1
Kraushaar J, Bohnet-Joschko S. The Role of the Organization in Promoting Information Security-Related Behavior Among Resident Physicians in Hospitals in Germany: Cross-Sectional Questionnaire Study. J Med Internet Res 2025; 27:e46257. [PMID: 39773548 PMCID: PMC11751644 DOI: 10.2196/46257] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 02/03/2023] [Revised: 03/30/2024] [Accepted: 10/11/2024] [Indexed: 01/11/2025] Open
Abstract
BACKGROUND Nowadays, optimal patient care should be based on data-driven decisions. In the course of digitization, hospitals, in particular, are becoming complex organizations with an enormously high density of digital information. Ensuring information security is, therefore, essential and has become a major challenge. Researchers have shown that, in addition to technological and regulatory measures, it is also necessary for all employees to follow security policies and consciously use information technology (compliance), because noncompliance can lead to security breaches with far-reaching consequences for the organization. There is little empirical research on information security-related behavior in hospitals and its organizational antecedents.
OBJECTIVE This study aimed to explore the impact of specific job demands and resources on resident physicians' information security-related compliance in hospitals through the mediating role of work engagement and information security-related awareness.
METHODS We used a cross-sectional, survey-based study design to collect relevant data from our target population, namely resident physicians in hospitals. For data analysis, we applied structural equation modeling. Our research model consisted of a total of 7 job demands and resources as exogenous variables, 2 mediators, and information security-related compliance as the endogenous variable.
RESULTS Overall, data from 281 participating physicians were included in the analyses. Both mediators, work engagement and awareness, had a significant positive effect on information security-related compliance (β=.208, P=.001 vs β=.552, P<.001). Quality of leadership was found to be the only resource with a significant indirect effect on physicians' compliance, mediated by work engagement (β=.086, P=.03). Furthermore, awareness mediated the relationships between information security-related communication and information security-related compliance (β=.192, P<.001), as well as between further education and training and the endogenous variable (β=.096, P=.02). Contrary to our hypothesis, IT resources had a negative effect on compliance, mediated by awareness (β=-.114, P=.02).
CONCLUSIONS This study provides new insights into how a high standard of information security compliance among resident physicians could be achieved through strengthening physicians' security work engagement and awareness. Hospital management is required to establish an information security culture that is informative and motivating and that raises awareness. Particular attention should be paid to the quality of leadership, further education and training, as well as clear communication.
Affiliation(s)
- Judith Kraushaar
  - Chair of Healthcare Management and Innovation, Faculty of Management, Economics and Society, Witten/Herdecke University, Witten, Germany
- Sabine Bohnet-Joschko
  - Chair of Healthcare Management and Innovation, Faculty of Management, Economics and Society, Witten/Herdecke University, Witten, Germany
2
Chang T, Wu Y, Deng X, Wang X, Yan Y. The impact of environmental stimuli on the psychological and behavioral compliance of international construction employees. Front Psychol 2024; 15:1395400. [PMID: 38919802 PMCID: PMC11196848 DOI: 10.3389/fpsyg.2024.1395400] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 03/07/2024] [Accepted: 05/29/2024] [Indexed: 06/27/2024] Open
Abstract
Introduction
This study explores the overlooked psychological and behavioral dynamics of employees in compliance management, applying the Stimulus-Organism-Response (SOR) framework to assess environmental stimuli's impact on employees in international construction projects.
Methods
A scenario-based survey involving 270 international construction employees was analyzed using Partial Least Squares Structural Equation Modeling (PLS-SEM) and Necessary Condition Analysis (NCA), focusing on the relationship between environmental stimuli and compliance intentions.
Results
Findings categorize environmental influences on compliance into internal and external organizational dimensions, highlighting the significant impact of internal factors on compliance intentions. Key determinants identified for high compliance intention include individual traits and organizational climate, while project pressures, rules and regulations, and cultural differences show variable influence.
Conclusion
This study enhances the understanding of the psychological factors driving non-compliant behaviors and introduces a binary micro-ecological approach to compliance management, effectively integrating individual and project organizational elements. In contrast to traditional corporate governance approaches, this strategy emphasizes the role of project organizational micro-ecology in the management of international construction projects. The strategy aims to improve compliance management among international contractors by influencing the psychological and behavioral compliance of frontline employees.
Affiliation(s)
- Tengyuan Chang
  - Institute of Human Rights, Law School, Southeast University, Nanjing, China
- Yi Wu
  - China-Pakistan Belt and Road Joint Laboratory on Smart Disaster Prevention of Major Infrastructures, Southeast University, Nanjing, China
- Xiaopeng Deng
  - China-Pakistan Belt and Road Joint Laboratory on Smart Disaster Prevention of Major Infrastructures, Southeast University, Nanjing, China
- Xianru Wang
  - China-Pakistan Belt and Road Joint Laboratory on Smart Disaster Prevention of Major Infrastructures, Southeast University, Nanjing, China
- Yangzhi Yan
  - China-Pakistan Belt and Road Joint Laboratory on Smart Disaster Prevention of Major Infrastructures, Southeast University, Nanjing, China
3
Palanisamy R, Norman AA, Mat Kiah ML. Employees’ BYOD Security Policy Compliance in the Public Sector. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2023. [DOI: 10.1080/08874417.2023.2178038] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 03/06/2023]
4
Bansal G, Thatcher J, Schuetz SW. Where Authorities Fail and Experts Excel: Influencing Internet Users’ Compliance Intentions. Comput Secur 2023. [DOI: 10.1016/j.cose.2023.103164] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 03/05/2023]
5
Alraja MN, Butt UJ, Abbod M. Information security policies compliance in a global setting: An employee's perspective. Comput Secur 2023. [DOI: 10.1016/j.cose.2023.103208] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 03/31/2023]
6
Arfiansyah MR, Ushuluddin A, Affan M, Riyant WF. Intention as a determinant of Islamic work culture in Indonesia based on the modified theory of planned behavior. SOUTH AFRICAN JOURNAL OF HUMAN RESOURCE MANAGEMENT 2023. [DOI: 10.4102/sajhrm.v21i0.2022] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 02/16/2023] Open
7
What are the trend and core knowledge of information security? A citation and co-citation analysis. INFORMATION & MANAGEMENT 2023. [DOI: 10.1016/j.im.2023.103774] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 02/17/2023]
8
COVID-19 pandemic-induced organisational cultural shifts and employee information security compliance behaviour: a South African case study. INFORMATION AND COMPUTER SECURITY 2023. [DOI: 10.1108/ics-09-2022-0152] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 01/19/2023]
Abstract
Purpose
The purpose of this preliminary empirical research study is to understand how environmental disruption such as brought on by the COVID-19 pandemic induces shifts in organisational culture, information security culture and subsequently employee information security compliance behaviour.
Design/methodology/approach
A single-organisation case study was used to develop understanding from direct experiences of organisational life. Both quantitative and qualitative data were collected using a sequential mixed methods approach, with the qualitative phase following the quantitative to achieve complementarity and completeness in analysis. For the quantitative phase, 48 useful responses were received after a questionnaire was sent to all 150–200 employees. For the qualitative phase, eight semi-structured interviews were conducted. Statistical software was used to analyse the quantitative data and NVivo software was used to analyse the qualitative data.
Findings
The pandemic-induced environmental disruption manifested as a sudden shift to work-from-home for employees, and relatedly an increase in cybercrime. The organisational response to this gave rise to shifts in both organisational and information security culture towards greater control (rule and goal orientations) and greater flexibility (support and innovation orientations), most significantly with information security culture flexibility. The net effect was an increase in employee information security compliance.
Originality/value
The vast literature on organisational culture and information security culture was drawn on to theoretically anchor and develop parsimonious measures of information security culture. Environmental disruptions such as those caused by the pandemic are unpredictable and their effects uncertain, hence, the study provides insight into the consequences of such disruption on information security in organisations.
9
Chen X, Tyran CK. A Framework for Analyzing and Improving ISP Compliance. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2023. [DOI: 10.1080/08874417.2022.2161024] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 01/19/2023]
10
Kraushaar J, Bohnet-Joschko S. Smartphone Use and Security Challenges in Hospitals: A Survey among Resident Physicians in Germany. INTERNATIONAL JOURNAL OF ENVIRONMENTAL RESEARCH AND PUBLIC HEALTH 2022; 19:16546. [PMID: 36554426 PMCID: PMC9779689 DOI: 10.3390/ijerph192416546] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Received: 10/21/2022] [Revised: 11/30/2022] [Accepted: 12/05/2022] [Indexed: 06/17/2023]
Abstract
Although mobile devices support physicians in a variety of ways in everyday clinical practice, the use of (personal) mobile devices poses potential risks for information security, data protection, and patient safety in hospitals. We used a cross-sectional survey-based study design to assess the current state of smartphone use among resident physicians in hospitals and to investigate the relationships between working conditions, current smartphone usage patterns, and security-related behavior. In total, data from 343 participating physicians could be analyzed. A large majority (98.3%) used their smartphones during clinical practice. Of the respondents who used a smartphone during clinical practice, only 4.5% were provided with a smartphone by their employer. Approximately three-quarters of the respondents who used their smartphones for professional communication never/almost never used dedicated GDPR-compliant messenger services. Using a hierarchical regression model, we found a significant effect of the organizational resources Social Support (Supervisor) and Information Security-related Communication on security-related behavior during the selection of medical apps (App Selection). Smartphones are an important part of digital support for physicians in everyday clinical practice. To minimize the risks of use, technical and organizational measures should be taken by the hospital management, resulting, for example, in a Bring-Your-Own-Device (BYOD) initiative.
11
Ifinedo P. Exploring Personal and Environmental Factors that Can Reduce Nonmalicious Information Security Violations. INFORMATION SYSTEMS MANAGEMENT 2022. [DOI: 10.1080/10580530.2022.2131944] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/05/2022]
Affiliation(s)
- Princely Ifinedo
  - Department of Finance and Information Systems, Brock University, St. Catharines, ON, Canada
12
Gale M, Bongiovanni I, Slapnicar S. Governing cybersecurity from the boardroom: Challenges, drivers, and ways ahead. Comput Secur 2022. [DOI: 10.1016/j.cose.2022.102840] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/03/2022]
13
Lin C, Wittmer JL, Luo X(R). Cultivating proactive information security behavior and individual creativity: The role of human relations culture and IT use governance. INFORMATION & MANAGEMENT 2022. [DOI: 10.1016/j.im.2022.103650] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/05/2022]
14
15
Ghasemaghaei M, Turel O. Why Do Data Analysts Take IT-Mediated Shortcuts? An Ego-Depletion Perspective. J MANAGE INFORM SYST 2022. [DOI: 10.1080/07421222.2022.2063558] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/18/2022]
Affiliation(s)
- Ofir Turel
  - Information Systems Management, University of Melbourne, Victoria, Australia
16
AlGhamdi S, Win KT, Vlahu-Gjorgievska E. Employees' intentions toward complying with information security controls in Saudi Arabia's public organisations. GOVERNMENT INFORMATION QUARTERLY 2022. [DOI: 10.1016/j.giq.2022.101721] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/24/2022]
17
Kisekka V, Goel S. An Investigation of the Factors that Influence Job Performance During Extreme Events: The Role of Information Security Policies. INFORMATION SYSTEMS FRONTIERS : A JOURNAL OF RESEARCH AND INNOVATION 2022; 25:1-20. [PMID: 35669336 PMCID: PMC9156359 DOI: 10.1007/s10796-022-10281-6] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Accepted: 04/21/2022] [Indexed: 06/15/2023]
Abstract
Diligent compliance with Information security Policies (ISP) can effectively deter threats but can also adversely impact organizational productivity, impeding organizational task completion during extreme events. This paper examines employees' job performance during extreme events. We use the conservation of resources (COR) theory to examine how psychological resources (individual resilience, job meaningfulness, self-efficacy) and organizational resources (incident command leadership, information availability, and perceived effectiveness of security and privacy controls) influence ISP compliance decisions and job performance during extreme events. The results show that a one-size-fits-all approach to ISP is not ideal during extreme events; ISP can distract employees from critical job tasks. We also observed that under certain conditions, psychological resources, such as individual resilience, are reserved for job performance, while others, such as self-efficacy, are reserved for ISP compliance. A post hoc analysis of data from respondents who experienced strain during a real extreme event while at work was conducted. Our discussion provides recommendations on how security and privacy policies can be designed to reflect disaster conditions by relaxing some policy provisions.
Affiliation(s)
- Victoria Kisekka
  - Information Security and Digital Forensics, School of Business, Massry Center for Business (BB) 371, University at Albany, State University of New York, 1400 Washington Ave., Albany, NY 12222 USA
- Sanjay Goel
  - Information Security and Digital Forensics, School of Business, Massry Center for Business (BB) 311, University at Albany, State University of New York, 1400 Washington Ave., Albany, NY 12222 USA
18
Karlsson M, Karlsson F, Åström J, Denk T. The effect of perceived organizational culture on employees’ information security compliance. INFORMATION AND COMPUTER SECURITY 2022. [DOI: 10.1108/ics-06-2021-0073] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/17/2022]
Abstract
Purpose
This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.
Design/methodology/approach
The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.
Findings
The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.
Research limitations/implications
The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.
Practical implications
Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite of an internal focus, that may have negative ramifications for the information security of organizations.
Originality/value
Few information security policy compliance studies exist on the consequences of different organizational/information cultures.
19
Nord J, Sargent CS, Koohang A, Marotta A. Predictors of Success in Information Security Policy Compliance. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2022. [DOI: 10.1080/08874417.2022.2067795] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/18/2022]
Affiliation(s)
- Jeretta Nord
  - Oklahoma State University, Stillwater, Oklahoma, USA
20
Li L, Xu L, He W. The effects of antecedents and mediating factors on cybersecurity protection behavior. COMPUTERS IN HUMAN BEHAVIOR REPORTS 2022. [DOI: 10.1016/j.chbr.2021.100165] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 11/26/2022] Open
21
Chen Y, Xia W, Cousins K. Voluntary and instrumental information security policy compliance: an integrated view of prosocial motivation, self-regulation and deterrence. Comput Secur 2022. [DOI: 10.1016/j.cose.2021.102568] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.7] [Indexed: 11/27/2022]
22
Hassandoust F, Subasinghage M, Johnston AC. A neo-institutional perspective on the establishment of information security knowledge sharing practices. INFORMATION & MANAGEMENT 2022. [DOI: 10.1016/j.im.2021.103574] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.7] [Indexed: 11/05/2022]
23
Sela A, Rozenboim N, Ben-Gal HC. Smartphone use behavior and quality of life: What is the role of awareness? PLoS One 2022; 17:e0260637. [PMID: 35275929 PMCID: PMC8916658 DOI: 10.1371/journal.pone.0260637] [Citation(s) in RCA: 6] [Impact Index Per Article: 2.0] [Received: 07/13/2021] [Accepted: 11/13/2021] [Indexed: 11/18/2022] Open
Abstract
How does smartphone use behavior affect quality of life factors? The following work suggests new insights into smartphone use behavior, mainly regarding two contradicting smartphone modes of use that affect quality of life in opposite ways. The Aware smartphone mode of use reflects an active lifestyle, while the Unaware mode of use reflects the use of the smartphone in conjunction with other activities. Using data from 215 individuals who reported their quality of life and smartphone use habits, we show that high levels of smartphone use in the Unaware mode of use have a significant negative effect on the quality of life. However, the results show a mild positive effect when the individual uses the smartphone in an aware mode of use. We identify three latent factors within the quality-of-life construct and measure the effect of the different smartphone modes of use on these quality-of-life factors. We find that (i) The functioning latent factor, which is an individual's ability to function well in his or her daily life, is not affected by smartphone use behavior. In contrast, (ii) the competence latent factor, which is a lack of negative emotions or pain, and (iii) the positive feelings latent factor both show a clear effect with the smartphone Unaware mode of use. This implies that the unaware use of smartphones, which is its use in conjunction with other activities or late at night, can be related to lower levels of quality of life. Since smartphones currently serve as an interface between the self and the cyber space, as well as an interface between the self and other individuals online, these results need to be considered for social wellbeing in relation to digital human behavior, smartphone addiction and a healthy mode of use.
Affiliation(s)
- Alon Sela
  - Department of Industrial Engineering, Ariel University, Ariel, Israel
- Noam Rozenboim
  - Department of Industrial Engineering, Tel Aviv University, Tel Aviv, Israel
- Hila Chalutz Ben-Gal
  - Department of Industrial Engineering and Management, Afeka Tel Aviv Academic College of Engineering, Tel Aviv-Yafo, Israel
24
Walser R, Cram WA, Bernroider EW, Wiener M. Control choices and enactments in IS development projects: Implications for legitimacy perceptions and compliance intentions. INFORMATION & MANAGEMENT 2021. [DOI: 10.1016/j.im.2021.103522] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 11/15/2022]
25
Ge Y, Lu L, Cui X, Chen Z, Qu W. How personal characteristics impact phishing susceptibility: The mediating role of mail processing. APPLIED ERGONOMICS 2021; 97:103526. [PMID: 34246073 DOI: 10.1016/j.apergo.2021.103526] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.5] [Received: 02/21/2021] [Revised: 06/29/2021] [Accepted: 06/30/2021] [Indexed: 06/13/2023]
Abstract
In the phishing email literature, recent researchers have given much attention to individual differences in phishing susceptibility from the perspective of the Big Five personality traits. Although the effectiveness and advantages of the phishing susceptibility measures in the signal detection theory (SDT) framework have been verified, the cognitive mechanisms that lead to individual differences in these measures remain unknown. The current study proposed and examined a theoretical path model to explore how the Big Five personality traits, related knowledge and experience and the cognitive processing of emails (i.e., mail elaboration) influence users' susceptibility to phishing emails. A sample of 414 Chinese participants completed the 44-item Big Five Personality Inventory (BFI-44), Mail Elaboration Scale (MES), Web Experience Questionnaire, Experience with Electronic Mail Scale, Knowledge and Technical Background Test and a demographic questionnaire. The phishing susceptibility measures were calculated after the participants finished an email legitimacy task in a role-playing scenario. The results showed that the general profile of the "victim personality" included low conscientiousness, low openness and high neuroticism, and Internet experience and computer and web knowledge played an important role. All of these factors have significant indirect effects on phishing susceptibility by influencing mail elaboration. Moreover, the probabilities of checking for further information or deleting the email reflect the sensitivity of email judgment. These findings reveal the mediating role of cognitive processing between individual factors and phishing susceptibility. The theoretical implications of this study for the phishing susceptibility literature and its applications to phishing risk interventions or training programs are discussed.
Affiliation(s)
- Yan Ge
  - CAS Key Laboratory of Behavioral Science, Institute of Psychology, Chinese Academy of Sciences, Beijing, China; Department of Psychology, University of Chinese Academy of Sciences, Beijing, China
- Li Lu
  - CAS Key Laboratory of Behavioral Science, Institute of Psychology, Chinese Academy of Sciences, Beijing, China
- Xinyue Cui
  - CAS Key Laboratory of Behavioral Science, Institute of Psychology, Chinese Academy of Sciences, Beijing, China; Department of Psychology, University of Chinese Academy of Sciences, Beijing, China
- Zhe Chen
  - School of Computer and Information Technology, Beijing Jiaotong University, Beijing, China
- Weina Qu
  - CAS Key Laboratory of Behavioral Science, Institute of Psychology, Chinese Academy of Sciences, Beijing, China; Department of Psychology, University of Chinese Academy of Sciences, Beijing, China
26
Hwang I, Kim S, Rebman C. Impact of regulatory focus on security technostress and organizational outcomes: the moderating effect of security technostress inhibitors. INFORMATION TECHNOLOGY & PEOPLE 2021. [DOI: 10.1108/itp-05-2019-0239] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.5] [Indexed: 11/17/2022]
Abstract
Purpose
Organizations invest in information security (IS) technology to be more competitive; however, implementing IS measures creates environmental conditions, such as overload, uncertainty, and complexity, which can cause employees technostress, eventually resulting in poor security performance. This study seeks to contribute to the intersection of research on regulatory focus (promotion and prevention) as a type of individual personality traits, technostress, and IS.
Design/methodology/approach
A survey questionnaire was developed, collecting 346 responses from various organizations, which were analyzed using the structural equation model approach with AMOS 22.0 to test the proposed hypotheses.
Findings
The results indicate support for both the direct and moderating effects of security technostress inhibitors. Moreover, a negative relationship exists between promotion-focused employees and facilitators of security technostress, which negatively affects strains (organizational commitment and compliance intention).
Practical implications
Organizations should develop various programs and establish a highly IS-aware environment to strengthen employees' behavior regarding IS. Furthermore, organizations should consider employees' focus types when engaging in efforts to minimize security technostress, as lowering technostress results in positive outcomes.
Originality/value
IS management at the organizational level is directly related to employees' compliance with security rather than being a technical issue. Using the transaction theory perspective, this study seeks to enhance current research on employees' behavior, particularly focusing on the effect of individuals' personality types on IS. Moreover, this study theorizes the role of security technostress inhibitors for understanding employees' IS behaviors.
27
Saban KA, Rau S, Wood CA. “SME executives’ perceptions and the information security preparedness model”. INFORMATION AND COMPUTER SECURITY 2021. [DOI: 10.1108/ics-01-2020-0014] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 11/17/2022]
Abstract
Purpose
Information security has increasingly been in the headlines as data breaches continue to occur at alarming rates. This paper aims to propose an Information Security Preparedness Model that was developed to examine how SME executives’ perceptions of security importance, implementation challenges and external influences impact their awareness and commitment to security preparedness.
Design/methodology/approach
Funded by the Department of Justice, a national survey of SME executives’ perceptions of information security preparedness was conducted. Using PLS-SEM, the survey responses were used to test the proposed Information Security Preparedness Model.
Findings
The results indicate that as perceptions of security importance and external influences increase, SME executives’ awareness and commitment to information security also increases. In addition, as implementation challenges increase, awareness and commitment to information security decreases. Finally, as security importance and awareness and commitment to information security increases, executives’ perception of security preparedness also increases.
Research limitations/implications
Executive perceptions of information security were measured and not the actual level of security. Further research that examines the agreement between executive perceptions and the true state of information security within the organization is warranted.
Originality/value
Prior information security studies using Rogers’ (1975, 1983) Protection Motivation Theory have produced mixed results. This paper develops and tests the Information Security Preparedness Model to more fully explain SME executives’ perceptions of information security.
|
28
|
Raddatz N, Coyne J, Menard P, Crossler RE. Becoming a blockchain user: understanding consumers’ benefits realisation to use blockchain-based applications. EUR J INFORM SYST 2021. [DOI: 10.1080/0960085x.2021.1944823] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.8] [Indexed: 10/20/2022]
Affiliation(s)
- Nirmalee Raddatz
  - University of Memphis, Crews School of Accountancy, Memphis, United States
- Joshua Coyne
  - University of Memphis, Crews School of Accountancy, Memphis, United States
- Philip Menard
  - University of Texas at San Antonio, Department of Information Systems and Cyber Security, San Antonio, United States
- Robert E Crossler
  - Washington State University, Management, Information Systems & Entrepreneurship Department, Pullman, United States
|
29
|
Khando K, Gao S, Islam SM, Salman A. Enhancing employees information security awareness in private and public organisations: A systematic literature review. Comput Secur 2021. [DOI: 10.1016/j.cose.2021.102267] [Citation(s) in RCA: 7] [Impact Index Per Article: 1.8] [Indexed: 10/21/2022]
|
30
|
Xu F, Hsu C, Luo X(R), Warkentin M. Reactions to Abusive Supervision: Neutralization and IS Misuse. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2021. [DOI: 10.1080/08874417.2021.1887776] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/21/2022]
Affiliation(s)
- Feng Xu
  - Mississippi State University, Starkville, MS, USA
- Carol Hsu
  - Tongji University, Shanghai, China
  - University of Sydney, Sydney, Australia
|
31
|
Haislip J, Lim JH, Pinsker R. The Impact of Executives’ IT Expertise on Reported Data Security Breaches. INFORMATION SYSTEMS RESEARCH 2021. [DOI: 10.1287/isre.2020.0986] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.0] [Indexed: 12/22/2022]
Abstract
Data security breaches (DSBs) are increasing investor and regulator pressure on firms to improve their IT governance (ITG) in an effort to mitigate the related risk. We argue that DSB risk cannot be mitigated by one executive alone, but, rather, is a shared leadership responsibility of the top management team (TMT) (i.e., Chief Executive Officer [CEO], Chief Financial Officer [CFO], and Chief Information Officer [CIO]). Our results suggest that IT-savvy CEOs see technologies related to mitigating DSBs as a top-three most important type of digital methodology for their firm. Similarly, the results related to CFOs with IT expertise single out the critical investment in controls designed to prevent DSBs. Our strong findings for CIOs on the TMT add to the related guidance from COBIT 5 for information security and consistently suggest that they are the key executive for securing IT systems. Finally, our granular explanation of each executive’s DSB-related responsibility could potentially provide firms the start of a governance-led roadmap for compliance to the Securities and Exchange Commission’s and Justice Department’s cyber regulations.
Affiliation(s)
- Jacob Haislip
  - School of Accounting, Rawls College of Business, Texas Tech University, Lubbock, Texas 79409
- Jee-Hae Lim
  - School of Accountancy, University of Hawaii, Manoa, Honolulu, Hawaii 96822
- Robert Pinsker
  - School of Accounting, Florida Atlantic University, Boca Raton, Florida 33431
|
32
|
Onumo A, Ullah-Awan I, Cullen A. Assessing the Moderating Effect of Security Technologies on Employees Compliance with Cybersecurity Control Procedures. ACM TRANSACTIONS ON MANAGEMENT INFORMATION SYSTEMS 2021. [DOI: 10.1145/3424282] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 10/22/2022]
Abstract
The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.
Affiliation(s)
- Andrea Cullen
  - Computer Science, University of Bradford, United Kingdom
|
33
|
Davis J, Agrawal D, Guo X. Enhancing users’ security engagement through cultivating commitment: the role of psychological needs fulfilment. EUR J INFORM SYST 2021. [DOI: 10.1080/0960085x.2021.1927866] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/21/2022]
|
34
|
Dewies M, Schop-Etman A, Rohde KIM, Denktaş S. Nudging is Ineffective When Attitudes Are Unsupportive: An Example from a Natural Field Experiment. BASIC AND APPLIED SOCIAL PSYCHOLOGY 2021. [DOI: 10.1080/01973533.2021.1917412] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.5] [Indexed: 10/21/2022]
Affiliation(s)
- Malte Dewies
  - Erasmus University Rotterdam, Erasmus School of Social and Behavioural Sciences
- Astrid Schop-Etman
  - Erasmus University Rotterdam, Erasmus School of Social and Behavioural Sciences
- Kirsten I. M. Rohde
  - Erasmus University Rotterdam, Tinbergen Institute, and Erasmus Research Institute of Management
- Semiha Denktaş
  - Erasmus University Rotterdam, Erasmus School of Social and Behavioural Sciences
|
35
|
Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance. APPLIED SCIENCES-BASEL 2021. [DOI: 10.3390/app11083383] [Citation(s) in RCA: 21] [Impact Index Per Article: 5.3] [Indexed: 11/16/2022]
Abstract
A grave concern to an organization’s information security is employees’ behavior when they do not value information security policy compliance (ISPC). Most ISPC studies evaluate compliance and noncompliance behaviors separately. However, the literature lacks a comprehensive understanding of the factors that transform the employees’ behavior from noncompliance to compliance. Therefore, we conducted a systematic literature review (SLR), highlighting the studies done concerning information security behavior (ISB) towards ISPC in multiple settings: research frameworks, research designs, and research methodologies over the last decade. We found that ISPC research focused more on compliance behaviors than noncompliance behaviors. Value conflicts, security-related stress, and neutralization, among many other factors, provided significant evidence towards noncompliance. At the same time, internal/external and protection motivations proved positively significant towards compliance behaviors. Employees perceive internal and external motivations from their social circle, management behaviors, and organizational culture to adopt security-aware behaviors. Deterrence techniques, management behaviors, culture, and information security awareness play a vital role in transforming employees’ noncompliance into compliance behaviors. This SLR’s motivation is to synthesize the literature on ISPC and ISB, identifying the behavioral transformation process from noncompliance to compliance. This SLR contributes to information system security literature by providing a behavior transformation process model based on the existing ISPC literature.
|
36
|
Jaeger L, Eckhardt A, Kroenung J. The role of deterrability for the effect of multi-level sanctions on information security policy compliance: Results of a multigroup analysis. INFORMATION & MANAGEMENT 2021. [DOI: 10.1016/j.im.2020.103318] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 10/24/2022]
|
37
|
Deep Prakash C, Majumdar A. Analyzing the role of national culture on content creation and user engagement on Twitter: The case of Indian Premier League cricket franchises. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2021. [DOI: 10.1016/j.ijinfomgt.2020.102268] [Citation(s) in RCA: 6] [Impact Index Per Article: 1.5] [Indexed: 11/16/2022]
|
38
|
Hughes-Lartey K, Li M, Botchey FE, Qin Z. Human factor, a critical weak point in the information security of an organization's Internet of things. Heliyon 2021; 7:e06522. [PMID: 33768182 PMCID: PMC7980069 DOI: 10.1016/j.heliyon.2021.e06522] [Citation(s) in RCA: 8] [Impact Index Per Article: 2.0] [Received: 05/26/2020] [Revised: 08/09/2020] [Accepted: 03/11/2021] [Indexed: 11/26/2022] Open
Abstract
Internet of Things (IoT) presents opportunities for designing new technologies for organizations. Many organizations are beginning to accept these technologies for their daily work, where employees can be connected, both on the organization's premises and the "outside", for business continuity. However, organizations continue to experience data breach incidents. Even though there is a plethora of researches in Information Security, there "seems" to be little or lack of interest from the research community, when it comes to human factors and its relationship to data breach incidents. The focus is usually on the technological component of Information Technology systems. Regardless of any technological solutions introduced, human factors continue to be an area that lacks the required attention. Making the assumption that people will follow expected secure behavioral patterns and therefore system security expectations will be satisfied, may not necessarily be true. Security is not something that can simply be purchased; human factors will always prove to be an important space to explore. Hence, human factors are without a doubt a critical point in Information Security. In this study, we propose an Organizational Information Security Framework For Human Factors applicable to the Internet of Things, which includes countermeasures that can help prevent or reduce data breach incidents as a result of human factors. Using linear regression on data breach incidents reported in the United States of America from 2009 to 2017, the study validates human factors as a weak-point in information security that can be extended to Internet of Things by predicting the relationship between human factors and data breach incidents, and the strength of these relationships. Our results show that five breach incidents out of the seven typified human factors to statistically and significantly predict data breach incidents. 
Furthermore, the results also show a positive correlation between human factors and these data breach incidents.
Affiliation(s)
- Kwesi Hughes-Lartey
  - School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China
  - Computer Science Department, Koforidua Technical University, Koforidua, Ghana
- Meng Li
  - School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China
  - Institute of Electronic and Information Engineering UESTC in Guangdong, China
- Francis E Botchey
  - School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China
  - Computer Science Department, Koforidua Technical University, Koforidua, Ghana
- Zhen Qin
  - School of Information and Software Engineering, University of Electronic Science and Technology of China, Chengdu, China
  - Institute of Electronic and Information Engineering UESTC in Guangdong, China
  - Network and Data Security Key Laboratory of Sichuan Province, China
|
39
|
Liu C, Liang H, Wang N, Xue Y. Ensuring employees' information security policy compliance by carrot and stick: the moderating roles of organizational commitment and gender. INFORMATION TECHNOLOGY & PEOPLE 2021. [DOI: 10.1108/itp-09-2019-0452] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.8] [Indexed: 11/17/2022]
Abstract
Purpose
Employees’ information security policy (ISP) compliance exerts a significant strain on information security management. Drawing upon the compliance theory and control theory, this study attempts to examine the moderating roles of organizational commitment and gender in the relationships between reward/punishment expectancy and employees' ISP compliance.
Design/methodology/approach
Using survey data collected from 310 employees in Chinese organizations that have formally adopted information security policies, the authors applied the partial least square method to test hypotheses.
Findings
Punishment expectancy positively affects ISP compliance, but reward expectancy has no significant impact on ISP compliance. Compared with committed employees, both reward expectancy and punishment expectancy have stronger impacts on low-commitment employees' ISP compliance. As for gender differences, punishment expectancy exerts a stronger effect on females' ISP compliance than it does on males.
Originality/value
By investigating the moderating roles of organizational commitment and gender, this paper offers a deeper understanding of reward and punishment in the context of ISP compliance. The findings reveal that efforts in building organizational commitment will reduce the reliance on reward and punishment, and further controls rather than the carrot and stick should be applied to ensure male employees' ISP compliance.
|
40
|
Impact of organizational inertia on organizational agility: the role of IT ambidexterity. INFORMATION TECHNOLOGY & MANAGEMENT 2021. [DOI: 10.1007/s10799-021-00324-w] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.0] [Indexed: 10/22/2022]
|
41
|
Understanding cybersecurity behavioral habits: Insights from situational support. JOURNAL OF INFORMATION SECURITY AND APPLICATIONS 2021. [DOI: 10.1016/j.jisa.2020.102710] [Citation(s) in RCA: 10] [Impact Index Per Article: 2.5] [Indexed: 11/19/2022]
|
42
|
Lin C, Luo X(R). Toward a Unified View of Dynamic Information Security Behaviors. DATA BASE FOR ADVANCES IN INFORMATION SYSTEMS 2021. [DOI: 10.1145/3447934.3447940] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/22/2022]
Abstract
Extant information systems security research identified and examined a variety of individual as well as organizational factors influencing information security behaviors, but rarely offered sufficient theoretical insight into the interaction of the individual factors with the organizational context in impacting information security behaviors. To fill this gap, this study proposes a theoretical framework that builds on the concepts of organizational culture and sensemaking to show that: 1) information security behaviors are outcomes of sensemaking; and 2) sensemaking is enabled as well as constrained by organizational culture. This study further epitomizes that information security diagnosing, solving, and performing behaviors emerge as outcomes of sensemaking about information security during the organization's interactions with technology. Theoretical and pragmatic contributions of this framework and future research directions are also demonstrated.
|
43
|
Ameen N, Tarhini A, Shah MH, Madichie N, Paul J, Choudrie J. Keeping customers' data secure: A cross-cultural study of cybersecurity compliance among the Gen-Mobile workforce. COMPUTERS IN HUMAN BEHAVIOR 2021. [DOI: 10.1016/j.chb.2020.106531] [Citation(s) in RCA: 25] [Impact Index Per Article: 6.3] [Indexed: 11/15/2022]
|
44
|
Van Slyke C, Belanger F. Explaining the interactions of humans and artifacts in insider security behaviors: The mangle of practice perspective. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.102064] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.2] [Indexed: 11/16/2022]
|
45
|
Georgiadou A, Mouzakitis S, Bounas K, Askounis D. A Cyber-Security Culture Framework for Assessing Organization Readiness. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2020. [DOI: 10.1080/08874417.2020.1845583] [Citation(s) in RCA: 5] [Impact Index Per Article: 1.0] [Indexed: 10/22/2022]
|
46
|
Palanisamy R, Norman AA, Kiah MLM. Compliance with bring your own device security policies in organizations: A systematic literature review. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.101998] [Citation(s) in RCA: 9] [Impact Index Per Article: 1.8] [Indexed: 11/29/2022]
|
47
|
Kumar S, Biswas B, Bhatia MS, Dora M. Antecedents for enhanced level of cyber-security in organisations. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2020. [DOI: 10.1108/jeim-06-2020-0240] [Citation(s) in RCA: 8] [Impact Index Per Article: 1.6] [Indexed: 11/17/2022]
Abstract
Purpose
The present study aims to identify and investigate the antecedents of enhanced level of cyber-security at the organisational level from both the technical and the human resource perspective using human–organisation–technology (HOT) theory.
Design/methodology/approach
The study has been conducted on 151 professionals who have expertise in dealing with cyber-security in organisations in sectors such as retail, education, healthcare, etc. in India. The analysis of the data is carried out using partial least squares based structural equation modelling technique (PLS-SEM).
Findings
The results from the study suggest that “legal consequences” and “technical measures” adopted for securing cyber-security in organisations are the most important antecedents for enhanced cyber-security levels in the organisations. The other significant antecedents for enhanced cyber-security in organisations include “role of senior management” and “proactive information security”.
Research limitations/implications
This empirical study has significant implications for organisations as they can take pre-emptive measures by focussing on important antecedents and work towards enhancing the level of cyber-security.
Originality/value
The originality of this research is combining both technical and human resource perspective in identifying the determinants of enhanced level of cyber-security in the organisations.
|
48
|
Solomon G, Brown I. The influence of organisational culture and information security culture on employee compliance behaviour. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2020. [DOI: 10.1108/jeim-08-2019-0217] [Citation(s) in RCA: 6] [Impact Index Per Article: 1.2] [Indexed: 11/17/2022]
Abstract
Purpose
Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.
Design/methodology/approach
A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.
Findings
Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.
Practical implications
Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.
Originality/value
This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.
|
49
|
The “Right” recipes for security culture: a competing values model perspective. INFORMATION TECHNOLOGY & PEOPLE 2020. [DOI: 10.1108/itp-08-2019-0438] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/17/2022]
Abstract
Purpose
This study argues that the effect of perceived organizational culture on the formation of security-related subjective norms and the level of compliance pressure will vary based on how the employees perceive their organization's cultural values. These perceptions reflect on the assumptions and principles that organizations use to guide their security-related behaviors. To make these arguments, we adopt the competing values model (CVM), which is a model used to understand the range of organizational values and resulting cultural archetypes.
Design/methodology/approach
This study conducted a survey of working professionals in the banking and higher education industries and used partial least squares (PLS)-structural equation model (SEM) to analyze the data. In a series of post hoc analyses, we ran a set of multi-group analyses to compare the perceived organizational cultural effects between the working professionals in both industries.
Findings
Our study reveals that perceived organizational cultures in favor of stability and control promoted more positive security-related behaviors. However, the different effects were more pronounced when comparing the effects between the working professionals in both industries.
Originality/value
This study is one of the few that examines which cultural archetypes are more effective at fostering positive security behaviors. These findings suggest that we should be cautious about generalizing the effects of organizational culture on security-related actions across different contexts and industries.
|
50
|
Barlette Y, Jaouen A, Baillette P. Bring Your Own Device (BYOD) as reversed IT adoption: Insights into managers' coping strategies. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2020; 56:102212. [PMID: 32934432 PMCID: PMC7484736 DOI: 10.1016/j.ijinfomgt.2020.102212] [Citation(s) in RCA: 11] [Impact Index Per Article: 2.2] [Received: 04/28/2020] [Revised: 08/04/2020] [Accepted: 08/04/2020] [Indexed: 11/01/2022]
Abstract
The adoption of Bring Your Own Device (BYOD), initiated by employees, refers to the provision and use of personal mobile devices and applications for both private and business purposes. This bottom-up phenomenon, not initiated by managers, corresponds to a reversed IT adoption logic that simultaneously entails business opportunities and threats. Managers are thus confronted with this unchosen BYOD usage by employees and consequently adopt different coping strategies. This research aims to investigate the adaptation strategies embraced by managers to cope with the BYOD phenomenon. To this end, we operationalized the coping model of user adaptation (CMUA) in the organizational decision-making context to conduct a survey addressing 337 top managers. Our main results indicate that the impact of the CMUA constructs varies according to the period (pre- or post-implementation). The coping strategies differ between those who have already implemented measures to regulate BYOD usage and those who have not. We contribute to theory by integrating the perception of BYOD-related opportunities and threats and by shedding light on the decisional processes in the adoption of coping strategies. The managerial contributions of this research correspond to the improved protection of corporate information and the maximization of BYOD-related benefits.
Affiliation(s)
- Yves Barlette
  - Montpellier Business School, 2300 Avenue des Moulins, 34185, Montpellier cedex 4, France
- Annabelle Jaouen
  - Montpellier Business School, 2300 Avenue des Moulins, 34185, Montpellier cedex 4, France
- Paméla Baillette
  - University of Bordeaux, IRGO Research Center, 35 Avenue Abadie, CS51412, 33072, Bordeaux cedex, France
|