The COVID-19 era brought a crucial issue within many organizations – the lack of relevant information security protocols. Even before the virus outbreak, according to Duffy (2020), “attacks against healthcare entities were 350% higher in the fourth quarter of 2019 than they were in the fourth quarter of 2018” (p. 1). The necessity to transfer employees to remote workplaces created a new set of vulnerabilities that were exploited by hackers and scammers, who took advantage of the situation (Duffy, 2020). Although the Cybersecurity and Infrastructure Security Agency provided advice for organizations that handle personal digital data regarding the methods for prevention of cyberattacks, the necessity for more advanced information security measures remains pressing.
There is a definite need to analyze the actions of organizations towards higher information security standards and protection measures. Nowadays, a significant portion of the valuable assets of companies consists of digital data, which opens them up to threats from both inside and outside actors (Moody et al., 2018). Information security can be defined as a set of processes and policies that exist to protect information from unauthorized access (Choi et al., 2018). Any organization needs to follow this organizational strategy to prevent leaks of commercial data to its competitors and to protect its customers’ and employees’ privacy (Hwang et al., 2017). With an ever-expanding set of tools provided by the newest information technologies, organizations must examine every possible avenue for data leaks.
Many organizations struggle to extend information security beyond IT-related breaches and to take human error into account. Choi et al. (2018) state that “organizations increasingly focus on implementing information security products such as anti-virus, intrusion detection, and prevention systems, total PC security, database/contents security, total security systems and public key infrastructure” (p. 756). However, Choi et al. (2018) also state that “information security requires a strategy that orchestrates structured actions, policy and governance to protect organisational information assets” (p. 756). Despite this apparent necessity, Pérez-González et al. (2019) state that the lack of internal protection creates “more damage and losses than security incidents caused by outsiders” (p. 1263). Moreover, Pérez-González et al. (2019) reveal that “government programs and grants to help companies improve information security focus on supporting companies in the purchase of hardware and software technology solutions, without paying attention to organizational issues” (p. 1271). This study aims to fill the gap between the technical measures of information protection and the company’s information security policies for employees.
Why Do Employees Not Comply with Security Policy?
To understand the effects of information security policies on compliance, researchers must examine the reasons for non-compliance. These reasons include organizational and individual security factors, which will be described separately. Individual security factors include the impairment of workflow, the negative attitude of peers towards information security, and security system anxiety (Hwang et al., 2017). According to Hwang et al. (2017), organizational factors consist of “security systems, security education, and security visibility” (p. 2). Organizations should consider these factors to create efficient information security protocols.
Workers can ignore specific security policies when completing their tasks because those policies are unwieldy. Work impediment refers to an adverse impact of the implemented security measures on task completion (Hwang et al., 2017). Such impediments can also stem from insufficient training or from the very policies that are implemented to protect data. Security system anxiety can come from the unwillingness of a worker to report security incidents due to the fear of punishment (Hwang et al., 2017). Moreover, such anxiety can appear due to the complexity of information security systems or the lack of employees’ understanding of their functions (Hwang et al., 2017). The third primary source of non-compliance behavior is the social pressure from other employees. Employees’ behavior is affected by their peers, which includes the attitude of the collective towards information security. Workers feel more confident in following security instructions when they observe their peers doing the same (Hwang et al., 2017). A company needs to assess its organizational culture to identify such issues.
Organizational factors refer to the reasons for unintended data exposure due to inadequate security policies and technologies. Ideally, a company must implement a security system that prevents both external attempts to gain unlawful access to information and the sharing of that information by employees (Hwang et al., 2017). The integrity of a security system affects all levels of individual compliance factors (Hwang et al., 2017). An easy-to-use system reduces employees’ anxiety when interacting with it.
The lack of education about the topic among workers is a significant source of unintentional data leaks. It is up to an organization to educate its employees on the subject of data security, as any person with access to the internal network can be a potential threat (Hwang et al., 2017). Moreover, untrained staff will not be able to respond efficiently to an ongoing data loss, which will add to the damage and cause more anxiety, potentially promoting non-compliant behavior if left unattended (Moody et al., 2018). The third major factor is the visibility of security measures, which implies the need for continuous promotion of correct behavior to remind employees about digital safety (Hwang et al., 2017). These factors show that the efforts of an organization play a crucial role in its protection against data breaches.
Factors Influencing Information Security Performance
Several crucial aspects define how strictly employees can pursue information security within the organization. The intentions of employees to comply with data security policies can be influenced by organizational investment in this strategy (Hwang et al., 2017). However, before examining potential solutions to the problem, it is essential to investigate what factors influence the ability of the existing information security measures to cover all sources of data leaks.
The rapid development of IT technologies leads to the creation of a highly efficient, albeit complex, way to organize business tasks and activities. This approach to data management, however, requires constant maintenance and updates, and therefore has to be researched. Pérez-González et al. (2019) argue that “experts face similar problems in this domain and they should provide proper solutions for them, preventing the development of the same solutions for similar problems by means of sharing knowledge” (p. 1264). Information security knowledge sharing not only decreases the costs of developing new means of protection but also increases the efficiency of current ones by adding to the knowledge of potential threats (Pérez-González et al., 2019). Shared studies cover a more extensive range of leaks, which benefits all companies.
The second factor – information security education – stems from these studies. Personnel with an adequate level of knowledge of information security add to a company’s safety, while employees who lack this training are likely to become a source of a data breach (Pérez-González et al., 2019). Employees’ training must be specific, based on the latest studies, easily accessible, and assessed for knowledge retention (Pérez-González et al., 2019). Studies by Peikari et al. (2018) show that “training can increase staff knowledge and awareness about the threats and consequences of a security breach, leading to the prevention of such incidents” (p. 3). However, Peikari et al. (2018) state that “organizations do not usually employ security trained staff, which leads to vulnerabilities in their information security” (p. 3). Knowledge retention can be a significant issue in a company whose organizational culture is weak and where the pressure from non-compliant peers is high. The efforts of an organization to promote compliant behavior add to the training employees receive regarding information security (Pérez-González et al., 2019). Companies must refer to these three interconnected factors when developing their information security systems and protocols.
Another layer of security protection that is essential for a company is the physical protection of access points. This type of defense against unauthorized data access relies on both people and technology to stop intruders (Peikari et al., 2018). Technological means of physical protection often require additional input from an organization in the form of security guards. Peikari et al. (2018) argue that “employee monitoring and surveillance reduces the likelihood of an employee-related security breach by increasing their perceived certainty and severity of punishments” (p. 3). These factors, when appropriately implemented, can significantly boost the performance of security systems.
Ethics play an important role in the efficiency of security measures. Employees must understand that it is up to them to take responsibility for the safety of the personal information of their customers and the organization (Peikari et al., 2018). Moreover, the ethical practices of an organization increase customers’ trust towards it (Peikari et al., 2018). Efficient information security measures that customers can observe positively affect their attitude towards that organization, making them less likely to reject these beneficial policies and technologies (Peikari et al., 2018). Peikari et al. (2018) argue that “many of the security and privacy threats could be prevented if the computer users observed the ethical standards in the other interacting parties” (p. 5). Companies must promote and uphold high ethical standards regarding information security to achieve the highest performance of their protection systems.
While the focus of the paper is on the non-technological means of information security, technical protection remains a crucial factor in the ability of a company to prevent unauthorized access. High levels of technical protection convey the value that the company places on data security (Peikari et al., 2018). This perception increases both customers’ trust in the company and employees’ compliance levels, as their attitude towards the importance of information security improves (Peikari et al., 2018). While companies tend to pay significantly closer attention to this factor, it is only a part of a larger structure.
Implications for Practice
Organizations that aim to raise their information security levels should continuously evaluate what factors affect the compliance rates of their employees. The needs and goals of the information security framework must incorporate both technical and social aspects related to the potential data leaks, and both means must stay up to date. As new threats continue to emerge, the ability of a company to adapt to the changing digital environment relies heavily on its information security systems.
As shown in the previous paragraphs, it is impossible to overestimate the importance of employees’ education regarding information security. It is the primary source of security improvement among non-technological interventions and must be the first choice to be utilized in practice (Peikari et al., 2018). Hwang et al. (2017) state that “continuous education on security processes, behaviors, and performance may reduce system anxiety regarding security behaviors and the non-compliance of peers” (p. 13). To achieve a high level of information security, an organization must work towards reducing the adverse impact of security measures on workflow.
It is beneficial for an organization to heed the suggestions of its employees regarding information security policies in order to find new potential for improvement. Employees must be encouraged to express their grievances regarding the interference of information security policies with their work so that impediments can be reduced (Hwang et al., 2017). Hwang et al. (2017) add that “a good mix of investment in security systems, education, and visibility may lead to the favorable compliance of employees” (p. 14). To reduce information security anxiety and non-compliance among peers, companies can use motivational materials, such as posters, and provide guidelines to promote safety policies (Hwang et al., 2017). Technical means of monitoring can offer a small yet efficient boost to compliance rates as well.
Technological means must be able to support the standards set by the company. In practice, it is impossible to achieve a high level of information security when means of protection rely solely on employees’ responsibilities; technologies must operate in synergy with workers (Peikari et al., 2018). Both customers and employees are more likely to perceive their private information and the company’s data as well-secured when they observe advanced methods of physical protection of information, such as electronic locks, CCTV, and others (Peikari et al., 2018). In practice, the standards of data security must be equal between the efforts of employees and the technological solutions.
While technical solutions implemented by companies can sometimes cover personal device usage as an area of potential breach, employees need to adhere to the device usage rules while browsing the organization’s internal network. To support this policy, additional training to achieve proper behavior can be implemented. However, safeguard measures, such as VPN and multi-factor authentication, can provide an extra layer of information security when dealing with unauthorized access to the company’s network (Duffy, 2020). The company cannot always rely on digital solutions, and ethical standards regarding personal devices must be set in place.
The study of the most popular approaches to information security management by Moody et al. (2018) led to a proposal of the Unified Model of Information Security Policy Compliance (UMISPC) based on the most efficient practices. Their research shows that several methods that aim to instill a proper attitude towards information security in employees are more efficient than others. They support the recurrent evidence that education is the most efficient source of improvement, while rewards, monitoring, and social factors have less impact on compliance rates (Moody et al., 2018). On this basis, Moody et al. (2018) argue that companies have “the need for ISS regulative actions (e.g., user guidelines or procedures) that match the context of the employees’ work and their work tasks” (p. 308). Again, in practice, training is shown to be the most efficient tool for information security.
Moreover, a company needs to create a clear set of mandatory requirements and outline what punishments can be expected for non-compliance with information security policies. The studies reviewed by Moody et al. (2018) “have highlighted that individuals choose to engage in protective information security behaviors due to a perceived fear felt because of a perceived threat” (p. 301). A firm must also take into account monitoring and control and include technical means of detection of non-compliance incidents.
A clear explanation of the goals of implemented practices can help with knowledge retention regarding the necessity of data security. Information assets of a company must be clearly defined and marked as such, and proper monitoring of access to these assets must be set in place (Choi et al., 2018). Employees who understand the consequences of leaks of confidential data for the organization and for themselves are more likely to behave compliantly (Moody et al., 2018). In practice, managers can define what responsibilities related to IT security an employee has and what consequences inappropriate data handling can have in his or her specific case.
To achieve higher efficiency of data leak prevention measures, organizations must be encouraged to cooperate with other companies in their industry, as well as with researchers. A firm must share the information security knowledge it has generated to help with the development of new tools and strategies (Choi et al., 2018). The overall cost-efficiency of information security measures will rise as more sophisticated ways of protection are invented.
While dealing with the factors that affect employees’ compliance with information security policies is a crucial step in improving data protection systems, a company must first set an efficient framework for it. The company must determine its goals and pursue them first, and deal with the reduction of the adverse factors that arise from the framework’s existence later (Choi et al., 2018). Compliance intentions must be evaluated, and the work towards eliminating the adverse factors should start after the company’s valuable assets have been put under protection. This also implies that information security systems must be flexible enough to adapt to the needs of the organization and its employees.
In conclusion, the efforts of organizations in implementing and upholding a high standard of information security among employees are as essential as the technical capabilities for the protection of the firm’s software and hardware. Employees’ knowledge about information security and their willingness to comply with the company’s standards are as crucial for an organization as a protected business network. Teaching information security is especially vital in countering the recent surge of hacking and scamming attempts on businesses caused by the global transition to remote workplaces.
The much-needed attention to the topic has produced many new insights into the optimal strategies for data security. In recent times, there has been a trend for increased investment in managerial approaches that aim to increase employee compliance, which has raised interest in researching non-technical means of information security (Hwang et al., 2017). These studies show that the information security of a company cannot consist solely of technical means of protection (Moody et al., 2018). Moreover, employees’ compliance with security policies demands the same level of attention, including support and updates via advertisement-like reminders and training courses (Moody et al., 2018).
In practice, a company must adhere to the implications of the studies reviewed in this paper and pay equal attention to non-technical solutions for data security. Newly emerged methods to achieve high compliance rates show that both the individual and the organizational factors that add to non-compliance can be addressed with two primary sources of improvement: technical protection and training courses (Moody et al., 2018). The UMISPC proposed by Moody et al. (2018) depicts in a simulation the weight of each factor, confirming the importance of educating employees in information security. The use of physical and technical protection together with highly trained, ethical personnel who demonstrate their intention to ensure the safety of customers’ data are essential components that shape customers’ trust (Peikari et al., 2018). Motivated workers can benefit the company and help their peers uphold the standards of compliance.
This paper has covered the primary factors that need to be taken into consideration and shows that they are interconnected. The performance of technical means of protection is limited by the ability of the company’s employees to assist, and to get assistance from, protection utilities in stopping data leaks (Pérez-González et al., 2019). Therefore, the primary goal of any organization that deals with sensitive data is to establish this connection and teach its employees how to interact with an information security system. Companies must pay roughly equal attention to each factor to achieve the best result possible. Not only does compliance reduce the threat of losses from unauthorized access to the company’s private data, but it also positively affects its reputation.
Choi, S., Martins, J. T., & Bernik, I. (2018). Information security: Listening to the perspective of organisational insiders. Journal of Information Science, 44(6), 752-767. Web.
Duffy, K. (2020). Protecting health information in the COVID-19 era. Briefings on HIPAA, 20(5).
Hwang, I., Kim, D., Kim, T., & Kim, S. (2017). Why not comply with information security? An empirical approach for the causes of non-compliance. Online Information Review, 41(1), 2-18. Web.
Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285-311. Web.
Peikari, H. R., Ramayah, T., Shah, M. H., & Lo, M. C. (2018). Patients’ perception of the information security management in health centers: The role of organizational and human factors. BMC Medical Informatics and Decision Making, 18(1). Web.
Pérez-González, D., Preciado, S. T., & Solana-Gonzalez, P. (2019). Organizational practices as antecedents of the information security management performance. Information Technology & People, 32(5), 1262-1275. Web.