Original Articles

Employees’ BYOD Security Policy Compliance in the Public Sector


