Abstract
Users are considered the weakest link in ensuring information security (InfoSec). As a result, users' security behaviour remains crucial in many organizations. In response, InfoSec research has produced many behavioural theories targeted at explaining information security policy (ISP) compliance. Meanwhile, these theories mostly draw samples from employees often in developing countries. Such theories are not applicable to students in educational institutions since their psychological orientation with regards to InfoSec is different when compared with employees. Based on this premise, the chapter presents arguments founded on synthesis from existing literature. It proposes a students' security compliance model (SSCM) that attempts to explain predictive factors of students' ISP compliance intentions. The study encourages further research to confirm the proposed relationships using qualitative and quantitative techniques.
TopLiterature Review
The importance of organizations’ information security cannot be overemphasized. Hence, technological as well as behavioural measures are often initiated to curb the adverse effects of improper use and policy non-conformity. However, behavioural issues top the approaches in safeguarding information (Safa et al., 2016). Therefore, scholars have explored various avenues in an attempt to explain information security behaviour. Considering that human behaviour is complex and difficult to understand (Wiafe, Nakata, Moran, & Gulliver, 2011). Mostly, the factors that determine adherence to policies meant to guide security behaviour has been explored. Extant studies agree that deterrent mechanisms such as fear appeal, threat, certainty of and severity of punishment are effective in guiding people to comply with security policies (Cheng, Li, Li, Holm, & Zhai, 2013; Herath & Rao, 2009; Safa et al., 2019). Other studies have argued that concepts such as habit strength, security support, prior experiences, self-efficacy, and perceived vulnerability are more effective in explaining information security compliance (Ifinedo, 2012; Johnston & Warkentin, 2010; Tsai et al., 2016).
Key Terms in this Chapter
Attitude: A student’s positive or negative affect towards information security policy.
Information Security Policies (ISPs): It denotes acceptable guidelines for ensuring institutions’ information security.
Information Systems (IS): An integrated set of digital products for collecting, processing, and storing institutions’ informational resources.
Information Security Awareness: The degree to which students are conscious of acceptable security behavior.
Deterrence: An action of discouraging improper security behavior by instilling fear of punishment.
Information Security Knowledge Sharing: The probability that students will willingly share the information security knowledge they have acquired.
Subjective norm: The likehood that a student will perform security behaviour because of the expectation of relevant others.