Excerpt from "Establishing information security policy compliance culture in organizations"
Author: Eric Amankwa, Marianne Loock, and Elmarie Kritzinger Publication: Information & Computer Security Vol. 26 No. 4, 2018, pp. 420-436
This research proposed the establishment of ISPCC (Information Security Policy Compliance Culture) as a novel approach to address employees’ non-compliance with ISP by investigating the effects of leadership, end-user involvement and supportive organizational culture on attitudes. First, we found that compliance leadership had no significant influence on employees’ attitudes towards compliance. This implies that the compliance intentions of subordinate employees may not necessarily increase with the existence of compliance leadership in the organization. Nonetheless, management could encourage compliance from peers by identifying and tasking all leaders (managers or heads of departments) across the organization to demonstrate ISP compliant behaviour intentions to motivate their peers. Employees have been shown to display the tendency to act consistently with peer behaviour (Hwang et al., 2017), therefore management should nurture a security culture that motivates compliance from peers.
Second, the results of the study showed that involving end-users in the process of developing ISPs could have significant influence on attitudes towards compliance. Therefore, organizational management should provide a platform to solicit for end-users’ views on existing security policies and during the drafting of new policies. Management could task all unit heads or managers to discuss at workshops or seminars the rules and procedures for safeguarding information assets with the aim to ensure user involvement. Employees should be encouraged to report challenges with the existing ISPs and suggest possible solutions to circumvent the challenge while protecting information assets.
Third, the results of the study indicated that management could leverage existing organizational culture to influence employees’ attitudes towards compliance with ISP. Management should ensure that existing ISP reflects the organization’s vision and strategies of information security. Management should promote ISP through awareness campaigns in the form of seminars, workshops and publication on Web portals. Management should then establish a system for monitoring compliance and deviations from the approved rules and procedures and this would shape employees’ behaviour intentions towards compliance with ISP. Over a period of time the majority of employees will share the IS values, perceptions and policy principles as enshrined in the ISP document, causing a compliance culture to emerge.
Further, employees’ attitudes towards compliance with ISP and behavioural intentions have statistically shown positive influence on the establishment of ISPCC in organizations. Given this result, management should introduce awareness and training programs that emphasize the importance of compliance with ISP. Also, management should clearly define employees’ roles and responsibilities in respect of information security. Further, effective activity monitoring in respect of ISP compliance should be put in place to ensure proper accountability of assigned roles and responsibilities. Finally, management should appoint an individual responsible for compliance checking in the organization. Implementing these recommendations will therefore nurture a culture where employees illustrate attitudes, behaviour intentions, assumptions, beliefs and values that are conducive for the protection of information assets in the organization.
Finally, in line with the proposed research model and results from the field survey, this study suggests that management consider addressing the problem of employees’ non- compliance with ISP by establishing ISPCC in organization. To do this, management should involve end-users during the development of new and revision of existing ISP, encourage all in leadership positions to demonstrate leadership support during ISP implementation and nurture a culture that is conducive for ISP compliance in the organization. Management should also convince employees that complying with ISP to protect information assets is one of the performance factors for promotions and other rewards. Therefore, opportunities should be provided for all employees to better understand existing ISP and accompanying security practices and implications.