Information security policy compliance: a higher education case study
Abstract
Purpose: The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory and justice theory. Design/methodology/approach: The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression. Findings: The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant. Research limitations/implications: As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. The method of measuring information security violations has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to this case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a US university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study. Practical implications: The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated. Social implications: Engaging employees in developing and implementing information security measures will reduce employees’ violations. Additionally, giving employees the assurance that all are given the same treatment when it comes to applying sanctions will reduce the violations. Originality/value: Setting and enforcing in a timely manner a solid sanction system will help in preventing information security violations. Moreover, creating a culture that fosters information security will help in positively affecting the employees’ perceptions toward privacy and responsibility, which in turn, impacts information security violations. This case study applies some existing theories in the context of the US higher education environment. The results of this case study contributed to the extension of existing theories by including new factors, on one hand, and confirming previous findings, on the other hand.
Collections
- Accounting & Information Systems [535 items ]
Related items
Showing items related by title, author, creator and subject.
-
A Framework of Information Security Integrated with Human Factors
Al-Darwish, Ahmed I.; Choe, Pilsung ( Springer Verlag , 2019 , Conference)Information systems support organizations to achieve strategic competitiveness over other organizations and assist senior management in the decision-making process. In addition, they help organizations in timely implementation ... -
Violators versus non-violators of information security measures in organizations-A study of distinguishing factors
Khan, Habib Ullah; AlShare, Khalid A. ( Taylor and Francis Inc. , 2019 , Article)The present study analyzes the elements that differentiate violators from non-violators of information security measures. Various elements are derived from established theories and models such as general deterrence theory, ... -
An examination of factors that influence the number of information security policy violations in Qatari organizations
Al-Mukahal H.M.; Alshare K. ( Emerald Group Publishing Ltd. , 2015 , Article)Purpose: This paper aims to investigate factors that impact the number of information security policy violations in Qatari organizations and to examine the moderating effect of Hofstede's cultural dimensions on the ...