Extant studies on compliance with security policies have largely ignored the impact of monitoring, security operations, and roles and responsibilities on employees' compliance. This chapter proposes a theoretical model that integrates security policy, monitoring, security operations, and security roles to examine employees' security compliance. Data were collected from 233 IT security and management professionals. Using partial least square structural equation modelling and testing hypotheses, the study finds that information security policy has significant indirect influence on information security compliance. The effect of security policy is fully mediated by security roles, operations security activities, and security monitoring activities. Security policy strongly influences operations security activities and has the greatest effect on security roles and responsibilities. Among the three mediating variables, monitoring has the most significant influence on security compliance. Conversely, the direct impact of security policy on compliance is not significant.
TopIntroduction
The failure of employee to comply with information systems security policies is a key concern for organizations (Puhakainen & Siponen, 2010). Information security breaches often result from employees' non-compliance with the security policy. A global survey profiles the nature of data breaches in 19 organizations from 27 countries. The study covers more than 47,000 reported security incidents and 621 confirmed data breaches. The findings reveal that over 50% of the insiders who committed sabotage were formal employees, 70% of Internet Protocol address (IP) theft cases were committed by internal people intended to resign their job, and 75% of attacks were opportunists with financial motives targeting no specific individual or organization (Data Breach Investigations Report [DBIR], 2013). This report heightens the need for organizations to ensure that essential security controls are put in place and security policies are complied with. A recent study found that insiders (current and former employees, third parties) with trusted network access represent a major threat to information security, yet many organisations fail to implement processes and technologies to address internal incidents (PWC Report, 2015). Sometimes, even the organisational efforts to protect information assets from employee security threats may rather encourage the behaviors organizations are attempting to thwart (Lowry et al., 2015).
Compliance with information security policy remains a challenging task (D'Arcy & Greene, 2014). To ensure compliance with security objectives, legal, and regulatory requirements, organizations have established security policies to guide employees’ behaviour. The information security policy contains intentions, principles, rules, and guidelines which the management wants the employees to adhere to (Sommestad et al., 2014). It provides management direction and support for information security (ISO/IEC, 2009). It generally describes the acceptable use of computer resources, information security roles and responsibilities, the type of training that employees should have, and the consequences of security policy violation (Sommestad et al., 2015). Providing adequate security to information security requires that technical information systems security and management personnel comply with security measures. For instance, critical data may be put at risk when the technical personnel fail to follow operational procedures, perform vulnerability assessment, check security in the third party products and services, perform regular backups, properly manage user accounts, secure mobile devices that are attached to the organization’s productive networks, effectively control malware activities, protect data transfer and network services, monitor, log, and audit information systems regularly. Accordingly, Qing et al. (2011) suggest the development and deployment of more advanced protective technologies and enforcement of effective security policies and procedures.