Litcius/Paper detail

Beyond technical measures: a value-focused thinking appraisal of strategic drivers in improving information security policy compliance

Charlette Donalds, Corlane Barclay

2021European Journal of Information Systems28 citationsDOI

Abstract

The evolving sophistication of threats and the impact of security breaches have caused managers to continually grapple with strategies to reduce these risks. One common security control is the adoption of information security policies (ISPs) geared at improving employees’ compliance behaviour. However, there is mounting empirical evidence that shows that ISP compliance is a challenging undertaking with less than satisfactory outcomes. Further, little attention is placed on developing economies in the study of this phenomenon. This research adopts a values-based methodology to determine fundamental and means objectives in maximising employees’ compliance with ISPs in a developing economy context. The research identifies 30 objectives and demonstrates that risk mitigation, people, technical and organisational factors are essential to improving compliance. The results contribute objectives, contextualised to the people for whom the results are relevant, thus promoting deeper understanding. The research offers utility to managers in the design and implementation of InfoSec strategies and policies. The findings can also inform investment decisions regarding compliance tools, methods and technologies. Recognising that security (information and cyber) threats are a global dilemma, we contend that investigating forms of security risks and potential solutions can mitigate the social and economic costs of security incidents.

Topics & Concepts

SophisticationInformation securityBusinessInformation security managementInformation security standardsCompliance (psychology)Context (archaeology)Risk analysis (engineering)Information technologyEmpirical researchKnowledge managementSecurity managementComputer securityProcess managementSecurity information and event managementComputer scienceCloud computing securitySecurity serviceNetwork security policyFinanceEpistemologySociologyOperating systemPhilosophyCloud computingBiologySocial psychologyPaleontologySocial sciencePsychologyInformation and Cyber SecurityCybercrime and Law Enforcement StudiesInformation Technology Governance and Strategy
Beyond technical measures: a value-focused thinking appraisal of strategic drivers in improving information security policy compliance | Litcius