Data and Information Management (Open Access journal, ISSN 2543-9251)

Information Security Compliance in Organizations: An Institutional Perspective

Ahmed AlKalbani, Hepu Deng, Booi Kam (School of Business Information Technology and Logistics, RMIT University, Melbourne, Australia) and Xiaojuan Zhang
Published Online: 2017-12-29 | DOI: https://doi.org/10.1515/dim-2017-0006

Abstract

The increasing recognition of the importance of information security has created institutional pressures on organizations to comply with information security standards and policies for protecting their information. How such pressures influence information security compliance in organisations, however, is unclear. This paper presents an empirical study to investigate the impact of institutional pressures on information security compliance in organizations. With the use of structural equation modelling for analysing the data collected through an online survey, the study shows that coercive pressures, normative pressures, and mimetic pressures positively influence information security compliance in organizations. It reveals that the benefits of information security compliance motivate management to strengthen their commitment to information security compliance. Furthermore, the study finds that social pressures do not have a significant impact on management commitment towards information security compliance. Theoretically, this study contributes to information security research by better understanding how institutional pressures can be used for enhancing information security compliance in organizations. Practically, this study informs information security policy makers of the major institutional drivers for information security compliance.

Keywords: information security; institutional pressures; information security compliance; management support; empirical study

1 Introduction

The increasing dependence on information systems in organizations has exposed their critical information to the possibility of cyber-crime (Tassabehji et al., 2007; Reddy & Rao, 2016). As a result, proactive approaches have to be adopted in organizations to safeguard organizational information in today’s dynamic environment. Enforcing information security compliance (Boss & Kirsch, 2007; Siponen et al., 2007; Lee et al., 2016), which refers to the implementation of information security standards and policies for protecting information in organizations, is a widely used proactive approach (Von Solms, 2005; Alkalbani et al., 2014; 2015a; Safa et al., 2016). There is an accelerated adoption of the information security compliance approach in organizations across the world (Kim et al., 2016). A report from the International Standards Certifications (ISC 2015) points out that spending in organizations to ensure their compliance with existing standards and policies for information security is increasing.

There is an increasing recognition of the importance of information security in organizations across the world (Alkalbani et al., 2015b; Appari et al., 2009; Bulgurcu et al., 2010). This has led to specific laws, regulations, standards and policies being developed to help organizations adequately protect their information. Such laws, regulations, standards and policies create institutional pressures on individual organizations regarding what they have to do to protect their information through the adoption of information security compliance (Cavusoglu et al., 2015; Kim et al., 2016). Furthermore, there is an increasing expectation from various stakeholders on what organizations are required to do for protecting their information through information security compliance (Davidsson et al., 2006; Hu et al., 2007). All such pressures to some extent influence the behaviors of individual organizations in their compliance with information security laws, regulations, standards and policies for protecting organizational information in today’s dynamic environment.

There are numerous studies that have been conducted on information security compliance in organizations (Herath & Rao, 2009; Bulgurcu et al., 2010; Ifinedo, 2013; Kim et al., 2016). Herath and Rao (2009), for example, investigate the factors related to the behaviors, motivations, values and norms that affect employees’ intentions to comply with information security policies in organizations. Siponen et al. (2010) examine the factors related to normative beliefs, threat appraisal, self-efficacy, and visibility that influence employees’ intention to comply with information security policies in organizations. Ifinedo (2013) assesses the social influence of changing individuals’ thoughts, actions, feelings, attitudes, and behaviors on information security compliance in organizations. Kim et al. (2016) investigate the factors that influence employees’ information security policy compliance behaviors using elements of the Triandis model. These studies have focused primarily on understanding employees’ attitudes and behavior regarding information security compliance in organizations. There is, however, a lack of research on the impact of institutional pressures on information security compliance in organizations (Vance et al., 2012).

This paper presents an empirical study to investigate the impact of institutional pressures on information security compliance in organizations. With the use of structural equation modeling for analyzing the data collected through an online survey, the study shows that coercive pressures, normative pressures, and mimetic pressures positively influence information security compliance in organizations. It reveals that the benefits of information security generate pressures on management to strengthen their commitment to information security compliance in organizations. Furthermore, the study finds that social pressures do not have a significant impact on management commitment towards information security compliance. Theoretically, this study contributes to information security compliance research by better understanding how institutional pressures can be used as a baseline for enhancing information security compliance in organizations. Practically, this study informs information security policy makers in organizations of the major institutional drivers for influencing information security compliance.

The rest of this paper is organized as follows. Section 2 presents a literature review of information security compliance from the perspective of institutional pressures on organizations. Section 3 presents an information security compliance model with a focus on the impact of institutional pressures on information security compliance in organizations. Section 4 describes the research methodology that this study adopts. Section 5 presents the research findings based on the analysis of the survey data. Finally, Section 6 presents the conclusion with the limitations of the study and future research.

2 Literature Review

With the rapid development of information and communication technologies, the security of information is becoming increasingly critical in organizations. This has led organizations to adopt various security practices and solutions, including the information security compliance approach, for establishing a proper use of their organizational information (Al-Kalbani et al., 2015b; Siponen et al., 2007; Vance et al., 2012). Information security compliance ensures that information security mechanisms implemented in an organisation can work together effectively to protect the critical information (Tassabehji et al., 2007; Kim et al., 2016). It is considered an institutional yardstick for showing that adequate steps have been taken to protect organizational information (Boss & Kirsch, 2007; Safa et al., 2016; Siponen et al., 2010).

The institutional theory (DiMaggio & Powell, 1983) is widely used for better understanding how institutional pressures influence information security compliance in organizations. Such a theory states that organizations must secure legitimacy from stakeholders by conforming to external expectations (Appari et al., 2009; Hu et al., 2007). This legitimacy can be gained by making strategic responses to external pressures (Cavusoglu et al., 2015). The basic notion of the institutional theory is that organizational structures and behaviors are based on the cultural and social pressures of their environments (Luna-Reyes & Gil-García, 2011). These pressures may determine, for example, how an organization is built, how it is run, and how it is understood and evaluated in a specific situation.

There are three types of external pressures that an organization has to consider: coercive pressures, normative pressures, and mimetic pressures (Davidsson et al., 2006; Cavusoglu et al., 2015). Coercive pressures force organizations to adopt certain institutionalized regulations and practices with respect to the security of organizational information in managing the organization (Hu et al., 2007). Such pressures stem from government laws and regulations that force organizations to act in compliance with certain rules and practices to receive legitimacy (Edwards et al., 2009). Normative pressures come from the community expectation that organizations are compelled to honor as responsible citizens in a specific circumstance (Appari et al., 2009). Mimetic pressures refer to the acquiescence by imitating peers to gain organizational legitimacy for better collaboration and cooperation along the supply chain in order to be competitive in the marketplace (Safa et al., 2016). They are present when an organization adopts the same actions, structure, and behaviors as similar organizations within its environment as a means of gaining legitimacy.

The usefulness of the institutional theory in understanding the adoption of specific technological innovations is well exemplified in the existing literature (Cavusoglu et al., 2015; Liang et al., 2007). Butler (2003), for example, uses the institutional theory to show that a high degree of established commitments and maintaining existing relationships are the two institutional factors that influence the development of web-based systems in organizations. Cavalluzzo and Ittner (2004) reveal that the adoption of legislative requirements influences the implementation of management control systems that increase operational productivity in public organizations. Liang et al. (2007) use the institutional theory to show that existing rules and regulations, and public opinions, have a significant impact on organizational behaviors in the organizational compliance process. These studies demonstrate that the institutional theory provides a sound theoretical background for understanding the adoption of technological innovations from the institutional perspective in organizations.

There are several studies that have investigated information security compliance in organizations with the use of various theories (Pahnila et al., 2007; Herath & Rao, 2009; Bulgurcu et al., 2010; Warkentin et al., 2011). Bulgurcu et al. (2010), for example, use the theory of planned behaviour to find that having information security awareness programs highly affects employees’ beliefs about the benefits of compliance and the cost of non-compliance. Shaw (2012) uses the attitude theory to show that having an organizational security culture improves employees’ attitudes towards information security compliance. Kankanhalli et al. (2003) find, on the basis of an organizational theory, that the fear of sanction for non-compliance with information security policies has a significant impact on employees’ behavior towards information security compliance. These studies show a predominant focus on influencing employees’ attitudes for improving information security compliance in organizations (Herath & Rao, 2009). There is, however, more to information security compliance, such as information security governance (Smith & Jamieson, 2006) and legislative requirements that may influence information security compliance in organizations. There is an increasing call for using socio-organizational theories such as the institutional theory (DiMaggio & Powell, 1983) for better understanding how organizations comply with various information security regulations, standards and policies from an institutional perspective (Hovav & D’Arcy, 2012). This is because the institutional theory can be used to better explain how an organizational environment can be used to influence the development of a formal information security structure in organizations.

3 Hypotheses Development

Non-compliance with information security standards and policies is one of the main reasons for security breaches in organizations (AlKalbani et al., 2014; Ullah et al., 2013). The adoption of information security compliance is increasingly becoming the focus for adequately protecting organizational information (Boss & Kirsch, 2007; Kim et al., 2016; Siponen et al., 2007; Safa et al., 2016; Von Solms, 2005). Adopting the information security compliance approach, however, is both complex and challenging. This is because the adoption of information security compliance in organizations involves (a) putting in place information security measures and mechanisms that can work together effectively, (b) satisfying the legal and security requirements and expectations of individual organizations and their stakeholders, and (c) maintaining both employees’ and stakeholders’ confidence and trust in the security of organisational information (Steinbart et al., 2012).

Organizations gain legitimacy from all their stakeholders through the development and implementation of specific strategies and policies for information security (Cavusoglu et al., 2015). This is because there are increasing pressures on organizations from their operating environments that force individual organizations to pursue such legitimacy. Often such pressures determine the ways in which organizations integrate their information security practices and solutions in the process of complying with information security standards and policies (Khansa & Liginlal, 2007). The presence of various laws and regulations on information security, for example, often forces organizations to act in compliance in order to receive legitimacy from government departments (Edwards et al., 2009).

The adoption of the institutional theory in this study offers a new lens of rigor to examine the dynamics of information security compliance practices in organizations. Such a theory can be used as a theoretical lens to (a) explain whether specific organizational behaviours are consistent with institutional forces (Liang et al., 2007; Delmas & Toffel, 2008) and (b) understand the process of diffusion, driven by the need to conform to and imitate institutional forces, by which the actual security structure in organizations is developed (Khansa & Liginlal, 2007; Appari et al., 2009; Cavusoglu et al., 2015). The institutional theory classifies pressures into coercive pressures, normative pressures, and mimetic pressures (Davidsson et al., 2006).

3.1 Coercive Pressures

Coercive pressures force organizations to adopt certain institutionalized rules and practices in managing the organization for information security (Hu et al., 2007). They stem from government laws and regulations. Such pressures force organizations to act in compliance with certain rules and practices for information security in order to receive legitimacy (Edwards et al., 2009). Existing laws and regulations such as the Privacy Act are a source of coercive pressures (Hu et al., 2007; Khansa & Liginlal, 2007). These laws and regulations are made for the protection of organisational information to satisfy the requirements of various stakeholders for information security in organizations. To gain legitimacy, organizations have to adopt various information security practices to provide the foundation for building a robust response to regulatory requirements. They have to incorporate specific legal requirements in their information security practices to meet their legal obligations for information security (Khansa & Liginlal, 2007). As a result, significant changes in organizations, such as the standardization of operational processes and practices, have to be made to show conformity with such laws and regulations in order to gain legitimacy from their stakeholders with respect to information security.

Existing laws and regulations influence the commitment of organizational management towards information security compliance (Hu et al., 2006; Liang et al., 2007). Such an impact is often reflected in the change of the attitudes and behaviours of management towards information security in organizations. Usually, management is responsible for ensuring that their organizations comply with applicable laws and regulations for information security. Failure to do so can result in stringent legal actions against them and the organization. As a result, a periodic review of their current security practices is often conducted to ensure organizational compliance with information security laws and regulations (Hu et al., 2007). The discussion above leads to the following hypotheses.

H1: Laws and regulations have a positive impact on information security compliance in organizations.

H2: Laws and regulations have a positive impact on management commitment towards information security compliance in organizations.

3.2 Normative Pressures

Normative pressures come from the community expectation that organizations are compelled to honour as responsible citizens in a specific circumstance (Appari et al., 2009). A decision to adopt new practices is often influenced by how organizational stakeholders take actions with respect to the new practices (Cavusoglu et al., 2015). Such pressures arise from the values and norms that are embedded in the organization for information security (Appari et al., 2009).

Organizations are likely to adjust their behaviours based on their beliefs about what is viewed as appropriate among members of their social networks and consequently adopt techniques and methods that reflect the current standards of those networks (Scott, 2013). This implies that organizations are subjected to specific pressures exerted by the expectations of their stakeholders at a specific time (Kam et al., 2013). Privacy, trust, and quality of services, for example, are socially desirable needs in today’s dynamic environment that must be adequately addressed in organizations. These socially desirable needs put organizations and their management in the spotlight, making them conscious of the need to maintain the trust of stakeholders and preserve their reputation as a responsible public entity in protecting stockholders’ information (Zhang et al., 2005).

There is abundant literature supporting the use of normative pressures for enhancing information security compliance (Appari et al., 2009). Delmas and Toffel (2008), for instance, show that the expectation of stakeholders plays a major role in shaping the information security compliance practice in organizations. Alfawaz et al. (2008) demonstrate that different community pressures have an impact on information security compliance in public organizations in developing countries. Kam et al. (2013) find that stakeholders’ expectations of information security generate specific pressures in organizations to strengthen their information security practices. Based on the above discussion, this study argues that normative pressures are exerted mainly through social pressures that influence information security compliance in organizations and strengthen management commitment towards information security compliance. This leads to the following hypotheses.

H3: Social pressures have a positive impact on information security compliance.

H4: Social pressures have a positive impact on management commitment towards information security compliance.

3.3 Mimetic Pressures

Mimetic pressures refer to the acquiescence by imitating peers to gain organizational legitimacy (DiMaggio & Powell, 1983). Such pressures are present when an organization adopts the same actions, structure, and behaviours as similar organizations within its environment for gaining legitimacy (DiMaggio & Powell, 1983). Mimetic pressures cause organizations to imitate successful actions and practices taken by others, such as competitors and business partners along the supply chain within their industry. These successes serve as the basis for the desired imitation, especially when organizations face similar needs and hope for similar success.

The perceived benefits of information security practices in terms of minimizing risks and threats, increasing stakeholders’ confidence and trust, improving employees’ performance, and minimizing the negative impacts on organizations are the foundation for organizations to mimic each other (Steinbart et al., 2012). When organizations publicize their perceived benefits, they create pressures on other organizations to take actions with respect to their information security practices. That leads organizations to mimic each other. The perceived benefits may also drive individuals to imitate their successful peers and behave in a similar manner. Organizations with effective information security practices influence employees’ behaviours to conform to industry norms. The discussion above leads to the following hypotheses.

H5: Information security benefits have a positive impact on information security compliance in organizations.

H6: Information security benefits have a positive impact on management commitment towards information security compliance.

3.4 Management Commitment

Management commitment is a reflection of the efforts of senior management to promote information security compliance in organizations (Kajava et al., 2007; Karunasena & Deng, 2013). It is related to the decisions, investments and actions taken for enforcing information security standards and policies across the organization. Commitment from top management is significant for information security compliance in organizations, since their decisions usually drive the operational practices across the organisation. Failing to understand information security as a core competency in organizations could have direct implications for business survivability (Kajava et al., 2007; Gupta, 2008). Senior management should provide visible support and real commitment towards information security compliance in their organizations.

Management commitment is an internalised organizational pressure that affects the behaviours of employees in complying with information security standards and policies. The visible participation, ongoing communication and championing of senior management stimulate employees’ intentions towards information security compliance and encourage the adherence to information security standards and policies (Knapp et al., 2006; Kolkowska & Dhillon, 2012). Management commitment has a persuasive effect on employees’ information security compliance. The development and enforcement of organizational security standards and policies would not be taken seriously without the support and involvement of top management in organizations (Knapp et al., 2006). This leads to the following hypothesis.

H7: Management commitment has a positive impact on information security compliance in organizations.

The discussion above suggests that institutional pressures have a significant impact on information security compliance in organizations. This leads to the development of the conceptual model shown in Figure 1. Such a conceptual model hypothesizes that institutional pressures have a positive impact on information security compliance in organisations. It further assumes that institutional pressures affect senior management commitment towards information security compliance. Figure 1 shows the conceptual model with the identified constructs and their associated attributes.

Figure 1: A research model.

4 Research Methodology

This study aims to evaluate the impact of institutional pressures on information security compliance in organizations for better understanding the relationships between institutional pressures and information security compliance. To fulfil this objective, structural equation modelling is used for testing the relationships proposed in the conceptual model in Figure 1. Such a technique is required in this research for testing the relationships between measured variables and unobserved constructs and for estimating the relationships between unobserved constructs (Duan et al., 2012).

A web-based survey is used for data collection from public organisations in Oman. The questionnaire is tested for content and construct validity with experts in the field of information security and academics in information systems. A seven-point Likert scale is used to obtain respondents’ assessments of a range of information security compliance items, with “7” denoting ‘highly important’ and “1” representing ‘not important at all’. Overall, 326 responses are received; 32 responses with missing data and aberrant responses are excluded, yielding a total of 294 completed questionnaires for the analysis.

Overall, 294 responses are ready for the structural equation modelling analysis. The demographic statistics of these responses are analysed across the participants’ age group, educational level, employment type, and organization size based on the total number of employees. Figure 2 presents the age profile of the respondents. 47% of respondents are 30 years old or under, and 45% are in the range of 31-40 years old. A minority (8%) of the respondents are older than 41 years.

Figure 2: The age profile of the respondents.

The respondents’ level of education is also examined. As presented in Figure 3, 12% of the respondents have a high school education, 22% of the respondents have a diploma or advanced diploma, 13% of the respondents have a master’s degree, and 2% of the respondents have a doctoral degree. A majority (51%) of the respondents have a bachelor’s degree.

Figure 3: The educational profile of the respondents.

The employment profile of the respondents is also examined. The largest group of respondents (28%) comes from the ICT sector. The remaining 72% work in the education (18%), travel and tourism (5%), agriculture (6%), healthcare (12%), trading (15%), and finance (16%) sectors. Figure 4 presents the employment profile of the respondents.

Figure 4: The employment profile of the respondents.

Figure 5 presents the organizational profile based on the total number of employees at the time of this research. 1% of respondents are from organizations with fewer than 50 employees, 3% are in the range of 51 to 100 employees, and 11% are in the range of 101 to 250 employees. 24% of the respondents come from organizations with 251 to 500 employees, and 21% are in the range of 501 to 1000 employees. The largest group (40%) of the respondents represents organizations with more than 1001 employees.

Figure 5: The organizational profile of the respondents.

The analysis above shows that the respondents are from different age groups, employment profiles, and organizational profiles with a variety of educational backgrounds. This shows that the sample of the data collected is representative of the population. As a result, the research findings from this study are robust and generalizable to some degree.

5 Data Analysis and Research Findings

This study uses structural equation modeling for testing the relationships proposed in the conceptual model in Figure 1. The use of structural equation modeling is appropriate for this study due to its potential for extending the theory development and its capability of simultaneously assessing multiple, interrelated dependence relationships. This study uses a two-step approach to structural equation modeling, namely a measurement model and a structural model. The measurement model involves conducting a confirmatory factor analysis (CFA) for assessing the contribution of each indicator variable and for measuring the adequacy of the measurement model. The structural model contains the path coefficients that indicate the strength and the sign of the paths between variables (Hair, 2010).

5.1 A Measurement Model

To validate the measurement model, individual constructs are assessed based on (a) the reliability, (b) the discriminant validity, and (c) the adequacy of the model fitness. To test the reliability of the constructs, Cronbach’s alpha is used. Table 1 shows that all the constructs have values of alpha exceeding 0.7. This proves that there is high construct reliability.

Table 1: Reliability and validity measurements.

The convergent validity for a single factor is confirmed by examining both the average variance extracted (AVE) and the factor loadings of the indicator associated with each construct. The results indicate that the five factors have the AVE values exceeding the threshold value of 0.5. With the presence of these results, the validity of the constructs used in the model is supported (Hair, 2010).

Discriminant validity is assessed by comparing the square root of the AVE for each construct against the inter-construct correlation estimates. Table 2 shows acceptable discriminant validity between each pair of constructs, with all AVE square roots greater than the correlations between the constructs. For example, the security benefits construct shows the highest discriminant validity among all constructs. The square root of the AVE for security benefits is 0.76, while the correlations between security benefits and the other constructs range from 0.42 to 0.64. This shows that the security benefits construct satisfies the discriminant validity criterion (Hair, 2010).
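The three measurement-model checks described above (Cronbach’s alpha above 0.7, AVE above 0.5, and the square root of each construct’s AVE exceeding its correlations with every other construct) carried out in code, as an added Python example that is not part of the paper. The Likert responses, standardized loadings and correlations are constructed; the security-benefits loadings and correlations are chosen so that its square root of AVE is about 0.76 and its correlations 0.42 to 0.64, matching the figures reported above, while a second construct is built to pass the AVE threshold but fail the discriminant check.

```python
from math import sqrt
from statistics import variance


def cronbach_alpha(items):
    """Cronbach's alpha for one construct.

    items: one list of Likert responses per indicator (all the same length,
    respondents in the same order). alpha = k/(k-1) * (1 - sum(var_i)/var_total).
    """
    k = len(items)
    if k < 2:
        raise ValueError("alpha needs at least two indicators")
    n = len(items[0])
    if any(len(it) != n for it in items):
        raise ValueError("all indicators must have the same number of responses")
    sum_item_var = sum(variance(it) for it in items)
    totals = [sum(it[r] for it in items) for r in range(n)]
    total_var = variance(totals)
    if total_var == 0:
        raise ValueError("scale total has no variance; alpha is undefined")
    return k / (k - 1) * (1 - sum_item_var / total_var)


def average_variance_extracted(loadings):
    """AVE: mean of the squared standardized loadings of a construct's indicators."""
    return sum(l * l for l in loadings) / len(loadings)


def fornell_larcker(ave_by_construct, correlations):
    """Square root of AVE must exceed every correlation involving the construct.

    correlations: {(a, b): r} with each unordered pair listed once.
    Returns {construct: {"sqrt_ave": ..., "max_corr": ..., "ok": bool}}.
    """
    report = {}
    for name, ave in ave_by_construct.items():
        others = [r for (a, b), r in correlations.items() if name in (a, b)]
        max_corr = max(others) if others else 0.0
        root = sqrt(ave)
        report[name] = {"sqrt_ave": round(root, 3), "max_corr": max_corr,
                        "ok": root > max_corr}
    return report


def validate_measurement_model(items, loadings, correlations,
                               alpha_min=0.7, ave_min=0.5):
    """Run all three checks; returns one dict of results per construct."""
    ave = {c: average_variance_extracted(l) for c, l in loadings.items()}
    discriminant = fornell_larcker(ave, correlations)
    result = {}
    for c in loadings:
        alpha = cronbach_alpha(items[c])
        result[c] = {
            "alpha": round(alpha, 3), "alpha_ok": alpha >= alpha_min,
            "ave": round(ave[c], 3), "ave_ok": ave[c] >= ave_min,
            "sqrt_ave": discriminant[c]["sqrt_ave"],
            "max_corr": discriminant[c]["max_corr"],
            "discriminant_ok": discriminant[c]["ok"],
        }
    return result


# Constructed sample: two seven-point Likert indicators per construct, five respondents.
SAMPLE_ITEMS = {
    "security_benefits": [[1, 2, 3, 4, 5], [1, 2, 3, 5, 4]],
    "laws_regulations": [[2, 3, 4, 5, 6], [3, 3, 4, 5, 5]],
    "social_pressures": [[5, 4, 3, 2, 1], [5, 5, 4, 2, 1]],
}
# Constructed standardized loadings (security_benefits gives sqrt(AVE) ~ 0.76).
SAMPLE_LOADINGS = {
    "security_benefits": [0.78, 0.74],
    "laws_regulations": [0.71, 0.71],   # AVE 0.504: passes AVE, sqrt 0.71
    "social_pressures": [0.75, 0.75],
}
# Constructed inter-construct correlations (0.64 and 0.42 taken from the paper's range).
SAMPLE_CORRELATIONS = {
    ("security_benefits", "laws_regulations"): 0.64,
    ("security_benefits", "social_pressures"): 0.42,
    ("laws_regulations", "social_pressures"): 0.72,  # exceeds 0.71: discriminant fails
}

if __name__ == "__main__":
    for name, res in validate_measurement_model(
            SAMPLE_ITEMS, SAMPLE_LOADINGS, SAMPLE_CORRELATIONS).items():
        print(name, res)
```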

Table 2: The model constructs correlation.

The goodness-of-fit (GOF) measure is used to assess the validity of each single-factor model with various fit indices, such as normed chi-square (χ²/d.f.), normed fit index (NFI), non-normed fit index (NNFI), comparative fit index (CFI), goodness of fit index (GFI), standardized root mean square residual (SRMR), and root mean-square error of approximation (RMSEA). Table 3 presents the final GOF results for both the individual single-factor models and the full measurement model, all of which fall within the acceptable range.

Table 3: The GOF results.

5.2 A Structural Model

The significance of the structural model is tested using the path coefficients and the explanatory power (R²) for each dependent variable (Byrne, 2013). The hypothesized model contains five constructs; Figure 6 displays it with the path coefficient and the explanatory power (R²) for each dependent construct. All coefficients on hypothesized paths, except for the path coefficient from social pressures to management commitment, are found to differ significantly from zero (p < 0.05 or p < 0.01); the insignificant path is shown by the dotted line.

Figure 6

The hypothesised model results.

The results of the model indicate strong support for H1, H2, H3, H4, H6 and H7, with path coefficient values ranging from 0.42 to 0.74 (p < 0.05 or p < 0.01). The results reject H5, implying that social pressures have an insignificant effect on management commitment to information security in organizations. In terms of explanatory power, the model accounts for 76% of the variance in coercive pressures, 60% of the variance in normative pressures, 67% of the variance in mimetic pressures, and 70% of the variance in management commitment. With these results, the study concludes that all hypotheses except H5 are supported.

This study confirms the significance of institutional pressures for information security compliance in organizations. These pressures cause organizations to put in extra effort to maintain effective information security compliance in order to gain legitimacy from all stakeholders. The study has also confirmed the significance of coercive pressures and mimetic pressures in influencing management commitment towards information security compliance. It confirms the assumption that the greater the impact of coercive pressures exerted by regulatory agencies and of the mimetic pressures exerted through the security benefits observed among partners, the greater the commitment of senior management towards information security compliance. On the other hand, the insignificant effect of social pressures on management commitment towards information security compliance suggests that management commitment does not depend on the presence of social pressures in the external environment.

The study contributes to information security research by extending the current understanding of information security compliance in terms of the value of institutional pressures in fostering information security compliance in organizations. In practice, this study sheds light on how institutional pressures affect the information security compliance process in organizations. Such findings offer individual organizations valuable suggestions on how they can improve their information security compliance. They prompt management and security practitioners to give adequate consideration to the institutional pressures within their organizational environments when pursuing effective information security compliance.

6 Conclusion

This study proposes and validates a hypothesized conceptual model for evaluating the impact of institutional pressures on information security compliance in organizations. It shows strong support for six of the seven hypothesized relationships in the proposed conceptual model and no support for the remaining one. Specifically, this study demonstrates that institutional pressures have a positive impact on information security compliance in organizations. It clearly indicates that law and regulation and security benefits have a direct effect on management commitment towards information security compliance in organizations. Such findings underscore the importance of institutional pressures for effective information security compliance.

There are several limitations in this study which can be addressed in future work. First, some tangible measures of information security compliance could be considered. Second, the research findings remain limited, since they have been validated in a single country. Replicating this study in other countries with different organizational and cultural settings would therefore be a fruitful direction for assessing the generalizability of the findings. Third, further studies should consider incorporating technological and psychological factors in enforcing information security compliance in organizations.

Acknowledgment

This work is supported by the Natural Science Foundation of China (Grant #71473182).

References

  • Al-Kalbani, A., Deng, H., & Kam, B. (2015a). Investigating the role of socio-organizational factors in the information security compliance in organizations. Proceedings of the 26th Australasian Conference on Information Systems (ACIS 2015) (pp. 1-12). Adelaide, Australia.

  • Al-Kalbani, A., Deng, H., & Kam, B. (2015b). Organisational security culture and information security compliance for e-government development: the moderating effect of social pressure. Proceedings of the 19th Pacific Asia Conference on Information Systems (PACIS 2015) (pp. 1-11). Atlanta, GA, United States: Association for Information Systems (AIS).

  • Al-Kalbani, A., Deng, H., & Kam, B. (2014). A Conceptual Framework for Information Security in Public Organizations for E-Government Development. In F. B. Tan & D. Bunker (Eds.), Proceedings of the 25th Australasian Conference on Information Systems (ACIS 2014) (pp. 1-11). Auckland, New Zealand: Auckland University of Technology.

  • Appari, A., Johnson, M. E., & Anthony, D. L. (2009). HIPAA Compliance: An Institutional Theory Perspective. Proceedings of the American Conference on Information Systems, p. 252.

  • Kirsch, L. J., & Boss, S. R. (2007). The Last Line of Defense: Motivating Employees to Follow Corporate Security Guidelines. International Conference on Information Systems, ICIS 2007, 103.

  • Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.

  • Butler, T. (2003). An Institutional Perspective on Developing and Implementing Intranet- and Internet-Based Information Systems. Information Systems Journal, 13(3), 209-231.

  • Byrne, B. M. (2013). Structural Equation Modeling with AMOS: Basic Concepts, Applications, and Programming. New York: Routledge.

  • Cavusoglu, H., Cavusoglu, H., Son, J. Y., & Benbasat, I. (2015). Institutional pressures in security management: direct and indirect influences on organizational investment in information security control resources. Information & Management, 52(4), 385-400.

  • Cavalluzzo, K. S., & Ittner, C. D. (2004). Implementing Performance Measurement Innovations: Evidence from Government. Accounting, Organizations and Society, 29(3), 243-267.

  • Davidsson, P., Hunter, E., & Klofsten, M. (2006). Institutional forces: the invisible hand that shapes venture ideas? International Small Business Journal, 24(2), 115-131.

  • Delmas, M. A., & Toffel, M. W. (2008). Organizational responses to environmental demands: opening the black box. Strategic Management Journal, 29(10), 1027-1055.

  • Duan, X., Deng, H., & Corbitt, B. (2012). Evaluating the critical determinants for adopting e-market in Australian small-and-medium sized enterprises. Management Research Review, 35(3/4), 289-308.

  • DiMaggio, P., & Powell, W. W. (1983). The Iron Cage Revisited: Collective Rationality and Institutional Isomorphism in Organizational Fields. American Sociological Review, 48(2), 147-160.

  • Edwards, J. R., Mason, D. S., & Washington, M. (2009). Institutional Pressures, Government Funding and Provincial Sport Organisations. International Journal of Sport Management and Marketing, 6(2), 128-149.

  • Gupta, J. N., & Sharma, S. (2009). Handbook of Research on Information Security and Assurance (pp. 1-586). Hershey, PA: IGI Global.

  • Hair, J. F., Black, W. C., & Babin, B. J. (2010). Multivariate Data Analysis: A Global Perspective. New York: Pearson Education.

  • Herath, T., & Rao, H. R. (2009). Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organisations. European Journal of Information Systems, 18(2), 106-125.

  • Hovav, A., & D'Arcy, J. (2012). Does Culture Really Matter? A Cross-Cultural Analysis of Security Countermeasure Effectiveness based on Deterrence Theory. Information & Management, 49(2), 99-110.

  • Hu, Q., Hart, P., & Cooke, D. (2007). The Role of External and Internal Influences on Information Systems Security: A Neo-Institutional Perspective. The Journal of Strategic Information Systems, 16(2), 153-172.

  • Ifinedo, P. (2013). Information Systems Security Policy Compliance: An Empirical Study of the Effects of Socialization, Influence, and Cognition. Information & Management, 51(1), 69-79.

  • Information Security Compliance (ISC) (2015). Global Information Security Study. Retrieved July 16, 2016, from https://www.cybercompex.org/fileSendAction/fcType/0/fcOid/445471828686010375/filePointer/445471828686010530/fodoid/445471828686010527/frostsullivan-ISC2-global-information-security-workforce-2015.pdf

  • Kajava, J., Anttila, J., Varonen, R., Savola, R., & Röning, J. (2007). Senior Executives Commitment to Information Security: from Motivation to Responsibility. In Y. Wang, Y.-m. Cheung & H. Liu (Eds.), Computational Intelligence and Security: International Conference, CIS 2006, Guangzhou, China, November 3-6, 2006, Revised Selected Papers (pp. 833-838). Berlin, Heidelberg: Springer.

  • Kankanhalli, A., Teo, H.-H., Tan, B. C., & Wei, K.-K. (2003). An Integrative Study of Information Systems Security Effectiveness. International Journal of Information Management, 23(2), 139-154.

  • Kam, H. J., Katerattanakul, P., Gogolin, G., & Hong, S. G. (2013). Information Security Policy Compliance in Higher Education: A Neo-Institutional Perspective. Proceedings of the Pacific Asia Conference on Information Systems (PACIS 2013), 52, 271-273.

  • Karunasena, K., & Deng, H. (2009). A Conceptual Framework for Evaluating the Public Value of E-Government: A Case Study from Sri Lanka. Proceedings of the 20th Australasian Conference on Information Systems, Monash University, Melbourne.

  • Khansa, L., & Liginlal, D. (2007). The Influence of Regulations on Innovation in Information Security. Proceedings of the American Conference on Information Systems, p. 180.

  • Kim, D. J., Hwang, I. H., & Kim, J. S. (2016). A Study on Employee's Compliance Behavior towards Information Security Policy: A Modified Triandis Model. Journal of Digital Convergence, 14(4), 209-220.

  • Knapp, K. J., Marshall, T. E., Rainer, R. K., & Ford, F. N. (2006). Information Security: Management's Effect on Culture and Policy. Information Management & Computer Security, 14(1), 24-36.

  • Kolkowska, E., & Dhillon, G. (2012). Organizational Power and Information Security Rule Compliance. Computers & Security, 33, 3-11.

  • Lee, C., Lee, C. C., & Kim, S. (2016). Understanding Information Security Stress: Focusing on the Type of Information Security Compliance Activity. Computers & Security, 59, 60-70.

  • Liang, H., Saraf, N., Hu, Q., & Xue, Y. (2007). Assimilation of Enterprise Systems: the Effect of Institutional Pressures and the Mediating Role of Top Management. MIS Quarterly, 31(1), 59-87.

  • Luna-Reyes, L. F., & Gil-García, J. R. (2011). Using Institutional Theory and Dynamic Simulation to Understand Complex E-Government Phenomena. Government Information Quarterly, 28(3), 329-345.

  • Pahnila, S., Siponen, M., & Mahmood, A. (2007). Employees' Behavior towards IS Security Policy Compliance. Proceedings of the 40th Annual Hawaii International Conference on System Sciences.

  • Reddy, D. S., & Rao, S. V. (2016). Cybersecurity skills: The moderating role in the relationship between cybersecurity awareness and compliance. In AMCIS 2016: Surfing the IT Innovation Wave - 22nd Americas Conference on Information Systems. Association for Information Systems.

  • Safa, N. S., Von Solms, R., & Furnell, S. (2016). Information Security Policy Compliance Model in Organizations. Computers & Security, 56, 70-82.

  • Scott, W. R. (2013). Institutions and Organizations: Ideas, Interests, and Identities. California: Sage Publications.

  • Shaw, R. M. (2012). The influence of organizational culture on employee attitudes towards information security policy. Dissertations & Theses - Gradworks, 10(5), 67-78.

  • Siponen, M., Pahnila, S., & Mahmood, A. (2007). Employees' Adherence to Information Security Policies: An Empirical Study. In New Approaches for Security, Privacy and Trust in Complex Environments (pp. 133-144). Springer.

  • Siponen, M., Pahnila, S., & Mahmood, M. A. (2010). Compliance with Information Security Policies: An Empirical Investigation. Computer, 43(2), 64-71.

  • Smith, S., & Jamieson, R. (2006). Determining Key Factors in E-Government Information System Security. Information Systems Management, 23(2), 23-32.

  • Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2012). The Relationship between Internal Audit and Information Security: An Exploratory Investigation. International Journal of Accounting Information Systems, 13(3), 228-243.

  • Tassabehji, R., Elliman, T., & Mellor, J. (2007). Generating Citizen Trust in E-Government Security: Challenging Perceptions. International Journal of Cases on Electronic Commerce, 3(3), 1-17.

  • Ullah, K. W., Ahmed, A. S., & Ylitalo, J. (2013). Towards Building an Automated Security Compliance Tool for the Cloud. IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 8, 1587-1593.

  • Vance, A., Siponen, M., & Pahnila, S. (2012). Motivating IS Security Compliance: Insights from Habit and Protection Motivation Theory. Information & Management, 49(3), 190-198.

  • Von Solms, S. (2005). Information Security Governance: Compliance Management vs Operational Management. Computers & Security, 24(6), 443-447.

  • Warkentin, M., Johnston, A. C., & Shropshire, J. (2011). The Influence of the Informal Social Learning Environment on Information Privacy Policy Compliance Efficacy and Intention. European Journal of Information Systems, 20(3), 267-284.

  • Zhang, J., Dawes, S. S., & Sarkis, J. (2005). Exploring Stakeholders' Expectations of the Benefits and Barriers of E-Government Knowledge Sharing. Journal of Enterprise Information Management, 18(5), 548-567.

About the article

Received: 2017-04-02

Accepted: 2017-05-04

Published Online: 2017-12-29
Citation Information: Data and Information Management, Volume 1, Issue 2, Pages 104–114, ISSN (Online) 2543-9251, DOI: https://doi.org/10.1515/dim-2017-0006.


© 2017 Ahmed AlKalbani et al. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License (BY-NC-ND 3.0).
