A Conceptual Model for Promoting Information Security Policy Compliance Behaviour at Workplace

  • Allen Peter Diman
  • Titik Khawa Abdul Rahman

Abstract

Securing sensitive and critical information is a significant challenge for many organisations, as leaks can cause financial, reputational, and competitiveness losses. Organisations can implement an Information Security Policy (ISP) that employees must comply with to minimise this risk. However, ensuring compliance with the ISP continues to be a problem. To address this issue, a conceptual model is proposed that organisations can use to promote ISP compliance behaviour among their employees. The model is derived from the Health Action Process Approach (HAPA) Model and consists of two phases, motivational and volitional, which are expected to cover the elements needed to bring about behavioural change towards ISP compliance. The model's multi-process approach, covering critical aspects such as risk assessment, self-efficacy, initiation, and maintenance, enables it to serve as a platform for organisations to sustain ISP compliance over the long term. To implement the model, organisations can conduct employee assessments and provide ISP compliance training and awareness campaigns. They can also disseminate cues about information security issues and how the ISP can assist employees in handling them, discourage behaviour that leads to complacency towards ISP compliance, and update the ISP to keep it relevant. The proposed model presents an opportunity for future research to evaluate its applicability in organisational settings.

Published
2024-07-31
How to Cite
Peter Diman, A., & Abdul Rahman, T. K. (2024). A Conceptual Model for Promoting Information Security Policy Compliance Behaviour at Workplace. International Journal of Business and Technology Management, 6(2), 324–337. ISSN 2682-7646. Available at: https://myjms.mohe.gov.my/index.php/ijbtm/article/view/27276