaarst-Brown, M.L., Kelly, S.: IT Governance and Sarbanes-Oxley: The latest sales pitch or real challenges for the IT Function? In: Proceedings of the Thirty-Eighth Hawaii on System Sciences, New York (2005)Google Scholar
  55. 55.
    Alter, A.: CIOs Find Compliance Brings Business Benefits (2006a), http://www.cioinsight.com/c/a/Past-News/June-2006-Compliance-Survey-CIOs-Find-Compliance-Brings-Business-Benefits/ (July 27, 2010)
  56. 56.
    HIPAA. Health Insurance Portability and Accountability Action 1996 (P.L.104-191), Security Rule (February 2003), http://en.wikipedia.org/wiki/HIPAA#Security_Rule
  57. 57.
    HITECH. Health Information Technology for Economic and Clinical Health Act, Privacy Requirements (February 2004), http://en.wikipedia.org/wiki/HIPAA#HITECH_Act:_Privacy_Requirements
  58. 58.
    GLB. Gramm–Leach–Bliley Act, aka the Financial Services Modernization Act of 1999, Pub.L. 106-102, 113 Stat. 1338, enacted (November 12, 1999) Google Scholar
  59. 59.
    Alter, A.: Compliance Spending is Leveling Off (2006b), http://www.cioinsight.com/c/a/Past-News/June-2006-Survey-Compliance-Spending-is-Leveling-Off/ (July 27, 2010)
  60. 60.
    Alter, A.: Compliance Remains a Project, Not a Process (2006c), http://www.cioinsight.com/c/a/Past-News/June-2006-Survey-Compliance-Remains-a-Project-Not-a-Process/ (July 29, 2010)
  61. 61.
    Anderson, R.J., Schneier, B.: Economics of Information Security. IEEE Security & Privacy 3(1), 12–13 (2005)CrossRefGoogle Scholar
  62. 62.
    Dhillon, G., Torkzadeh, G.: Value-Focused Assessment of Information System Security in Organizations. In: Storey, V., Sarkar, S., DeGross, J.I. (eds.) Proceedings of the International Conference on Information Systems, ICIS 2001, New Orleans, Louisiana, USA, December 16-19, pp. 561–566. Association for Information System ICIS (2001)Google Scholar
  63. 63.
    Anderson, R.: Information Security Economics - and Beyond. In: van der Meyden, R., van der Torre, L. (eds.) DEON 2008. LNCS (LNAI), vol. 5076, p. 49. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  64. 64.
    Forrester. The Value of Corporate Secrets, Forrester Consulting Thought Leadership Paper (September 30, 2010), http://www.forrester.com
  65. 65.
    Oltsik, J.: Database Security and Compliance Risks, Enterprise Strategy Group Market Research (2009)Google Scholar
  66. 66.
    Pahnila, S., Siponen, M., Mahmood, A.: Employees’ Behavior towards IS Security Policy Compliance. In: Proceedings of the 40th Hawaii International Conference on System Sciences, pp. 156–166. IEEE Computer Society, Los Alamitos (2007)Google Scholar
  67. 67.
    Alter, A.: Data Security Receives a Boost from Compliance Efforts (2006d), http://www.cioinsight.com/c/a/Past-News/June-2006-Survey-Data-Security-Receives-a-Boost-from-Compliance-Efforts/ (July 29, 2010)
  68. 68.
    Siponen, M.T., Mahmood, M.A., Pahnila, S.: Technical opinion - Are employees putting your company at risk by not following information security policies? Commun. ACM 52(12), 145–147 (2009)CrossRefGoogle Scholar
  69. 69.
    Dhillon, G., Siponen, M.T., Sharman, R.: Information Systems Security Management. In: Proceedings of 38th Hawaii International Conference on System Sciences (HICSS-38 2005), January 3-6. IEEE Computer Society, Big Island (2005)Google Scholar
  70. 70.
    Im, G., Baskerville, R.: A Longitudinal Study of Information Systems Threat Categories: The Enduring Problem of Human Error. The DATA BASE for Advances in Information Systems 36(4), 68–79 (2005)CrossRefGoogle Scholar
  71. 71.
    Herath, T., Rao, H.R.: Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organizations. European Journal of Information Systems (18), 106–125 (2009)Google Scholar
  72. 72.
    Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T., Vance, A.: What Levels of Moral Reasoning and Values Explain Adherence to Information Security Rules? An Empirical Study, European Journal of Information Systems (18), 126–139 (2009)Google Scholar
  73. 73.
    Ajzen, I., Fishbein, M.: Understanding Attitudes and Predicting Social Behavior. Prentice- Hall, Englewood Cliffs (1980)Google Scholar
  74. 74.
    Ajzen, I.: Theory of Planned Behavior. Organizational Behavior and Human Decision Processes 50(2), 179–211 (1991)CrossRefGoogle Scholar
  75. 75.
    Ajzen, I., Albarracin, D.: Predicting and Changing Behavior: A Reasoned Action Approach. In: Ajzen, I., Albarracin, D., Hornik, R. (eds.) Prediction and Change of Health Behavior: Applying the Reasoned Action Approach, pp. 3–21. Lawrence Erlbaum & Associates, Hillsdale (2007)Google Scholar
  76. 76.
    Mathieson, K., Peacock, E., Chin, W.: Extending the Technology Acceptance Model: The Influence of Perceived User Resources. The Database for Advances in Information Systems 32(3), 86–112 (2001)CrossRefGoogle Scholar
  77. 77.
    Fishbein, M.: A Reasoned Action Approach: Some Issues, Questions, and Clarifications. In: Ajzen, I., Albarracin, D., Hornik, R. (eds.) Prediction and Change of Health Behavior: Applying the Reasoned Action Approach, pp. 281–296. Lawrence Erlbaum & Associates, Hillsdale (2007)Google Scholar
  78. 78.
    Lee, J., Lee, Y.: A Holistic Model of Computer Abuse Within Organizations. Information Management and Computer Security 10(2/3), 57–63 (2002)CrossRefGoogle Scholar
  79. 79.
    Boss, S.R., Kirsch, L.J.: The Last Line of Defense: Motivating Employees to Follow Corporate Security Guidelines. In: Proceedings of the 28th International Conference on Information Systems, December 9-12 (2007)Google Scholar
  80. 80.
    West, R.: The Psychology of Security. Communications of the ACM 51(4), 34–40 (2008)CrossRefGoogle Scholar
  81. 81.
    GAO. United States Government Accountability Office, GAO 08-280, Report to the Chairman of Securities and Exchange Commission, Information Security, Securities and Exchange Commission Needs to Continue to Improve Its Program, (February 2008), http://www.gao.gov/new.items/d08280.pdf (October 15, 2010)
  82. 82.
    Siponen, M.T., Pahnila, S., Mahmood, A.: Compliance with Information Security Policies: An Empirical Investigation. IEEE Computer 43(2), 64–71 (2010)CrossRefGoogle Scholar
  83. 83.
    Dinev, T., Hu, Q.: The Centrality of Awareness in the Formation of User Behavioral Intention toward Protective Information Technologies. Journal of the Association for Information Systems 8(7), 386–408 (2007)Google Scholar
  84. 84.
    CSI. 4th Annual CSI Computer Crime and Security Survey, Executive Summary (March 13, 2010), http://www.personal.utulsa.edu/~james-childress/cs5493/CSISurvey/CSISurvey2009.pdf
  85. 85.
    Tarn, J.M., Raymond, H., Razi, M., Han, T.B.: Exploring information security compliance in corporate IT governance. Human Systems Management 28, 131–140 (2009)Google Scholar
  86. 86.
    Rau, K.G.: Effective Governance of IT: Design Objectives, Roles and Relationships. Information Systems Management 21(4), 35 (2004)CrossRefGoogle Scholar
  87. 87.
    Pavlou, P.A., El Sawy, O.A.: From IT leveraging competence to competitive advantage in turbulent environments: the case of new product development. Information Systems Research 17(3), 198–227 (2006)CrossRefGoogle Scholar
  88. 88.
    Dehning, B., Stratopoulos, T.: Determinants of a Sustainable Competitive Advantage Due to an IT-enabled Strategy. Journal of Strategic Information Systems 12 (2003)CrossRefGoogle Scholar
  89. 89.
    Järvinen, P.: The new classification of research approaches. In: Zemanek, H. (ed.) The IFIP Pink Summary – 36 years of IFIP, Austria. IFIP, pp. 124–131 (1997)Google Scholar
  90. 90.
    Järvinen, P.: Research questions guiding selection of an appropriate research method. In: Proceedings of the 8th European Conference on Information Systems (ECIS), Vienna, Austria (2000)Google Scholar
  91. 91.
    Mautner, T.: A dictionary of philosophy. Blackwell Publishers Ltd., Oxford (1996)Google Scholar
  92. 92.
    Walsham, G.: The emergence of interpretivism in IS research. Information Systems Research (6), 376–394 (1996)Google Scholar
  93. 93.
    Cole, M., Avison, D.: The potential of hermeneutics in information systems research. European Journal of Information Systems 16(6), 820–833 (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Maurizio Cavallari
    • 1
  1. 1.Dept. of Business AdministrationCatholic UniversityMilanItaly

Personalised recommendations