A Composite Framework to Promote Information Security Policy Compliance in Organizations

  • Eric AmankwaEmail author
  • Marianne Loock
  • Elmarie Kritzinger
Conference paper
Part of the Learning and Analytics in Intelligent Systems book series (LAIS, volume 7)


Information security policy (ISP) noncompliance continue to impede information security in organizations. This paper consolidates the strength of previous studies into an effective single solution. The paper, first, synthesizes the existing literature and groups relevant ISP compliance factors into user involvement, personality types, security awareness and training, behavioral factors, and information security culture. Secondly, a generic framework that guides the development of frameworks for ISP compliance in organizations was developed based on the literature review. The generic framework categorized elements required for developing an ISP compliance framework into structure, content and outcome elements. Thirdly, the generic framework was applied to develop a composite ISP compliance framework that proposes the establishment of ISP compliance as a culture in organizations. Finally, the results of the expert review assessment showed that the proposed composite ISP framework was suitable, structurally sound and fit for purpose.


Information security Policy Security culture Security compliance Behavior intentions ISPCC Compliance framework 


  1. 1.
    Stewart, H., Jürjens, J.: Information security management and the human aspect in organizations. Inf. Comput. Secur. 25(5), 494–534 (2017)CrossRefGoogle Scholar
  2. 2.
    Iriqat, Y.M., Ahlan, A.R., Nuha, N., Molok, A.: Information security policy perceived compliance among staff in palestine universities: an empirical pilot study. In: 2019 IEEE Jordan International Joint Conference on Electrical Engineering and Information Technology (JEEIT), pp. 580–585 (2019)Google Scholar
  3. 3.
    Mccormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., Pattinson, M.: Individual differences and information security awareness. Comput. Hum. Behav. 69(2017), 151–156 (2017)CrossRefGoogle Scholar
  4. 4.
    Moody, G.D.: Toward a unified model of information security policy compliance. MIS Q. 42(1), 285–311 (2018)CrossRefGoogle Scholar
  5. 5.
    Ponemon Institute, “State of End Point Security,” State of End Point Security: The Ponemon Institute LLC (2016). Accessed 05 Dec 2016
  6. 6.
    Alzahrani, A., Johnson, C., Altamimi, S.: Information security policy compliance : investigating the role of intrinsic motivation towards policy compliance in the organization. In: 2018 4th International Conference on Information Management (ICIM), pp. 125–132 (2018)Google Scholar
  7. 7.
    Alotaibi, M., Furnell, S., Clarke, N.: Information security policies : a review of challenges and influencing factors. In: The 11th International Conference for Internet Technology and Secured Transactions (ICITST-2016) Information, pp. 352–358 (2016)Google Scholar
  8. 8.
    Safa, N.S., von Solms, R., Furnell, S.: Information security policy compliance model in organizations. Comput. Secur. 56, 70–82 (2016)CrossRefGoogle Scholar
  9. 9.
    Bano, M., Zowghi, D.: User involvement in software development and system success : a systematic literature review. In: Proceedings of EASE 2013, pp. 125–130 (2013)Google Scholar
  10. 10.
    Ögutçü, G., Müge Testik, Ö., Chouseinoglou, O.: Analysis of personal information security behavior and awareness. Comput. Secur. 56(2016), 83–93 (2016)CrossRefGoogle Scholar
  11. 11.
    Shropshire, J., Warkentin, M., Sharma, S.: Personality, attitudes, and intentions: predicting initial adoption of information security behavior. Comput. Secur. 49(2015), 177–191 (2015)CrossRefGoogle Scholar
  12. 12.
    Pattinson, M., Parsons, K., Butavicius, M., Mccormac, A., Calic, D.: Assessing information security attitudes: a comparison of two studies. Inf. Comput. Secur. 24(2), 228–240 (2016)CrossRefGoogle Scholar
  13. 13.
    Amankwa, E., Loock, M., Kritzinger, E.: A conceptual analysis of information security education, information security training and information security awareness definitions. In: The 9th International Conference for Internet Technology and Secured Transactions (ICITST -2014), pp. 248–252 (2014)Google Scholar
  14. 14.
    Stanciu, V., Tinca, A.: Students’ awareness on information security between own perception and reality – an empirical study. Account. Manag. Inf. Syst. 15(1), 112–130 (2016)Google Scholar
  15. 15.
    Ogutcu, G., Testik, O.M., Chouseinoglou, O.: Analysis of personal information security behavior and awareness. Comput. Secur. 56, 83–93 (2016)CrossRefGoogle Scholar
  16. 16.
    Palega, M., Knapinski, M.: Assessment of employees level of awareness in the aspect of information security. Syst. Saf. Hum. - Tech. Facil. – Environ. 1(1), 132–140 (2019)Google Scholar
  17. 17.
    Amankwa, E., Loock, M., Kritzinger, E.: Establishing information security policy compliance culture in organizations. Inf. Comput. Secur. 26(4), 420–436 (2018)CrossRefGoogle Scholar
  18. 18.
    Tolah, A., Furnell, S.M., Papadaki, M.: A Comprehensive Framework for Cultivating and Assessing Information Security Culture, Haisa, pp. 52–64 (2017)Google Scholar
  19. 19.
    da Veiga, A., Martins, N.: Defining and identifying dominant information security cultures and subcultures. Comput. Secur. 70(2017), 72–94 (2017)CrossRefGoogle Scholar
  20. 20.
    Alhogail, A.: Design and validation of information security culture framework. Comput. Hum. Behav. 49, 567–575 (2015)CrossRefGoogle Scholar
  21. 21.
    Sherif, E., Furnell, S., Clarke, N.: An identification of variables influencing the establishment of information security culture. In: Tryfonas, T., Askoxylakis, I. (eds.) The Human-Computer Interaction (HCI) Conference – Human Aspects of Information Security, Security, Privacy and Trust (HAS), LNCS 9190, pp. 436–448. Springer, Heidelberg (2015)Google Scholar
  22. 22.
    Da Veiga, A.: Comparing the information security culture of employees who had read the information security policy and those who had not - illustrated through an empirical study. Inf. Comput. Secur. 24(2), 139–151 (2016)CrossRefGoogle Scholar
  23. 23.
    Lebek, B., Uffen, J., Breitner, M.H., Neumann, M., Hohler, B.: Employees’ information security awareness and behavior: a literature review. In: Proceedings of Annual Hawaii International Conference System Science, pp. 2978–2987 (2013)Google Scholar
  24. 24.
    Sommestad, T., Karlzén, H., Hallberg, J.: The sufficiency of the theory of planned behavior for explaining information security policy compliance. Inf. Comput. Secur. 23(2), 200–217 (2015)CrossRefGoogle Scholar
  25. 25.
    Hina, S., Dominic, D.D.: Information security policies : investigation of compliance in universities. In: 3rd International Conference on Computer and Information Sciences (ICCOINS) Information, pp. 1–6 (2016)Google Scholar
  26. 26.
    Safa, N.S., Maple, C., Watson, T., Furnell, S.: Information security collaboration formation in organizations. IET Inf. Secur. 12(3), 238–245 (2018)CrossRefGoogle Scholar
  27. 27.
    Lembcke, T.-B., Masuch, K., Trang, S., Hengstler, S., Plics, P., Pamuk, M.: Fostering information security compliance : comparing the predictive power of social learning theory and deterrence theory. In: Twenty-Fifth Americas Conference on Information Systems, pp. 1–10, August 2019Google Scholar
  28. 28.
    Aurigemma, A., Panko, R.: A composite framework for behavioral compliance with information security policies. In: Proceedings of the 45th Hawaii International Conference on System Sciences (HICSS), pp. 3248–3257 (2012)Google Scholar
  29. 29.
    Siponen, M., Mahmood, M.A., Pahnila, S.: Employees’ adherence to information security policies: an exploratory field study. Inf. Manage. 51(2), 217–224 (2014)CrossRefGoogle Scholar
  30. 30.
    Drechsler, A., Hevner, A.: A four-cycle model of is design science research : capturing the dynamic nature of IS artifact design. In: Parsons, J., Tuunanen, T., Venable, J.R., Helfert, M., Donnellan, B., Kenneally, J. (eds.) Breakthroughs and Emerging Insights from Ongoing Design Science Projects: Research-in-progress papers and poster presentations from the 11th International Co, pp. 1–8 (2016)Google Scholar
  31. 31.
    Peffers, K., Tuunanen, T., Niehaves, B.: Design science research genres: introduction to the special issue on exemplars and criteria for applicable design science research. Eur. J. Inf. Syst. 27(2), 129–139 (2018)CrossRefGoogle Scholar
  32. 32.
    Cooper, D.R., Schindler, P.S.: Business Research Methods, 12th edn. McGraw-Hill/Irwin, New York (2014)Google Scholar
  33. 33.
    Prat, N., Comyn-Wattiau, I., Akoka, J.: Artefact evaluation in information systems design-science research—a holistic view. In: PACIS 2014 Proceedings (2014). Accessed 15 Mar 2017
  34. 34.
    Parsons, K.M., Young, E., Butavicius, M.A., Robert, M.: The influence of organizational information security culture on information security decision making. J. Cogn. Eng. Decis. Mak. 9, 117–129 (2015)CrossRefGoogle Scholar
  35. 35.
    Alnatheer, M., Nelson, K.: Proposed framework for understanding information security culture and practices in the Saudi context. In: The 7th Australian Information Security Management Conference, pp. 5–47, December 2009Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Eric Amankwa
    • 1
    • 2
    Email author
  • Marianne Loock
    • 2
  • Elmarie Kritzinger
    • 2
  1. 1.Department of ICTPresbyterian University College GhanaAbetifiGhana
  2. 2.School of ComputingUniversity of South AfricaPretoriaSouth Africa

Personalised recommendations