Factors Influencing Employees on Compliance with Cybersecurity Policies and Their Implications for Protection of Information and Technology Assets in Saudi Arabia
In the current digital era, it is difficult to preserve the confidentiality, integrity, and availability of an organization’s information and technology assets against cyber attacks. Organizations cannot rely solely on technical solutions for defense, since many cyber attacks attempt to exploit non-technical vulnerabilities such as how well employees comply with the organization’s cybersecurity policies. This study surveyed 245 randomly selected employees of government organizations in the Kingdom of Saudi Arabia with an electronically distributed questionnaire about factors that influence employees’ compliance with cybersecurity policies. The study found that ethical factors had the most influence on employee compliance with cybersecurity policies, followed in decreasing order of influence by legislative factors, technical factors, and administrative factors.
References
[1]
Brodny, J. and Tutak, M. (2022) Analyzing the Level of Digitalization among the Enterprises of the European Union Member States and Their Impact on Economic Growth. Journal of Open Innovation: Technology, Market, and Complexity, 8, Article 70. https://doi.org/10.3390/joitmc8020070
[2]
Antunes, M., Maximiano, M., Gomes, R. and Pinto, D. (2021) Information Security and Cybersecurity Management: A Case Study with SMEs in Portugal. Journal of Cybersecurity and Privacy, 1, 219-238. https://doi.org/10.3390/jcp1020012
[3]
de Reuver, M., Sørensen, C. and Basole, R.C. (2018) The Digital Platform: A Research Agenda. Journal of Information Technology, 33, 124-135. https://doi.org/10.1057/s41265-016-0033-3
[4]
International Data Corporation (2020) Cybersecurity and Its Impact on Digital Saudi. https://resources.trendmicro.com/rs/945-CXD-062/images/Cybersecurity-and-its-Impact-on-Digital-Saudi.pdf
[5]
National Cybersecurity Authority (2018) Essential Cybersecurity Controls. https://www.nca.gov.sa/ecc-en.pdf
[6]
Alsemairi, S.S. (2022) The Reality of Cybersecurity and Its Challenges in Saudi Arabia. Scientific Journal of King Faisal University: Basic and Applied Sciences, 23, 66-74. https://doi.org/10.37575/b/cmp/210075
[7]
Scholl, M.C., Fuhrmann, F. and Scholl, L.R. (2018) Scientific Knowledge of the Human Side of Information Security as a Basis for Sustainable Trainings in Organizational Practices. Proceedings of the 51st Hawaii International Conference on System Sciences, Hawaii, 3-6 January 2018, 2235-2244.
[8]
Ifinedo, P. (2014) Information Systems Security Policy Compliance: An Empirical Study of the Effects of Socialization Influence and Cognition. Information & Management, 51, 69-79. https://doi.org/10.1016/j.im.2013.10.001
[9]
Triplett, W.J. (2022) Addressing Human Factors in Cybersecurity Leadership. Journal of Cybersecurity and Privacy, 2, 573-586. https://doi.org/10.3390/jcp2030029
[10]
Koohang, A., Anderson, J., Nord, J.H. and Paliszkiewicz, J. (2020) Building an Awareness-Centered Information Security Policy Compliance Model. Industrial Management & Data Systems, 120, 231-247. https://doi.org/10.1108/IMDS-07-2019-0412
[11]
Sulaiman, N.S., Fauzi, M.A., Wider, W., Rajadurai, J., Hussain, S. and Harun, S.A. (2022) Cyber—Information Security Compliance and Violation Behaviour in Organisations: A Systematic Review. Social Sciences, 11, Article 386. https://doi.org/10.3390/socsci11090386
[12]
Gwebu, K.L., Wang, J. and Hu, M.Y. (2020) Information Security Policy Noncompliance: An Integrative Social Influence Model. Information Systems Journal, 30, 220-269. https://doi.org/10.1111/isj.12257
[13]
VMware (2021) Saudi Arabia Security Insights Report 2021. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmwcb-report-global-security-insights-report-saudi-arabia.pdf
[14]
Ifinedo, P. (2012) Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory. Computers & Security, 31, 83-95. https://doi.org/10.1016/j.cose.2011.10.007
[15]
AlGhamdi, S., Win K.T. and Vlahu-Gjorgievska, E. (2022) Employees’ Intentions toward Complying with Information Security Controls in Saudi Arabia’s Public Organisations. Government Information Quarterly, 39, Article ID: 101721. https://doi.org/10.1016/j.giq.2022.101721
[16]
Alanazi, T.S., Anbar, M., Ebad, A.S., Karuppayah, S. and Al-Ani, H.A. (2020) Theory-Based Model and Prediction Analysis of Information Security Compliance Behavior in the Saudi Healthcare Sector. Symmetry, 12, Article 1544. https://doi.org/10.3390/sym12091544
[17]
Koohang, A., Nowak, A., Paliszkiewicz, J. and Nord, J.H. (2020) Information Security Policy Compliance: Leadership Trust Role Values and Awareness. Journal of Computer Information Systems, 60, 1-8. https://doi.org/10.1080/08874417.2019.1668738
[18]
Addae, J.A., Simpson, G. and Ampong, G.O.A. (2019) Factors Influencing Information Security Policy Compliance Behavior. 2019 International Conference on Cyber Security and Internet of Things, Accra, 29-31 May 2019, 43-47.
[19]
Connolly, L.Y., Lang, M. and Wall, D.S. (2019) Information Security Behavior: A Cross-Cultural Comparison of Irish and US Employees. Information Systems Management, 36, 306-322. https://doi.org/10.1080/10580530.2019.1651113
[20]
Alqahtani, M.A. and Braun, R. (2021) Examining the Impact of Technical Controls, Accountability and Monitoring towards Cyber Security Compliance in E-Government Organizations. https://doi.org/10.21203/rs.3.rs-196216/v1
[21]
International Telecommunication Union (2008) X.1205: Overview of Cybersecurity. https://www.itu.int/rec/T-REC-X.1205-200804-I
[22]
Jeong, J., Mihelcic, J., Oliver, G. and Rudolph, C. (2019) Towards an Improved Understanding of Human Factors in Cybersecurity. 2019 IEEE 5th International Conference on Collaboration and Internet Computing (CIC), Los Angeles, 12-14 December 2019, 338-345. https://doi.org/10.1109/CIC48465.2019.00047
[23]
Communications and Information Technology Commission (CITC) (2007) Anti-Cyber Crime Law. https://laws.boe.gov.sa/BoeLaws/Laws/LawDetails/25df73d6-0f49-4dc5-b010-a9a700f2ec1d/2
[24]
Hamburg, I. (2021) Interdisciplinary Training and Mentoring for Cyber Security in Companies. In: Cruz-Cunha, M.M. and Mateus-Coelho, N.R., Eds., Handbook of Research on Cyber Crime and Information Privacy, 356-371. https://doi.org/10.4018/978-1-7998-5728-0.ch018
[25]
Sullins, J. (2023) Information Technology and Moral Values. https://plato.stanford.edu/archives/spr2021/entries/it-moral-values
[26]
Sekaran, U. and Bougie, R. (2016) Research Methods for Business: A Skill Building Approach. 7th Edition, John Wiley & Sons, West Sussex.
[27]
Sekaran, U. (2003) Research Methods for Business: A Skill Building Approach. 4th Edition, John Wiley & Sons, West Sussex.
[28]
Sekaran, U. and Bougie, R. (2010) Research Methods for Business: A Skill Building Approach. 5th Edition, John Wiley & Sons, Haddington.
[29]
Borena, B. and Bélanger, F. (2013) Religiosity and Information Security Policy Compliance. Americas Conference on Information Systems (AMCIS), Chicago, 15-17 August 2013, 2848-2855.
