A conceptual model for promoting information security policy compliance behaviour at workplace
List of Authors
  • Allen Peter Diman, Titik Khawa Abdul Rahman

Keywords
  • Information security, Information Security Policy, Health Action Process Approach Model, Self-efficacy, Compliance

Abstract
  • Securing sensitive and critical information is a significant challenge for many organisations, as leaks can cause financial, reputational, and competitiveness losses. To minimise this risk, organisations can implement an Information Security Policy (ISP) with which employees must comply. However, ensuring compliance with the ISP continues to be a problem. To address this issue, a conceptual model is proposed that organisations can use to promote ISP compliance behaviour among their employees. The model is derived from the Health Action Process Approach (HAPA) Model. It consists of two phases, motivational and volitional, which are expected to cover the elements needed to promote behavioural change for ISP compliance. The model's multi-process approach, covering critical aspects such as risk assessment, self-efficacy, initiation, and maintenance, enables it to serve as a platform for organisations to sustain ISP compliance over the long term. To implement the model, organisations can conduct employee assessments and provide ISP compliance training and awareness campaigns. They can also disseminate cues about information security issues and how the ISP can assist employees in handling them, discourage behaviour that leads to complacency towards ISP compliance, and update the ISP to keep it relevant. The proposed model presents an opportunity for future research to evaluate its applicability in organisational settings.
