Towards Modelling the Impact of Security Policy on Compliance

Towards Modelling the Impact of Security Policy on Compliance

Winfred Yaokumah (Department of Information Technology, Pentecost University College, Accra, Ghana), Steven Brown (School of Business and Technology, Capella University, Minneapolis, MN, USA) and Alex Ansah Dawson (School of Technology, Ghana Institute of Management and Public Administration, Accra, Ghana)
Copyright: © 2016 |Pages: 16
DOI: 10.4018/JITR.2016040101
OnDemand PDF Download:
$30.00
List Price: $37.50

Abstract

This study develops a model, based on the controls present in ISO/IEC 27002 framework, to integrate the role of technical and administrative security controls. The model provides better understanding of how security policy can influence security compliance and the pathway through which this effect is generated. Data were collected from 223 IT security and management professionals. Using Partial Least Square Structural Equation Modelling (PLS-SEM) and testing hypotheses, the study finds that information security policy has significant indirect influence on information security compliance. The effect of security policy is fully mediated by security roles and responsibilities, operations security activities, and security monitoring and review activities. Security policy strongly influences operations security activities and has the greatest effect on security roles and responsibilities. Among the three mediating variables, monitoring and reviews has the most significant influence on security compliance. Conversely, the impact of security policy on compliance is not significant.
Article Preview

Introduction

Various threats (potential dangers exploiting system vulnerabilities) are militating against information assets as a result of vulnerabilities in information systems. Vulnerabilities are weaknesses or lack of countermeasures in the information systems themselves (Shon, 2013). Threats may be intentional or unintentional and can come from both internal and external sources. Internal (insider) threats to information security are critical issues for organizations (Baracaldo & Joshi, 2013; Wang, Gupta, & Rao, 2015). A global survey profiles the nature of data breaches in 19 organizations from 27 countries. The study covers more than 47,000 reported security incidents and 621 confirmed data breaches. The findings reveal that over 50% of the insiders who committed sabotage were formal employees, 70% of Internet Protocol address (IP) theft cases were committed by internal people intended to resign their job, and 75% of attacks were opportunists with financial motives targeting no specific individual or organization (Data Breach Investigations Report [DBIR], 2013). This report heightens the need for organizations to ensure that essential security controls are put in place and security policies are complied with.

Though several threats including browser exploits, data interception, malware, network exploits, spamming, spoofing, and theft/loss (US GAO, 2012) exist, technical (logical) controls are available to protect information systems. Technical controls such as firewalls, intrusion preventive and detection systems, antimalware, encryption, backup and restoration mechanisms, logging, monitoring, auditing, identification and authentication mechanisms were implemented in software configurations, hardware devices, and in procedures to protect information systems. Apart from technical controls, administrative controls (such as security policies and procedures) and physical controls (such as cable locks, fencing, closed-circuit TV, and lighting) play a major role in security systems (Shon, 2013). These controls provide functionalities intended to secure information systems.

These functionalities comprise of deterrent (intended to discourage a potential attacker), preventive (intended to avoid an incident from occurring), corrective (fixes components or systems after an incident has occurred), recovery (intended to bring the environment back to regular operations), and detective (identify an incident’s activities and potential intruder) (Shon, 2013). Despite these security measures, the major threat is the members of the organization themselves who are entrusted to protect information systems (Willison & Warkentin, 2013) and are required to comply with the organization’s security measures and policies. A recent study found that insiders (current and former employees, third parties) with trusted network access represent a major threat to information security, yet many organisations fail to implement processes and technologies to address internal incidents (PWC Report, 2015).

To ensure compliance with security objectives, legal, and regulatory requirements, organizations have established security policies to guide employees’ behaviour. The information security policy contains intentions, principles, rules, and guidelines which the management wants the employees to adhere to (Sommestad et al., 2014). It provides management direction and support for information security ((ISO/IEC, 2009). It generally describes the acceptable use of computer resources, information security roles and responsibilities, the type of training that employees should have, and the consequences of security policy violation (Sommestad et al., 2015). Providing adequate security to information security requires that technical information systems security and management personnel comply with security measures. For instance, critical data may be put at risk when the technical personnel fail to follow operational procedures, perform vulnerability assessment, check security in the third party products and services, perform regular backups, properly manage user accounts, secure mobile devices that are attached to the organization’s productive networks, effectively control malware activities, protect data transfer and network services, monitor, log, and audit information systems regularly.

Complete Article List

Search this Journal:
Reset
Open Access Articles: Forthcoming
Volume 10: 4 Issues (2017)
Volume 9: 4 Issues (2016)
Volume 8: 4 Issues (2015)
Volume 7: 4 Issues (2014)
Volume 6: 4 Issues (2013)
Volume 5: 4 Issues (2012)
Volume 4: 4 Issues (2011)
Volume 3: 4 Issues (2010)
Volume 2: 4 Issues (2009)
Volume 1: 4 Issues (2008)
View Complete Journal Contents Listing