Factors Influencing Information Security Policy Compliance Behavior

Kwame Simpe Ofori, Hod Anyigba, George Oppong Appiagyei Ampong, Osaretin Kayode Omoregie, Makafui Nyamadi, Eli Fianu
DOI: 10.4018/978-1-7998-3149-5.ch010

Abstract

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.
Chapter Preview

Introduction

Data breaches keep happening. So why don’t you do something? – The New York Times

Worldwide IT security spending was poised to increase to $124 billion in 2019 from $71.1 billion in 2017 (Gartner, 2018; Hwang et al., 2017). Big-ticket data breach cases in 2017 and 2018 highlighted, more than ever, the need for better systems and controls to curtail and contain data protection contraventions. Small and large companies alike, including Yahoo, AT&T, Citi Bank, JP Morgan, and Equifax, have all fallen prey to data protection problems originating internally (New York Times, 2018). Data compliance has become a key competitive resource employed by firms to outpace their competitors, typically involving the adoption and use of security policy initiatives (Kim & Kim, 2017). It is therefore no understatement to reiterate that information security and its application are pivotal to a firm's growth and success (Doherty et al., 2009). Furthermore, it has been established that the human element is a major cause of information security breaches in organizations. In other words, information security policy behavior is key to improving information security levels in organizations (Balozian & Leidner, 2017).

Prior research has attempted to explain information security policy breaches through the General Deterrence Theory (Chan et al., 2005; Donalds & Osei-Bryson, 2020; C. Lee et al., 2016; S. M. Lee et al., 2004), the Theory of Planned Behavior, Protection Motivation Theory and Organizational Theory (Rajab & Eydgahi, 2019). While organizational theory focuses on the effect of security climate on security policy compliance (Chan et al., 2005), deterrence theory highlights the effect of user awareness of IS security countermeasures on the perceived certainty and severity of organizational sanctions (D'Arcy et al., 2009). According to the literature, one key way to encourage and motivate employees to comply with an Information Security Policy (ISP) is the enforcement of sanctions under the general deterrence theory (GDT) framework (Aurigemma & Mattson, 2017). The GDT framework embraces disincentives that match appropriate sanctions to violators of the ISP (Wall et al., 2013). In other words, if employees perceive that there are harsh penalties once they are caught violating information systems security policy, they are less likely to violate it (Cheng et al., 2013). Further, Diver (2007) opines that understanding and interpreting the effects of sanctions is critical because employee non-compliance is typically the mainspring of all ISPs. This underlines the relevance of the GDT in enforcing ISPs. As maintained by the literature, another major compliance attribute, information security climate, has been found to have a significant impact on compliance because a workplace devoid of anti-compliance behavior is driven by the nature of peer socialization in the organization (Yazdanmehr & Wang, 2016). Although studies on GDT and security climate have laid a solid foundation in the field, they have largely been inconclusive with respect to compliance (Chen et al., 2018; D'Arcy et al., 2009; Herath et al., 2018; Herath & Rao, 2009; Safa et al., 2019).

Key Terms in this Chapter

Deterrence: Is defined as the preventative effect that actual or threatened punishment has on potential offenders.

Information Security Education: Refers to a program or efforts to make employees aware of the environment, policy and manual of an organization’s security.

Information Security Culture: Is defined as a natural aspect in the daily activities of every employee.

Perceived Severity of Punishment: Is defined as an actor's subjective judgment of how costly to himself the penalty he expects would be.

Compliant Information Security Behavior: Refers to the set of core information security activities that need to be carried out by individuals to maintain information security as defined by information security policies.

Information Security Climate: Is defined as the employee's perception of the current organizational state in terms of information security as evidenced through dealings with internal and external stakeholders.

General Deterrence Theory (GDT): Originates from criminology. It proposes that severe, swift, and certain sanctions result in deterring individuals from engaging in particular behaviours.
