CHAPTER 2: LITERATURE REVIEW

2.11 Information Security Policy

impact on the protection of information in any public organisation. If the user of an IT system gives a password to unauthorised personnel, this can lead to a cyber-attack (Taylor and Bean, 2017). Cyber-attacks can have an adverse effect on public organisations, as they can encrypt or alter essential business information (Heckmann, Comes and Nickel, 2015). Any of these illegal activities can cause financial loss or loss of reputation for a public organisation. Hence, users of IT systems in a public organisation must be aware of the IS policies (Sheeran and Rivis, 2017). The policies are very significant in addressing the security threats that come from an uninformed or careless workforce.

The main objectives of an IT security policy are the confidentiality, integrity and availability of the information used by the organisation’s staff. Information security policies are linked to subjective norms and attributes, as changes in a policy may bring about organisational change, which may in turn result in violations within the organisation (Teh et al., 2015). Personal norms, information security standards, benefits, attitudes and values all shape how employees perceive information security issues and those related to the information security policies. Privacy is achieved through two approaches: protecting the organisation’s operational practices, and maintaining and controlling data management procedures throughout the product lifecycle (Crossler et al., 2013). These approaches are used to promote employees’ information security awareness, which is implemented through an effective educational programme. Training is provided to promote and enhance information security.

2.11.2 User Behaviour Related to the Information Security Policy

In the field of information security, the human factor is considered a vulnerability, and an unpredictable one. Heckmann, Comes and Nickel (2015) noted that the human factor is the variable that is hardest to control. Most information security issues arise from the human factor and human error. Humphries (2017) argued that, when an organisation deals with the human factor, the method for bringing staff to the right level of commitment is based on information security policies. The policies contain an assessment of the security behaviour of people in general and of individual employees. Kim et al. (2014) suggested that, once a level of compliance with and acceptance of the security policies exists, control over the human factor can be measured as a means of achieving the success of the information security policies.

Teh et al. (2015) named the levels of compliance relating to information security policies and user behaviour. The first compliance level is culture, which means that security is a natural part of individuals’ daily behaviour. The second is commitment, which means that security is not yet part of the users’ behaviour; such users need to be given guidance and leadership in order to understand the information security policies properly. The third level, obedience, is where users need to be instructed rather than merely guided. Gerber et al. (2016) stated that awareness is the level at which users can become aware of the security risks and threats and yet still present a high level of adverse effects from security incidents. The fourth level is awareness, where users are required to be aware of the security risks and to show the required behaviour. Ignorance is the fifth level, where users are not aware of the security risks and therefore represent a high risk of accidental adverse effects. The sixth compliance level is apathy, where users are aware of their role in preventing security threats but do not act as that role requires. Hsu et al. (2015) described the seventh level, resistance, in which users are aware of their security role but work against aspects of the security practices. Disobedience is the final compliance level, where users break information security rules and fail to comply with the security controls.

2.11.3 Compliance with the Information Security Policy

Information security policy compliance protects the information assets of public organisations. Information security has a significant effect on employee attitudes towards compliance with organisational security policies (Sinha, 2015). Employee attitude, in turn, has a significant effect on behavioural intention regarding compliance with information security.

Kampas et al. (2016) showed that compliance is a key factor in reducing risks. Understanding employees’ compliance behaviour is a step towards leveraging the workforce as an asset in reducing those risks.

The main aim of these policies is to provide employees with guidelines on securing information resources while they perform their jobs.

Employee compliance is required to prevent and reduce the misuse of information system resources, as well as abuse by insiders (Safa et al., 2016). Behavioural theories are employed to study people’s intentions to comply with measures that prevent the misuse of an information system.

Therefore, public organisations need to take proper action to address the associated information security issues.

Pearlson et al. (2016) stated that professionals are dedicated to maintaining the confidentiality of organisational information, yet they are resistant to maintaining information security environments. Based on the theory of planned behaviour and protection motivation theory, the behavioural factors that influence compliance with the information security policy can be identified. According to the theory of planned behaviour, people’s attitudes towards compliance and their beliefs are held to determine their intention to comply with the information security policy. According to protection motivation theory, expected efficacy affects compliance intentions. Taylor et al. (2014) stated that the main requirement of their study was to identify the human-factor perspectives on information security that connect end users’ behaviours with compliance with the information security policy within an organisation. Mistakes and human errors must be mitigated in order to achieve a proper information security policy.