A Model of Information Security Policy Compliance for Public Universities: A Conceptual Model

  • AngrainiEmail author
  • Rose Alinda Alias
  • Okfalisa
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 1073)


The university is an organization that manages much public information, and therefore, information security policies are developed to ensure data security. However, during implementation still founded disobey behavior user and has an impact on data security. The previous research has been conducted to find influencing factor user comply with information security, although some model and theories still limited to implementation. There is a lack of researchers combine behavioral theory and organizational theory to develop models and previous model inadequate to universities that have unique characteristics. This study aims to explore and identify factors that influence information security compliance and continue to develop conceptual models for assessing information security policies. This conceptual model creates based on a systematic literature review and preliminary study. The results in the conceptual model found several variables, namely habits, attitudes, moral beliefs, self-efficacy from behavioral theories and human culture, commitment, rewards, costs can be used to evaluate user compliance with information security policies. Conceptual will be tested further to contribute to help universities to ensure and assess users to comply with information security policies.


Information security Security policy Compliance User behavior 


  1. 1.
    Bélanger, F., Collignon, S., Enget, K., Negangard, E.: Information & management determinants of early conformance with information security policies. Inf. Manag. 54, 887–901 (2017)CrossRefGoogle Scholar
  2. 2.
    Han, J.Y., Kim, Y.J., Kim, H.: An integrative model of information security policy compliance with psychological contract: examining a bilateral perspective. Comput. Secur. 66, 52–65 (2017)CrossRefGoogle Scholar
  3. 3.
    Pahnila, S., Siponen, M., Mahmood, A.: Which factors explain employees’ adherence to information security policies? An empirical study. In: Pacis 2007 Proceedings, pp. 438–439 (2007)Google Scholar
  4. 4.
    Siponen, M., Adam Mahmood, M., Pahnila, S.: Employees’ adherence to information security policies: an exploratory field study. Inf. Manag. 51, 217–224 (2014)CrossRefGoogle Scholar
  5. 5.
    Nasir, A., Arshah, R.A., Ab Hamid, M.R.: Information security policy compliance behavior based on comprehensive dimensions of information security culture. In: Proceedings of 2017 International Conference on Information System and Data Mining. - ICISDM 2017, pp. 56–60 (2017)Google Scholar
  6. 6.
    Abed, J., Dhillon, G., Ozkan, S.: Investigating continuous security compliance behavior : insights from information systems continuance model. In: Twenty-second Americas Conference on Information Systems, San Diego, pp. 1–10 (2016)Google Scholar
  7. 7.
    Humaidi, N., Balakrishnan, V.: Leadership styles and information security compliance behavior: the mediator effect of information security awareness. Int. J. Inf. Educ. Technol. 5, 311–318 (2015)Google Scholar
  8. 8.
    Doherty, N.F., Tajuddin, S.T.: Towards a user-centric theory of value-driven information security compliance. Inf. Technol. People 31, 348–367 (2018)CrossRefGoogle Scholar
  9. 9.
    Hwang, I., Kim, D., Kim, T., Kim, S.: Why not comply with information security? An empirical approach for the causes of non-compliance. Online Inf. Rev. 41, 2–18 (2017)CrossRefGoogle Scholar
  10. 10.
    Andress, J., Winterfeld, S.: Cyber Warfare Techniques, Tactics and Tools for Security Practitioners, vol. 2. Elsevier Inc., Waltham (2014)Google Scholar
  11. 11.
    Gikas, C.: A general comparison of FISMA, HIPAA, ISO 27000 and PCI-DSS standards. Inf. Secur. J. Glob. Perspect. 19, 132–141 (2010)CrossRefGoogle Scholar
  12. 12.
    Katz, F.H.: The effect of a university information security survey on instruction methods in information security. In: Proceedings of 2nd Annual Conference on Information Security Curriculum Development, pp. 43–48 (2005)Google Scholar
  13. 13.
    Ayyagari, R., Tyks, J.: Disaster at a university: a case study in information security. J. Inf. Technol. Educ. Innov. Pract. 11, 85–96 (2012)Google Scholar
  14. 14.
    BS ISO/IEC: ISO 27001 - Information Technology Security Techniques Information Security Management Systems, Requirements (2005)Google Scholar
  15. 15.
    Sommestad, T., Hallberg, J., Lundholm, K., Bengtsson, J.: Variables influencing information security policy compliance: a systematic review of quantitative studies. Inf. Manag. Comput. Secur. 22, 42–75 (2014)CrossRefGoogle Scholar
  16. 16.
    NIST: Glossary of Key Information Security Terms [NISTIR 7298 Rev 2] (2013)Google Scholar
  17. 17.
    Calder, A., Watkins, S.: It Governance an International Guide to Data Security and ISO 27001/ISO27002, vol. 6. Kopan Page, UK (2015)Google Scholar
  18. 18.
    Barry, L.: Information Security Policy Development for Compliance. CRC Press/Taylor & Francis Group, Boca Raton (2013)Google Scholar
  19. 19.
    Ross, R.S.: Assessing security and privacy controls in federal information systems and organizations: building effective assessment plans, pp. 1–487. NIST Special Publication (2014)Google Scholar
  20. 20.
    Sommestad, T., Karlzén, H., Hallberg, J.: The theory of planned behavior and information security policy compliance. J. Comput. Inf. Syst. 00, 1–10 (2017)Google Scholar
  21. 21.
    Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M., Baskerville, R.: Future directions for behavioral information security research. Comput. Secur. 32, 90–101 (2013)CrossRefGoogle Scholar
  22. 22.
    Vroom, C., Von Solms, R.: Towards information security behavioural compliance. Comput. Secur. 23, 191–198 (2004)CrossRefGoogle Scholar
  23. 23.
    Kankanhalli, A., Teo, H.H., Tan, B.C.Y., Wei, K.K.: An integrative study of information systems security effectiveness. Int. J. Inf. Manag. 23, 139–154 (2003)CrossRefGoogle Scholar
  24. 24.
    Chang, S.E.: Organizational factors to the effectiveness of implementing information security management (2006)Google Scholar
  25. 25.
    Lowry, P.B., Posey, C., Bennett, R.B.J., Roberts, T.L.: Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: an empirical study of the influence of counterfactual reasoning and organisational trust. Inf. Syst. J. 25(3), 193–273 (2015)CrossRefGoogle Scholar
  26. 26.
    Alshare, K.A., Lane, P.L., Lane, M.R.: Information security policy compliance: a higher education case study. Inf. Comput. Secur. 26, 91–108 (2018)CrossRefGoogle Scholar
  27. 27.
    Doherty, N.F., Anastasakis, L., Fulford, H.: The information security policy unpacked: a critical study of the content of university policies. Int. J. Inf. Manag. 29, 449–457 (2009)CrossRefGoogle Scholar
  28. 28.
    Hina, S., Dominic, D.D.: Information security policies: investigation of compliance in universities. In: 2016 3rd International Conference on Computer and Information Sciences. In: Proceedings, ICCOINS 2016, pp 564–569 (2016)Google Scholar
  29. 29.
    Bamberg, S., Schmidt, P.: Incentives, morality, or habit? Predicting students’ car use for University routes with the models of Ajzen, Schwartz, and Triandis. Environ. Behav. 35, 264–285 (2003)CrossRefGoogle Scholar
  30. 30.
    Moody, G.D., Siponen, M., Pahnila, S.: Toward a unified model of information security policy compliance. MIS Q. 42, 285–311 (2018)CrossRefGoogle Scholar
  31. 31.
    Sohrabi Safa, N., Von Solms, R., Furnell, S.: Information security policy compliance model in organizations. Comput. Secur. 56, 1–13 (2016)CrossRefGoogle Scholar
  32. 32.
    Gerber, N., McDermott, R., Volkamer, M., Vogt, J.: Understanding information security compliance - why goal setting and rewards might be a bad idea. In: International Symposium on Information Assurance and Security, HAISA 2016, vol. 10, pp. 145–155 (2016)Google Scholar
  33. 33.
    Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34, 523–548 (2010)CrossRefGoogle Scholar
  34. 34.
    Kajtazi, M., Cavusoglu, H., Benbasat, I., Haftor, D.: Escalation of commitment as an antecedent to noncompliance with information security policy. Inf. Comput. Secur. 26, 171–193 (2018)CrossRefGoogle Scholar
  35. 35.
    Sharma, S., Warkentin, M.: Do I really belong? Impact of employment status on information security policy compliance. Comput. Secur. (2018)Google Scholar
  36. 36.
    Sommestad, T.: Social groupings and information security obedience within organizations. In: International Federation for Information Processing, pp. 325–338 (2015)Google Scholar
  37. 37.
    Arage, T., Belanger, F., Beshah, T.: Influence of national culture on employees’ compliance with information systems security (ISS) policies: towards ISS culture in Ethiopian companies. In: AMCIS 2015 Proceedings, pp. 1–7 (2015)Google Scholar
  38. 38.
    Amankwa, E., Loock, M., Kritzinger, E.: Establishing information security policy compliance culture in organizations. Inf. Comput. Secur. 26, 420–436 (2018)CrossRefGoogle Scholar
  39. 39.
    Kajtazi, M., Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Assessing sunk cost effect on employees’ intentions to violate information security policies in organizations. In: Proceedings of Annual Hawaii International Conference on System Sciences, pp. 3169–3177 (2014)Google Scholar
  40. 40.
    Sommestad, T., Karlzén, H., Hallberg, J.: The sufficiency of the theory of planned behavior for explaining information security policy compliance. Inf. Comput. Secur. 23, 200–217 (2015)CrossRefGoogle Scholar
  41. 41.
    Aurigemma, S., Mattson, T.: Privilege or procedure: evaluating the effect of employee status on intent to comply with socially interactive information security threats and controls. Comput. Secur. 66, 218–234 (2017)CrossRefGoogle Scholar
  42. 42.
    Sikolia, D., Twitchell, D., Sagers, G.: Employees’ adherence to information security policies: a partial replication. In: Proceedings of the Americas Conference on Information Systems, pp. 1–9 (2016).

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.School of Computing, Faculty EngineeringUniversiti Teknologi MalaysiaSkudaiMalaysia
  2. 2.Department of Information System, Azman Hashim International Business SchoolUniversiti Teknologi MalaysiaSkudaiMalaysia
  3. 3.Department of Informatics Engineering, Faculty Science and TechnologyUniversitas Islam Negeri Sultan Syarif KasimPekanbaruIndonesia
  4. 4.Department of Information Engineering, Faculty Science and TechnologyUniversitas Islam Negeri Sultan Syarif KasimPekanbaruIndonesia

Personalised recommendations