Title
Technical opinion: Are employees putting your company at risk by not following information security policies?
Abstract
Careless employees who do not follow information security policies constitute a serious threat to their organization. We conducted a field survey in order to understand which factors help towards employees' compliance with these security policies. Our research shows that the visibility of the desired practices and the normative expectations of peers provide a solid foundation for employees complying with these policies. Our research also shows that if employees realize how vulnerable their organization is to security threats, and how severe these threats are, they are likely to have a strong intention to comply with information security policies. Finally, employees' self-efficacy and response efficacy motivate them to comply with these policies. This article provides an information security strategic plan that puts together the various best practices we found in our survey and shows how these practices can be used to alleviate employees' non-compliance with organizational security policies.

Information security breaches can cause serious damage to organizations. Such breaches can cause irreparable harm by shutting down computers, forcing businesses to lose potential revenue, or by leaking corporate confidential information and customer data, possibly making corporations vulnerable to legal and regulatory problems and bad publicity [4,5]. Most organizations encounter more than one information security breach in a given year [2]. Prior information security research suggests that 91% of organizations' own employees frequently fail to adhere to information security policies [2], paving the way for such breaches. To tackle this situation, a number of suggestions have been made in the literature to help ensure employees' compliance with security policies. Commentators have, however, pointed out a series of weaknesses in the existing approaches. They suggest that these approaches lack empirical evidence on their effectiveness in practice.
Because practitioners need empirically validated information, it is extremely important that we study employees' non-compliance with information security policies using field research. In order to understand why employees are careless about following security policies, and which factors are important toward employees' compliance with these policies, we conducted a field survey of information security professionals from five Finnish companies operating in different lines of business. The survey instrument was developed based on a theoretical model derived from behavioral theories, including the Theory of Reasoned Action [1] and Protection Motivation Theory [3]. Since employees' compliance with information security policies is ultimately a psychological phenomenon, we find these theories useful in understanding how organizations can help their employees comply with these security policies. We show how these theories offer new and practical insight into what motivates employees to comply with these policies. Some 3130 employees from four Finnish corporations were asked to fill out a Web-based information security instrument. Of these, 919 filled out the questionnaire, resulting in a 29.4% response rate. The demographic data show that the numbers of male (56.1%) and female (43.1%) respondents are fairly evenly distributed. In order to test our model, we analyzed the field survey responses using factor analysis and multiple regression analysis. All constructs were found to have an acceptable level of reliability and validity, confirming the soundness of the measuring instrument.
Year: 2009
DOI: 10.1145/1610252.1610289
Venue: Commun. ACM
Keywords: information security policy, security threat, prior information security research, technical opinion, web-based information security instrument, information security breach, security policy, organizational security policy, information security professional, information security strategic plan, information security policies, empirical evidence, multiple regression analysis, response rate, factor analysis, best practice, information security, strategic planning, self efficacy
Field: Computer science, Information security standards, Public relations, Information security, Knowledge management, Theoretical computer science, Information security management, Critical security studies, Security policy, Information security audit, Line of business, Security management
DocType: Journal
Volume: 52
Issue: 12
ISSN: 0001-0782
Citations: 20
PageRank: 0.70
References: 4
Authors (3):
  Order  Name               Citations  PageRank
  1      Mikko T. Siponen   1082       64.28
  2      M. Adam Mahmood    193        9.61
  3      Seppo Pahnila      738        23.82