
A Model of Information Security Policy Compliance for Public Universities: A Conceptual Model

  • Conference paper
Emerging Trends in Intelligent Computing and Informatics (IRICT 2019)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 1073)

Abstract

Universities manage a large amount of public information, and therefore develop information security policies to ensure data security. During implementation, however, non-compliant user behavior is still found, and it affects data security. Previous research has sought the factors that influence users' compliance with information security, although some models and theories remain limited in implementation. Few researchers have combined behavioral theory and organizational theory to develop models, and previous models are inadequate for universities, which have unique characteristics. This study aims to explore and identify the factors that influence information security compliance and then to develop a conceptual model for assessing information security policies. The conceptual model was created based on a systematic literature review and a preliminary study. The resulting conceptual model identifies several variables that can be used to evaluate user compliance with information security policies: habits, attitudes, moral beliefs, and self-efficacy from behavioral theories, and human culture, commitment, rewards, and costs. The conceptual model will be tested further to help universities ensure and assess users' compliance with information security policies.




Correspondence to Angraini.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Angraini, Alias, R.A., Okfalisa (2020). A Model of Information Security Policy Compliance for Public Universities: A Conceptual Model. In: Saeed, F., Mohammed, F., Gazem, N. (eds) Emerging Trends in Intelligent Computing and Informatics. IRICT 2019. Advances in Intelligent Systems and Computing, vol 1073. Springer, Cham. https://doi.org/10.1007/978-3-030-33582-3_76
