Abstract
Information security is an important aspect of every organisation today, specifically in Sub-Saharan African (SSA) countries, whose economies are perceived to be a growing home ground for cyber criminals. Whilst studies on information security policies (ISP) have offered understanding as to why threat agents do not comply with ISP, this understanding comes mainly from the developed economies, thereby giving a generalised view of ISP compliance. This study identifies the factors influencing ISP compliance within emerging economies of SSA. Following a literature review synthesis of the information security terrain, the findings show that ISP compliance is influenced by three main factors: individual characteristics, organisational characteristics and environmental characteristics. Further, the findings show how the lack of institutional structures that require organisations to abide by both normative and cohesive pressure influences organisations not to seek information security legitimacy. This then influences how threat agents respond to ISP compliance. The implications of these findings for practice and policy are highlighted.
Copyright information
© 2022 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Kabanda, S., Mogoane, S.N. (2022). A Conceptual Framework for Exploring the Factors Influencing Information Security Policy Compliance in Emerging Economies. In: Sheikh, Y.H., Rai, I.A., Bakar, A.D. (eds) e-Infrastructure and e-Services for Developing Countries. AFRICOMM 2021. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 443. Springer, Cham. https://doi.org/10.1007/978-3-031-06374-9_13
DOI: https://doi.org/10.1007/978-3-031-06374-9_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-06373-2
Online ISBN: 978-3-031-06374-9
eBook Packages: Computer Science, Computer Science (R0)