Influencing employees compliance behavior towards Information Security Policy


Influencing employees' compliance behavior towards Information Security Policy
The Telesur case

By Billey B. Best (Suriname)
Supervised by: Prof. Vincent Feltkamp, PhD.

This paper was submitted in partial fulfillment of the requirements for the Masters of Business Administration (MBA) degree at the Maastricht School of Management (MsM), Maastricht, the Netherlands, February 20,

Maastricht School of Management, P.O.Box 1203, BE Maastricht, The Netherlands
FHR Lim a Po Institute for Social Studies, P.O.Box, Paramaribo, Suriname

Paramaribo, February 2014


Acknowledgements

Participation in this MBA program would not have been possible if some very special people within Telesur didn't believe in me. It was a very time consuming, stressful, but also interesting period during this program. Not only for my work environment is this study a plus, but also for my own development and benefit. I believe that there is a God who opens doors which we should enter when given, and I would like to first thank Him for this opportunity given. Further I would like to thank my employer Telesur and in particular the CEO of Telesur Drs. Dirk Currie and the Director of Commerce Mr. Kenneth Muringen MBA for choosing me and believing that I would be able to successfully complete this MBA Finance program. Also great acknowledgement for the effort and precious time spent by Dr. Vincent Feltkamp for supervising and guiding me during the thesis period. I'm very thankful for Dr. Vincent Feltkamp, as time for supervising and guiding students is very scarce. Further great thanks go out to all students supporting me during the thesis period, especially the buddy group members with whom most time was spent. Encouraging each other during this period was much appreciated. I would also like to thank all Telesur colleagues who participated in the survey. Finally, very special gratitude goes out to my wife and to my very young son who needed my presence and fatherhood most in this phase of his life. I'm very thankful for my family supporting me during this very difficult period, having almost no quality time and almost no time for socializing regularly. Very special thanks to everyone else not mentioned who has supported me during this study.

Sincerely yours,
Billey Best
February 2014

Abstract

Many companies today rely on information about customers to be able to do business. This information has become a strategic asset which should be protected (Muhire, 2012, p. 4). Protecting this strategic asset requires certain security measures to be taken. Because of the increasing security issues generally (Bailey, Kevin, 2013, p. 3), protecting this strategic asset involves information security challenges as well. Assigning different security roles and functions, implementing information security awareness sessions and training, and working on a particular information security climate and culture are some of the measures taken to decrease the risks of not protecting this strategic asset. While professionals and engineers from Information Technology departments work on technical solutions to mitigate these risks (Kayworth & Whitten, 2010, p. 1), managers seek managerial solutions. Creating a supportive climate and social environment, allocating budgets for the mitigation of information security risks and implementing Information Security Policies (Corpuz & Barnes, 2010, p. 3) are some of the managerial measures. Managers have also been working on other motivational and social factors such as sanctions, rewards, intrinsic benefits, normative beliefs, self-efficacy, awareness, organizational culture and others. Of these, an Information Security Policy is one measure which some Information Technology based companies have implemented. But this policy cannot stand on its own, as employees need to comply with it (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 3). Assessment of the factors influencing the compliance behavior of employees is the main objective of this study. Telesur, as a telecommunications company, also has to deal with these information security challenges, especially since the telecommunications market in Suriname has been liberalized.

An information security policy was implemented, but to what extent employees comply with this policy and which factors influence their compliance behavior was not clear. Of the different motivational, organizational and social factors, Sanctions, Self-efficacy, Information Security Awareness and Organizational Climate were chosen to test for a significant influence on Compliance. As previous studies showed, all these variables influenced the compliance behavior of employees. Sanctions and Self-efficacy had different outcomes, with positive and negative results in different studies. Information Security Awareness was generally positively related to the compliance behavior of employees. Organizational climate also had different outcomes related to compliance behavior. As mentioned earlier, the objective of this study was to find out which of these (four) factors influence the compliance behavior of employees within Telesur, and how. The study was deductive in nature, using previously tested questionnaires to test the hypotheses. The test was done in three groups: staff members and managers as one group, CAO employees as another group, and the complete set of responses as a third group. The initial aim was to have separate groups for staff members and for managers, but because of the low number of these two categories and the low response rate, the researcher chose to combine these two categories into one group. The results of the tests showed that sanctions didn't influence employees' compliance behavior within Telesur. Further, for self-efficacy, employees didn't judge themselves as capable and having the skills and knowledge to comply with the information security policy on their own. On the other hand, information security awareness significantly influences the compliance behavior of these employees, while the support from managers and among CAO employees influences the overall compliance behavior within Telesur.

These two factors explain approximately 25% of the variance in actual compliance behavior, which leaves room for further study in finding more factors explaining more of the variance in the compliance behavior. It was also found that awareness influences self-efficacy positively and sanctions negatively, meaning that increasing awareness will overall have positive effects on Information Security issues. For management it is recommended to educate employees in the field of information security, share information regarding vulnerabilities and other security issues, and plan information security awareness sessions to further increase the compliance behavior and thus decrease potential costs due to security issues (Kayworth & Whitten, 2010, pp. 2-3). Management can also further work on a supportive climate regarding security issues.

Keywords: Information Security Policy, Information Security Awareness, Self-Efficacy, Sanctions, Actual Compliance Behavior, Organizational Climate, CAO employees, Co-workers socialization, Staff members and Managers

Table of contents

Acknowledgements
Abstract
List of figures
List of tables
List of abbreviations
Chapter 1 Introduction
  General
  Background to research
  Research objective
  Theoretical framework
  Research Questions
  Research methodology
  Scope and limitations
  Expected contribution
  Chapter overview
Chapter 2 Literature Review
  General
  Sanctions
  Self-efficacy
  Information Security Awareness
  Perceived Organizational Climate
  A deeper look into the Safety climate constructs used for Organizational Climate related to information security
  Actual compliance behavior
  Theoretical framework
Chapter 3 Research Design and Methodology
  Security within Telesur
  Sample design
  Item design
  Reliability and validity of the questionnaire
  Items of the questionnaire
Chapter 4 Analysis and Findings
  Data Preparation (recoding and Principal Component Analysis) and Reliability
  Descriptive Statistics
  Correlations
  Regressions and hypotheses
Chapter 5 Conclusions and Recommendations
  Conclusions
  Recommendations
Bibliography
Appendix A Measurement Items
Appendix B Testing Assumptions
Appendix C Principal Component Analysis
  C1 PCA on the full dataset of 113 responses
  C2 PCA on the 64 CAO employees
  C3 PCA on the 49 Staff members
Appendix D Descriptive Statistics
  D1 Cross tabs Gender x ACB
  D2 Cross tabs Function x ACB
  D3 Cross tabs Education x ACB
  D4 Cross tabs Age x ACB
  D5 Cross tabs Tenure x ACB
Appendix E Correlations
  E1 Correlations between latent variables for the complete Dataset
  E2 Correlations between latent variables for the CAO employees Dataset
  E3 Correlations between latent variables for the total Staff and Managers Dataset
Appendix F Multiple Regressions Complete Dataset
Appendix G Multiple Regression CAO employees as a stratum
Appendix H Regression Analysis Staff and Managers as a stratum
Appendix I Moderation Analysis
  I1 Moderation analysis for the complete set of All responses
  I2 Moderation analysis for the complete set of CAO employees
  I3 Moderation analysis for the complete set of Staff and Managers
Appendix J Regressions with Stata for Demographic variables
  J1 Regression analysis with Stata for demographic variables
  J2 Regression analysis with Stata for demographic variables and interaction

List of figures

Figure 1 The Security Action Cycle, source (Straub & Welke, 1998)
Figure 2 Conceptual model (Bulgurcu B., 2008)
Figure 3 Research model from (Vance, 2010) including deterrence and neutralization factors
Figure 4 Results for the proposed research model from (Herath & Rao, 2009, p. 12)
Figure 5 Structural model (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 18)
Figure 6 Conceptual model
Figure 7 Final model

List of tables

Table 1 Telesur employees overview
Table 2 Pilot test reliability results, 10 samples
Table 3 Response rate
Table 4 Complete Dataset, 113 responses
Table 5 CAO employees Dataset, 64 responses
Table 6 Staff and Managers Dataset, 49 responses
Table 7 Correlations with ACB (Spearman), α = 0.5, 2-tailed
Table 8 Hypotheses testing
Table 9 Regression of ISA on Self-efficacy

List of abbreviations

ACB Actual Compliance Behavior
BYOD Bring Your Own Device
CAO Collective Labor Agreement, mostly line-level and work floor employees and bureau chiefs
CWS Co-workers Socialization
DSP Direct Supervisor Practices
GDT General Deterrence Theory
GISA General Information Security Awareness
ICT Information Communication Technology
IEC International Electro-technical Commission
IS Information Systems
ISA Information Security Awareness
ISMS Information Security Management System
ISO International Standards Organization
ISP Information Security Policy
ISPA Information Security Policy Awareness
IT Information Technology
IVISSP Intention to violate Information System Security Policy
LSOCQ Litwin & Stringer Organizational Climate Questionnaire
MIS Management Information Systems (Internal IT department of Telesur)
NEN Netherlands Standards Institute
OC Organizational Climate
P&O Human Resource Department of Telesur
PC Personal Computer
PCA Principal Component Analysis
POC Perceived Organizational Climate
RCT Rational Choice Theory
RQ Research Question
SEC Security Department of Telesur
ST&M Staff members and Middle managers
Telesur Telecommunications Company of Suriname
TPB Theory of Planned Behavior
UMP Upper Management Practices
VPN Virtual Private Network
WSS Work Safety Scale

Chapter 1 Introduction

1.1 General

Information is a strategic asset in today's Information Technology based enterprises, and securing this asset involves specific Information Security challenges (Kayworth & Whitten, 2010, p. 163) (Muhire, 2012, p. 4). Enterprises have been implementing different measures, such as Information Security Policies (ISP), assigning different security roles and professionals, and other measures, to control these challenges and the increasing number of cyber attacks (Bailey, Kevin, 2013, p. 3). The implementation of a sound and effective ISP is a challenge in itself, especially when employees are required to comply with it. Corpuz and Barnes defined ISP as "information security program goals, assigned responsibilities and sets of security control requirements that are continually reassessed and updated based on evolving corporate business and risk management objectives" (Corpuz & Barnes, 2010, p. 1). Several studies have been conducted on increasing employees' compliance with ISP. The focus has been on Sanctions, Rewards, Information Security Awareness, Training, motivational factors such as Self-Efficacy and Attitude, social factors such as Organizational Culture and Climate, and other areas. The literature shows that different variables influence or have an impact on the adherence or compliance behavior of employees with ISP, as researched by (Hadasch, Mueller, & Maedche, 2012), (Liang & Xue, 2010), (Pahnila, Siponen, & Mahmood, 2007, pp. 2-3, 8), (Herath & Rao, 2009, pp. 4-5, 9-12, 14), (Bulgurcu, Cavusoglu, & Benbasat, 2010, pp. 5, 7, 10, 18-20), (Chan, Woon, & Kankanhalli, 2005, pp. 4-5, 7, 17-19) and others.

While IT specialists are working on the implementation of different security solutions to combat cyber-attacks, mitigate vulnerabilities and minimize information security risks, managers have been dealing with other issues, such as increasing employees' awareness of the need and importance to comply with ISP (Bailey, Kevin, 2013, pp. 3, 5), a challenging task in itself. Apart from technology and policy, it's becoming evident that social and organizational factors also need to be considered when seeking the right mix for effectively implementing an ISP (Kayworth & Whitten, 2010, p. 2). The social perspective brings in organizational culture and climate insights to be addressed. General questions regarding organizational and social aspects are: can employees influence each other's compliance behavior? Do the acts of supervisors and managers influence the way employees act towards ISP compliance? What should the security culture and climate be like within the company? Should management work more on Information Security Awareness, or should the focus be more on deterrence techniques such as sanctions or better rewards? These issues are key in today's enterprises dealing with securing their valuable strategic information assets (Kayworth & Whitten, 2010, p. 8) and will be addressed in this study. Furthermore, it is not always clear to what extent employees comply with the guidance and procedures of the ISP and what losses companies may incur in case of security breaches. With risk assessment and impact analysis, costs can be quantified to some extent. But to minimize these costs it is important to know which appropriate actions management should take in terms of Information Security. As mentioned earlier, previous researchers have conducted studies in these areas, but one area of specific study that has received very little attention is the influence organizational culture and climate have on employees' own judgment of their skills, knowledge and capabilities towards compliance with ISP. This type of intrinsic motivation is called Self-Efficacy. Along with Self-efficacy, Organizational Climate and Actual Compliance Behavior, Information Security Awareness and Sanctions will also be studied, as previous research has shown that the results can be positive or negative in different sectors, as described in chapter 2. While Governance, Risk and Compliance are related when implementing Enterprise Risk Management in an organization, the focus in this research will be on the compliance part. These issues are also present within the Telecommunications Company of Suriname (Telesur) and will be researched as such.

1.2 Background to research

The Telecommunications Company of Suriname (Telesur) is a fully government owned company which was the incumbent telecommunications operator and a monopolist before the liberalization of the sector. Telesur delivers Internet, mobile and landline telecommunication services, of which mobile and Internet services have been deployed nationwide in the last 5 years. After 2007, the Surinamese government decided to liberalize the Telecom sector, and Telesur had to implement different measures to prepare for and enter the open market as competitively as possible. It was a drastic change process and many employees had to change their working styles and attitudes. Employees on all levels were trained to understand what was going on and how to cope with the new business environment. Information Security (IS) was always of importance within Telesur, but with the liberalization of the Telecommunication sector, information became a very important and even strategic asset.

The new market situation required Telesur to compete with two competitors, Digicel and Uniqa, and to implement more stringent security measures for Information and Information Systems. Securing information systems is one part of the task. Getting employees to comply with security policies and other measures is another very important part of the task, as employees were accustomed to working in a monopolistic culture and climate. Because of the new competitive environment, employees needed to handle sensitive and private information as securely as possible. This change would require employees to give up a lot of flexibility, for example by limiting the use of different kinds of removable media and devices (nowadays called Bring Your Own Device (BYOD)) which were used on enterprise systems and also on systems outside of the enterprise over which IT had no control. There was a need for management to broaden and strengthen the Information Security Policy (ISP) enterprise wide. In the past 4 years it has been very difficult to implement stringent policies because of the expected resistance which management and IT could face. Because of the potential resistance, certain policies - such as disabling certain drives to read and write from computer systems - could not be implemented.

The problem here was a lack of understanding of what effects the implementation of an Information Security Policy within Telesur could have on employees' overall positive or negative compliance behavior and possible resistance. In other words, there was a gap between the implementation of the ISP and its outcome. Investigating sanctions, self-efficacy and Information Security Awareness (ISA) - positively or negatively influencing the compliance behavior of employees towards ISP within Telesur - and the influence of perceived organizational climate (as the moderating variable) on the relationship between self-efficacy and compliance behavior were the main focus of this research. This research is about how ISP can be implemented effectively within Telesur. The results of this research should give answers and guidance to management for the effective implementation of ISP and compliance.

1.3 Research objective

The results of this study, and as such its objectives, should show the positive or negative influence of Sanctions, Self-efficacy and Information Security Awareness (ISA) on the Actual Compliance Behavior (ACB) of employees, and the effect of Organizational Climate on the relationship between Self-Efficacy and ACB. These results should give managers of Telesur guidance in the effective implementation of ISP in order to minimize the risks of the company regarding Information Security (IS), its investments and its customers' assets being stolen or compromised.

1.4 Theoretical framework

In this study, different theories are analyzed as the basis for the constructs in the framework, namely the theory of planned behavior, the theory of reasoned action, the general deterrence theory and the self-efficacy theory. To find out which constructs in the conceptual model influence employees' compliance behavior towards ISP, antecedents of these constructs were studied. A total of five variables or constructs were used in this study. Of these five constructs, three (3) were independent, one (1) was a moderating variable and one (1) was the dependent variable. The research questions (RQs) cover the main variables of the framework. Actual Compliance Behavior is the actual act to be performed when complying with ISP. Figure 6 in chapter 2 shows the conceptual model of this framework, combining the different factors and their proposed relationships.

1.5 Research Questions

The main questions of this research were:

1. Do Sanctions, Self-efficacy and Information Security Awareness (ISA) positively or negatively influence employees' behavior towards compliance with the Information Security Policy (ISP) within Telesur?
2. Does employees' Perceived Organizational Climate influence the relationship between Self-Efficacy and Actual Compliance Behavior?

In the second question the focus was on the moderating effect of Perceived Organizational Climate (POC) on the relationship between self-efficacy and actual compliance behavior.

1.6 Research methodology

This study has a deductive approach. A survey instrument, in this case a 5-point Likert-scale questionnaire, was designed for this study, mainly with items adopted from previous studies. The data was analyzed descriptively with cross tabulations, and with correlations and regressions to identify and measure the relationships between the different variables influencing employees' behavior towards overall compliance with ISP, by accepting or rejecting the hypotheses. There were approximately 812 (see table 1, Chapter 3) fixed employees at Telesur. These employees were from different levels in the company, consisting of technicians and administrative workers, day workers and shift workers, junior and senior staff members, supervisors and sub-departmental managers, departmental managers and directors. The groups of employees are considered to react differently to questions about information security policy compliance and are also considered a heterogeneous population of the company. There were also employees under contract, but information about these workers was not consistent and they were not available per corporate . For this reason, this group was excluded from this research. Furthermore, a cross section of the population was used to collect the data. The samples consisted of employees from different levels up to Middle Managers. Higher management members and top managers were not included in this research because it wasn't clear whether they were ever sanctioned or could be sanctioned at all. The sampling method was Stratified Sampling, consisting of a number of CAO employees, staff members and a number of middle managers, a total of 784 members. The three sampled strata had a total of 113 respondents: middle management 18, staff members 31 and CAO employees 64. The questionnaire was sent to a total of 300 employees.

The methodology was to identify the issue and develop a research idea, followed by the research questions and literature review. Then the research model was developed with the constructs and variables, and a pilot study was conducted. The data from this pilot study was used to improve the questionnaire, which was then sent to 300 employees. With the number of responses from the different strata, the sample sizes were recalculated for better accuracy. The data was then gathered and analyzed, and conclusions were drawn from the results. Analysis was done with descriptive and inferential statistics, using IBM's SPSS AMOS, Microsoft Excel, Stata and XLSTAT.

1.7 Scope and limitations

This research was about Information Security Policy Compliance and the factors influencing it. In the description the researcher could refer to various issues to build up a case to research. The focus though was on removable storage devices and laptops, and specifically on USB memory drives, as these were mainly referred to in the case for the questionnaire, but also because of the limited information available for other devices such as smart phones, cameras, tablets and others. It should be mentioned that many devices (BYOD) can contribute to the risk of losing sensitive and strategic corporate information, but issues regarding removable USB memory devices were at hand. Because of this, the theoretical part of the study was limited mainly to USB memory devices.

1.8 Expected contribution

This study will help managers to better and more efficiently implement an Information Security Policy in their organization, taking into account the climate within the company and the factors that influence employees' compliance behavior towards ISP.

1.9 Chapter overview

This thesis begins with an introduction of the research topic in chapter 1. In the second chapter, the literature on previous studies of the different distinguished variables is reviewed. Chapter 3 deals with the methodology, the research design, the sampling, data collection and analysis method used. In chapter 4, the gathered data is presented and analyzed, and the findings are discussed in chapter 5. In the last chapter, conclusions are drawn and recommendations are given based on the results of this research.

Chapter 2 Literature Review

2.1 General

In this chapter, previous studies on the different topics in this research are discussed. The topics reviewed are Sanctions, Self-efficacy, Information Security Awareness (ISA), Perceived Organizational Climate (POC) and Compliance behavior. The theories these factors were built on were reviewed in order to provide a better understanding and to further build the hypotheses. Theories studied in the literature were: the Theory of Planned Behavior (Ajzen I., 1991), the Theory of Reasoned Action (Ajzen & Madden, 1986), Rational Choice Theory (McCarthy, 2002), Expectancy Value Theory (Fishbein & Ajzen, 1975), General Deterrence Theory, Protection Motivation Theory, Information Security Awareness, Agency theory, the Triandis Behavioral Framework, Social Cognitive Theory (Bandura A., 1982) and other theories. In the following paragraphs the literature is reviewed in the following sequence: Sanctions, Self-efficacy, ISA, POC and Compliance Behavior. At the end of each paragraph, the hypothesis is stated. This chapter ends with the theoretical framework for this study.

2.2 Sanctions

Sanctions are often used by IT managers as a response to employees' computer abuse or when they violate the rules and guidelines prescribed in the company's Information Security Policy (Kankanhalli, Teo, Tan, & Wei, 2003, pp. 4-5). In Information Security Policies (ISP), sanctions are one of the measures taken to discipline employees when they purposely, unconsciously or accidentally violate the information security policy in corporations. Sanction is a factor from the General Deterrence Theory (GDT) from the discipline of Criminology. According to Williams & Hawkins, the deterrence theory implies "a psychological process whereby individuals are deterred from committing criminal acts only if they perceive legal sanctions as certain, swift, and/or severe" (Williams & Hawkins, 1986). Straub & Nance described deterrence as "passive, administrative controls that take no active role in restricting the use of system resources" (Straub & Nance, 1990). The concept of deterrence has been used in Criminology as a means to control crime. The theory assumes that individuals make a rational choice whether to commit a crime. The thinking behind this is that the more the severity of the punishment to the individual is increased, the more effective deterrence will be, because committing the crime becomes more expensive for the individual; but the benefits possibly gained from a committed crime make deterrence less effective, according to Williams & Hawkins (1986), citing Piliavin et al. (1986). Becker introduced a model to determine how to combat crime. In his model, Becker looked into the relation between crime behavior and the costs of committing those crimes and used different insights, including the number of crimes, deterrence and punishment, to further build the model (Becker, 1968). Based on their research, Straub & Nance found several areas system administrators should look into to improve computer security (Straub & Nance, 1990). These areas are increased attention to detection, frequent reporting of serious abuse incidents, preferential treatment and equal disciplinary actions for all levels, so that their policies are effective in deterring violators of security policies. According to the study of Higgins et al., computer abuse can be reduced with factors from the Deterrence Theory (Higgins, Wilson, & Fell, 2005). Straub & Welke introduced a model called The Security Action Cycle, visualizing the subsequent lines of defense when an abuser chooses to ignore a deterrent such as a sanction, shown in figure 1 (Straub & Welke, 1998). When the abuser ignores the deterrence mentioned in the ISP in terms of sanctions, the next line of defense is prevention. Prevention consists of the active countermeasures that should be mentioned in the ISP as different access control actions. If these countermeasures are also circumvented, the next line of defense is to detect the abusive action. Certain actions can be detected by proactively implemented countermeasures such as antivirus programs and active firewall log analyzers. The last action is to remedy the eventual destructive result of such abusive actions and, if detected, to enforce the sanctions mentioned in the ISP. The deterrence feedback makes employees aware of the possible consequences of abusive behavior. In their research, Straub & Welke mentioned that security awareness and sanctions were basic in the general deterrence theory. Based on the research questions of their study, they studied two propositions (Straub & Welke, 1998, pp. 8-9).

Figure 1 The Security Action Cycle, source (Straub & Welke, 1998)

According to proposition one, instead of following the implications of the Security Action Cycle, managers see computer security as loss prevention and damage mitigation. Surprisingly to the researcher of this study, managers seldom turned to the enforcement of deterrents. Proposition two found support in that awareness training significantly influences subsequent security planning (Straub & Welke, 1998, p. 26). Besides empirical studies, different quantitative studies have been done on this subject.

Bulgurcu studied the antecedents of employees' compliance with the ISP in their organization. In this research, Bulgurcu looked into different factors from the Theory of Planned Behavior, such as Benefit of compliance, Cost of compliance,

18 Cost of non- compliance, Intrinsic benefit, Safety of resources, Rewards, Intrinsic Cost, Vulnerability of resources, Sanction, Normative beliefs, Self-efficacy, Attitude and also Information Security Awareness with Intention to comply as dependent variable (Bulgurcu B., 2008). In this study, all hypotheses where supported and found Intrinsic benefit, safety and rewards to be antecedents of benefit of compliance while Intrinsic cost, vulnerability and sanctions to be antecedents of Cost of non-compliance. Further, Benefit of compliance, Cost of compliance, cost of non-compliance and ISA were found to be antecedents of Attitude. Lastly normative beliefs, Attitude and self-efficacy were found to be antecedents of Intention to comply. In this study, Sanctions, Self-efficacy and ISA were brought in relation to compliance. Figure 2 shows the conceptual model of the study done by Bulgurcu (Bulgurcu B., 2008). Figure 2 Conceptual model (Bulgurcu B., 2008) After the antecedents study, Bulgurcu et al studied the relationship between the different factors mentioned in the antecedents study Bulgurcu and found sanctions and self-efficacy to significantly influence compliance behavior, while ISA significantly influence the attitude of the employees in compliance related beliefs (Bulgurcu, Cavusoglu, & Benbasat, 2010) (Bulgurcu B., 2008). In their study, Herath & Rao further studied factors from different theories but with a focus on compliance behavior and their results suggest that the severity of penalties imposed (sanctions) to more important to the existence and visibility of detection mechanisms (Herath & Rao, 2009, p. 13). An interesting result of previous review was that the hypothesized result of sanctions to negatively influence compliance behavior didn t always give the same results (Kankanhalli, Teo, Tan, & Wei, 2003, p. 14) and (Pahnila, Siponen, & Mahmood, 2007, pp. 7-8). 
This argument gives more support for further research, in different environments, on the impact of sanctions on the intention to comply or the actual compliance behavior of employees. As Pahnila et al found, intention to comply had a strong significant influence on actual compliance behavior, with a β of at a p of (Pahnila, Siponen, & Mahmood, 2007, pp. 5, 7). Here Sanction was brought in direct relation with actual compliance, because if one's intention to comply is high, that person will comply. What differs from the other studies mentioned earlier is that in the study of Pahnila et al, Sanction did not significantly influence compliance behavior (Pahnila, Siponen, & Mahmood, 2007, pp. 7-8). One possible reason for these differing results for Sanction and Rewards is that the population was selected from a single organization. An interesting data gathering method used by Pahnila et al, who referred to the items used in the study of Higgins et al, was the use of believable scenarios instead of student samples, because students may not have experienced sanctions or rewards. In the study herein, the researcher used scenarios to assess the relationship between Sanction and actual compliance behavior (Pahnila, Siponen, & Mahmood, 2007, p. 5) (Higgins, Wilson, & Fell, 2005, p. 7). The items for this study were adopted from Vance, following the scenario on the use of unencrypted portable media (Vance, 2010, p. 146). The items were modified to the following Sanction factors: reprimand, loss of respect, jeopardized future promotion, transfer to another department, suspension, demotion and penalties under criminal law. A total of 7 items was used to assess Sanctions.

In his study titled "Why do employees violate IS Security policies?", Vance extensively used scenario-based questionnaires to measure deterrence factors (Vance, 2010). In that research four studies were conducted to investigate violation of IS policies, using four theories. In the second study Neutralization theory was used to investigate its influence on the model with Sanctions (formal and informal) and Shame as independent variables and intention to violate IS Security policy (IVISSP) as the dependent variable.
The third study used Rational Choice Theory to investigate the relationship between the independent variables formal and informal sanctions, perceived benefits and moral beliefs and the intention to violate the IS Security Policy. Elaborating on the second study of Vance: first the deterrent factors were assessed in relation to IVISSP in three organizations in Finland, and Informal Sanction was found to be the only significant factor influencing and explaining the variance in IVISSP (Vance, 2010, pp ). Then the neutralization factors were added to the model. People use neutralization techniques to justify unethical and socially incorrect acts, believing that the performed acts do not pose any harm. The results showed that the neutralization factors significantly affect IVISSP, but also changed the effect of Informal Sanction on IVISSP, which was no longer significant. To improve generalizability, the study population was broadened to respondents from 47 countries; formal and informal sanctions were then found insignificant, while shame significantly influenced IVISSP. The overall conclusion was that when neutralization factors are included, sanctions do not significantly affect IVISSP. Figure 3 shows the model used in the second study with the deterrent and neutralization factors included.

Figure 3 Research model from (Vance, 2010) including deterrence and neutralization factors

In the third study, two factors from Rational Choice Theory (RCT) were added to the study of the relationship between informal and formal sanctions and IVISSP: moral beliefs and perceived benefits. According to Vance, RCT holds that individuals perform utilitarian calculations when deciding whether to commit a crime, weighing benefits against sanctions (Vance, 2010, p. 78). The results of this study showed that the effect of sanctions was not significant, while the RCT variables significantly influenced IVISSP. In both studies in the research of Vance, hypothetical scenarios were used to gather the data (Vance, 2010). As found in the review of the literature on Sanctions, the effects of sanctions on compliance behavior are mixed; it is therefore interesting to find out how sanctions affect compliance behavior within Telesur. The researcher postulated the following hypothesis:

H1. Sanctions influence the actual compliance behavior of employees towards the ISP within Telesur

As mentioned earlier, 7 items from Vance will be used to test this hypothesis (Vance, 2010).

2.3 Self-efficacy

Self-efficacy to comply is defined as "an employee's judgment of personal skills, knowledge, or competency about fulfilling the requirements of the ISP" in the study of Bulgurcu et al (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 7). In their study of self-efficacy theory, Bandura et al examined the generality of self-efficacy by relating self-efficacy to avoidance behavior, using several treatments as stimuli for self-efficacy (Bandura, Adams, Hardy, & Howells, 1980). Individuals affected by snake phobias were brought in contact with snakes to test their behavior and performance. Bandura et al researched whether different treatments predicted behavioral and performance aspects, providing evidence for the generality of self-efficacy in relation to behavior (Bandura, Adams, Hardy, & Howells, 1980, pp ). In later research Bandura found that several factors can affect the relationship between self-efficacy and action, which is the foundation for the study herein, where the moderating effect of OC was studied on the relation between self-efficacy and compliance behavior (Bandura A., 1982, p. 4). In his study of self-efficacy, Stone tested the effect of overconfidence in relation to initial self-efficacy and found that initial self-efficacy judgments can be affected by overconfidence (Stone, 1994, pp. 5-6). This study was important for assessing the relationship between self-efficacy and actual compliance behavior, with regard to the way the questionnaire or scenario is designed. Security personnel, or those already familiar with certain security issues, could also give biased answers to questionnaires in studies regarding self-efficacy, including this one (Stone, 1994, pp. 4, 19).
Several researchers studied the relation between self-efficacy and compliant behavior. Chan et al found that increasing employees' self-efficacy and their perception of the information security climate can stimulate compliance behavior (Chan, Woon, & Kankanhalli, 2005). As Chan et al also found, there are more factors influencing actual compliance behavior than self-efficacy and perceived information security climate; these two constructs, which share at least the antecedents of organizational climate, explained only 26.5% of the variance in compliance behavior (Chan, Woon, & Kankanhalli, 2005, p. 17). Warner found results contrasting with the studies mentioned above and with Vance and Bulgurcu et al (Vance, 2010, pp. 23, 105, 106, 112) (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 19) (Warner, 2009, p. 79). Those results showed that self-efficacy did not have a significant effect on information security use in an organizational context. Because of the wide availability of computer systems and their broader usage across roles, self-efficacy in the use of information systems is becoming less significant (Warner, 2009, pp ). These contrasting results in previous studies gave more support for assessing self-efficacy in environments other than those previously studied.

Bulgurcu used the Theory of Planned Behavior (TPB) to study factors from this theory in relation to behavior (Bulgurcu B., 2008, p. 17). The TPB states that behavioral beliefs, which represent the subjective probability that the behavior will produce a given outcome, influence the individual's attitude towards the behavior (Bulgurcu B., 2008, p. 17) citing (Ajzen I., 1991). From the TPB, Bulgurcu used the construct perceived behavioral control and operationalized it as Self-efficacy to comply and Self-efficacy NOT to comply. This was an interesting study, trying to establish whether employees who have the self-efficacy not to comply really do not comply. The results showed that the hypothesis regarding self-efficacy not to comply in relation to the intention to comply was significantly supported, bringing forward the importance of the negative side of self-efficacy (Bulgurcu B., 2008, pp. 17, 33). This gave more support for the study herein to assess the relationship between self-efficacy and actual compliance behavior within Telesur. This is important because employees who are confident and have the skills and knowledge of how to act can choose not to comply with the ISP. Not researched in this study is whether employees with the capabilities not to comply can influence other employees to lower their intention to comply.

McBride, Carter & Warkentin conducted a study testing several factors in relation to the intention to violate cyber security policy and found that employees with low self-efficacy are more likely to violate cyber security policies (McBride, Carter, & Warkentin, 2012, pp. 12, 15-16). This is an important finding, as it stresses the importance of boosting employees' self-efficacy. Herath & Rao studied the impact of self-efficacy from an organizational perspective, with resource availability as an antecedent, and found that awareness and training significantly and positively influence self-efficacy; they suggest that managers should support training and awareness (Herath & Rao, 2009, pp. 9, 12). The study also showed that self-efficacy positively influences the attitude towards security policies, although attitude did not in turn influence policy compliance. The model of (Herath & Rao, 2009, p. 12) is shown in figure 4.

Figure 4 Results for the proposed research model from (Herath & Rao, 2009, p. 12)

Based on the above review of the literature regarding self-efficacy and compliance behavior, the following hypothesis was formulated:

H2. Self-efficacy influences the actual compliance behavior of employees towards the ISP within Telesur

To test this hypothesis, three slightly modified items for self-efficacy were taken from Vance, following the scenario on the use of unencrypted portable media, and three further items from Herath & Rao were added (Vance, 2010, p. 152) (Herath & Rao, 2009, p. 18). A total of 6 items was used to assess self-efficacy.

2.4 Information Security Awareness

As mentioned earlier, Telesur implemented an information security policy that is updated every year. This policy covers several areas of the environment to be controlled. Lately the policy was upgraded according to the guidelines in ISO. But if employees lack awareness of the ISP, even the best designed and structured information security policy will fail (Peltier, 2004, p. 25). Especially in ICT organizations handling customer information, information owners need to implement the right tools to ensure the availability, confidentiality and integrity of that information. Information security awareness is one of the four tools, or control areas, that information owners can use to safeguard this information (Peltier, 2004, p. 276). As reviewed earlier in the Sanction part of this study, Straub and Welke conducted an empirical study on coping with systems risk in which they mainly focused on managers (Straub & Welke, 1998). Apart from Sanctions, Straub & Welke also assessed information security awareness and suggested certain steps, put in guidelines, which managers should take to change the security environment in their organization. Guideline 1.3 describes how to effectively implement information security awareness training, with actions such as:
- train new employees on common information security issues,
- teach participants the principles of the Security Action Cycle (deterrence, prevention, detection, remedies and the deterrence feedback (Straub & Welke, 1998, p. 9)), as mentioned in the Sanction part of this study,
- share information about security vulnerabilities, and
- review the ISP with employees.
Employees who have been longer in the organization should also receive updated training and awareness sessions to keep up with developments in the information security sector.

Bulgurcu, Cavusoglu, and Benbasat studied ISA as an antecedent of different variables under the construct Outcome Beliefs of employees, which were mediated by factors under the construct Beliefs about overall assessment of consequences towards attitude to comply (Bulgurcu, Cavusoglu, & Benbasat, 2010, pp. 10, 18). They defined Information Security Awareness (ISA) as an employee's general knowledge about information security and his cognizance of the ISP of his organization. Bulgurcu et al (2010) operationalized Information Security Awareness with General ISA (GISA) and ISP Awareness (ISPA). GISA was defined as an employee's overall knowledge and understanding of potential issues related to information security and their ramifications, while ISPA was defined as an employee's knowledge and understanding of the requirements prescribed in the organization's ISP and the aims of those requirements (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 10). While the relationships between GISA and ISA and between ISPA and ISA were not hypothesized, Bulgurcu et al found that GISA and ISPA significantly influenced ISA and considered them antecedents of ISA (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 18). They also found a significant positive relationship between ISA and Attitude to comply. Although Bulgurcu et al (2010) found that industry type did not significantly affect intention to comply, it was interesting to study the intention to comply in a specific organization with its own culture and climate. In the study herein, Organizational Climate was assessed as the moderating variable. Bulgurcu et al further found that employees' outcome beliefs influence their beliefs about the overall assessment of consequences, which in turn positively impact attitude to comply, suggesting that ISA programs should be designed to reinforce employees' outcome beliefs, which in turn influence employees' belief sets about compliance with the ISP (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 20). The positive results of the study of Bulgurcu et al (2010) support the implementation of training and security awareness programs, which in turn help to create a security-aware culture and thereby improve information security. Although in their study outcome beliefs were not tested in relation to self-efficacy, Bulgurcu et al suggested that employees' self-efficacy will also be improved, which in turn will impact intention to comply. Figure 5 shows the structural model of Bulgurcu et al, slightly adjusted after the model in the study of Bulgurcu (2008) (Bulgurcu B., 2008, p. 22) (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 18).

Figure 5 Structural model (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 18)

In an earlier study Bulgurcu studied the same antecedents of attitude and intention to comply, but with ISA assessed directly against attitude and perceived fairness instead of outcome beliefs and assessments of consequences (Bulgurcu, 2009, p. 3). In that study evidence of ISA significantly influencing Attitude towards Intention to comply was already found (Bulgurcu, 2009, p. 5), validating that ISA is a key factor in employees' compliance behavior. Other researchers conducted studies where information security awareness was tested directly against the behavior of employees. Stephanou studied the results of end-user security awareness training on employees' compliance behavior (Stephanou, 2008, pp. 20, 24). The results showed that training employees did increase their knowledge about security, but there was no significant evidence that security training influenced compliance behavior. So information security training is not the only factor that significantly influences security behavior. This was very important information for the study herein, because other factors were taken into account as antecedents of actual compliance behavior in order to study the factors influencing information security compliance. Puhakainen & Siponen further supported the aim of this study with their research on improving employees' compliance behavior through ISA training (Puhakainen & Siponen, 2010). In Puhakainen & Siponen's empirical study, the findings showed that employees should not only be trained to increase their compliance behavior, but that the training and information security communication should be planned and implemented continuously (Puhakainen & Siponen, 2010, p. 18). That study was conducted in a small company consisting mainly of employees with college and university degrees, who can be expected to cope with changing environments. It would be interesting to see the results of a study of the relationship between ISA and actual compliance in a company whose employees have different educational levels and are not accustomed to change. Further, a number of studies have been conducted where ISA was tested directly against compliance behavior, and the results showed that training positively and strongly influenced ISA, and ISA in turn influenced compliance behavior (Muhire, 2012, p. 23), (Waly, Tassabehji, & Kamala, 2012, p. 9). In the study herein ISA was assessed directly against Actual Compliance Behavior. The items used in the questionnaire were taken from (Muhire, 2012).
The hypothesis to test the impact of ISA on Actual Compliance Behavior is proposed below:

H3. Information Security Awareness influences the actual compliance behavior of employees towards the ISP within Telesur

2.5 Perceived Organizational Climate

The fourth variable in this research concerns the perceptions of employees of their work environment (Hellriegel & Slocum, 1974, pp. 2-3). Organizational culture gives a picture of employees' perception of how business is done within Telesur, but as other MBA graduates already found (Karsters, 2011, p. 51), there is no dominant culture within the company, so this construct would not help in forming the perception of employees about how things are going within Telesur. Different scholars such as Hellriegel & Slocum defined Organizational climate as "a set of attributes which can be perceived about a particular organization and/or its subsystems, and that may be induced from the way that organization and/or its subsystems deal with their members and environment" (Hellriegel & Slocum, 1974, pp. 1-2). On the other hand, Patterson defined culture as a set of shared values and norms held by employees that guide their interactions with peers, management and clients (Patterson, et al., 2005, pp. 2-3). Although different studies suggest that culture and climate are similar (Patterson, et al., 2005, p. 2), others found that they are different concepts which nevertheless have overlapping dimensions (Chan, Woon, & Kankanhalli, 2005, p. 5) (Wallace, Hunt, & Richards, 1999, p. 4). Chan et al, citing Reichers & Schneider and James & Jones, described climate as the observable practices and procedures which manifest the culture of the organization, because these practices and procedures are closer to the surface, while culture is embedded within the organization's norms, beliefs and values (Chan, Woon, & Kankanhalli, 2005, p. 5) (Reichers & Schneider 1990) (James & Jones 1974). According to Chan et al, climate gives researchers visibility into the underlying culture of an organization. Wallace et al also speak of more empirically accessible elements when assessing climate, while culture is a more implicit concept (Wallace, Hunt, & Richards, 1999, p. 4). Supporting the choice in this study of Organizational Climate over Organizational Culture: climate is about shared perceptions, while culture is about shared assumptions. Assessing the culture within the organization would give insight into the established values and beliefs, while assessing climate gives the employees' perception of the way things are going within the company. Further support for using Organizational Climate instead of Organizational Culture in the research herein was found in the study of (Dugo, 2007, p. 39), citing a summary of (Bock, Zmud, Young-Gu, & Lee, 2005, p. 4), where organizational climate studies are more quantitative while organizational culture studies are more qualitative. Researchers can use climate measures to identify issues employees are dealing with and help managers take corrective actions to improve compliance behavior. This study assesses the moderating effect of organizational climate on the relation between self-efficacy and actual compliance behavior.
Several studies have been conducted to find dimensions and antecedents of Organizational climate. One of the widely used studies on Organizational Climate was conducted by Litwin and Stringer (1968) (Hellriegel & Slocum, 1974, p. 3), who developed a number of dimensions to measure Organizational climate. The questionnaire, called the Litwin and Stringer Organizational Climate Questionnaire (LSOCQ), consists of nine measurable dimensions of the work environment that can influence employees' motivation and behavior (Rogers, Miles, & Biggs, 1980, p. 3). Litwin and Stringer defined the nine scales as follows (Rogers, Miles, & Biggs, 1980, pp. 3-4) and Form B (Muchinsky, 1976, pp. 3-4, 18-21):
1. Structure. The feelings of employees regarding constraints, rules, regulations and procedures, red tape and channels, and the general atmosphere.
2. Responsibility. The feeling of being given room by superiors to do one's job.
3. Reward. The feeling of being rewarded for a job well done, and of fair HR policies.
4. Risk. How risk taking in the job and the organization is perceived.
5. Warmth. The feeling of being part of the organization and its social groups.
6. Support. The feeling that one receives support from co-workers and superiors.
7. Standards. The perception of how the organization deals with goals and performance and the challenge of reaching them.
8. Conflict. The perception of how conflicts are handled within the organization by management and co-workers.
9. Identity. The experience of team spirit and of being part of it.

Many researchers tested the validity of the dimensional structure of the LSOCQ and criticized the validity of the instrument (Sims Jr. & Lafollette, 1975, p. 18) (Muchinsky, 1976, p. 2). Most studies in which the Litwin and Stringer Organizational Climate Questionnaire was tested for validity found only five or six factors reliable. Muchinsky found Structure, Rewards, Warmth, Support and Identity to be reliable factors for measuring Organizational Climate, comparing his test to the results of Sims & Lafollette (Sims Jr. & Lafollette, 1975, p. 11) (Muchinsky, 1976, p. 12). In addition to these criticisms, the identification of a large number of climate dimensions over the years brought confusion in the choice of instruments to assess Organizational Climate (Patterson, et al., 2005, p. 3), (Hellriegel & Slocum, 1974, p. 2) and (Warner, 2009, p. 34). The studies mentioned above regarding Organizational Climate were from a behavioral and motivational perspective. Other perspectives were used by researchers to study Organizational Climate, such as that of James & Jones (1976) cited by (Chan, Woon, & Kankanhalli, 2005, p. 7), (Zohar, 1980) and others. Zohar developed the concept of safety climate, in which safety is considered a facet of Organizational Climate (Zohar, 1980, p. 1). Zohar adopted the definition of Organizational Climate given earlier, as a perception of employees about their work environment. Although Zohar's research was not in the field of information security, there is an analogy, as safety and information security seek the same goals, such as reducing potential loss (Chan, Woon, & Kankanhalli, 2005, pp. 5-6). (Zohar, 1980, p. 6) found support for two of his hypotheses, namely on the assessment of safety climate in relation to the general safety level in organizations, and suggests from his findings that managerial influence plays a key role in employees' perception of the safety climate.
James & Jones, cited by Chan et al, developed cross-level (horizontal) and top-down (vertical) characteristics, referring to co-worker socialization, upper management practices and direct supervisor practices respectively (James & Jones 1976) (Chan, Woon, & Kankanhalli, 2005, p. 7). Upper management practices (UMP), direct supervisor practices (DSP) and co-worker socialization (CWS) were tested as antecedents of Information Security Climate in the organization (Chan, Woon, & Kankanhalli, 2005, pp. 8-9). The results of the study showed that UMP, DSP and CWS were positively related to Information Security Climate and explained 60.4% of the total variance in employees' perception of climate (Chan, Woon, & Kankanhalli, 2005, p. 18). One remarkable result of the study was the highly significant relationship between co-worker and peer socialization and the perception of the information security climate: peers and co-workers had a significant influence on each other's perception of the information security climate. In the same study, information security climate was also studied in relation to compliance behavior, but together with self-efficacy both constructs explained only 26.5% of the variance in compliance behavior, suggesting that future research should incorporate other constructs (such as habits) in the model to obtain better explanatory power. Warner also used these three antecedents of Information Security Climate in his study and found that upper management and direct supervisor practices and co-worker and peer socialization can influence the perception of employees within their organization (Warner, 2009, p. 67). The researcher of the study herein was of the opinion that organizational safety climate factors such as upper management practices, direct supervisor practices and co-worker and peer socialization would better explain the perception of the employees in the organization than the motivational and behavioral factors of Litwin and Stringer (1968) and others, mainly because the organizational safety climate factors have been applied in relation to security compliance behavior.

A deeper look into the Safety climate constructs used for Organizational Climate related to information security

As mentioned earlier, Zohar found that a higher safety level in the organization leads to a better safety climate as perceived by employees (Zohar, 1980, pp. 2-3, 6). Zohar studied safety climate in industrial organizations, highlighted management practices in relation to workers' performance and the attitudes of managers towards safety, and found that when managers are clearly involved in safety improvements, safety programs will succeed. Zohar further suggests that management should delegate some executive power to safety officers to be able to enforce policy, which in turn positively influences the perception of workers towards safety in the organization. Hofmann & Stetzer conducted a similar study, but related role overload and practices at management, cross-level and group level (social aspects) to the frequency of unsafe behaviors (Hofmann & Stetzer, 1996, pp. 3, 7, 9). Hofmann & Stetzer also investigated management influence in terms of commitment to safety and suggested that upper management and supervisors (managers directly in charge of work teams) should address safety more when communicating with groups (Hofmann & Stetzer, 1996, pp. 8, 13). In another study testing the effect of group climate on accidents, Zohar distinguished managerial from supervisory practices, referring with supervisory practices to group-level practices and the subunits which supervisors manage (Zohar D., 2000, p. 1). Zohar further suggests that top management should be responsible for policy and procedures, while supervisors are responsible for the corresponding implementation practices at subunit level (Zohar D., 2000, p. 8) and (Zohar D., 2002, p. 5). Zohar found that safety climates differ per subunit, but are also formed from the subunits. Upper management and supervisor practices and co-worker or employee socialization were further used in many studies (Zohar & Luria, 2005, p. 10), (Zohar., 2007, pp. 3-4), (Kankanhalli, Teo, Tan, & Wei, 2003, p. 8) and others. Although not from a safety climate perspective, Lee & Lee also used the concepts of co-worker, social group and senior management influence in a computer abuse perspective (Lee & Lee, 2002, pp. 5-6). These concepts were further tested in the so-called Work Safety Scale (WSS) mentioned in the study of Hayes et al, who tested the safety factors, including UMP, DSP and CWS, against different dependent factors, including compliance with safety behavior, and found a significant relationship between those variables (Hayes, Perander, Smecko, & Trask, 1998, pp. 12, 14).

Chan et al used these concepts of organizational climate in their research in relation to compliance behavior (Chan, Woon, & Kankanhalli, 2005, p. 7). UMP was defined as the usual actions performed by management as observed by employees, while DSP was defined as the repeated actions performed by direct supervisors as perceived by employees (Chan, Woon, & Kankanhalli, 2005, p. 8). CWS was defined as the daily interactions of individuals with each other in an organization (Chan, Woon, & Kankanhalli, 2005, p. 9). As mentioned earlier, safety and security strive for similar goals, such as reducing the probability that issues occur due to non-compliant behavior and thereby reducing the costs related to incidents in these fields (Chan, Woon, & Kankanhalli, 2005, p. 7). Chan et al used these constructs as a single measure to investigate the relation between perceived information security climate and compliant behavior. Important to mention is that Chan et al modeled the items of two of these constructs, direct supervisor practices and co-worker and peer socialization, as reflective, while upper management practices was modeled as formative (Chan, Woon, & Kankanhalli, 2005, pp ). All items were found reliable and were used in their study. All three constructs were positively related to perceived information security climate, co-worker socialization strongly so. Further, Chan et al found that perceived information security climate predicts compliance behavior, although together with self-efficacy it explains only 26.5% of the variance in compliance behavior. Chan et al suggest that researchers should incorporate other constructs in future studies to increase the variance in the dependent variable explained by the antecedents. Hu et al also studied these factors in relation to information security compliance, while assessing the critical role of top management (Hu, Dinev, Hart, & Cooke, 2012, pp. 16, 17). Hu et al incorporated organizational culture in their model and found no significant relationship between organizational culture and compliance behavior. These results made the topic interesting to study, as results are not the same in all environments. Hu et al suggest that top management should stimulate a certain culture to reach better compliance behavior towards information security (Hu, Dinev, Hart, & Cooke, 2012). As culture and climate are related, whether climate is an antecedent of culture or both have overlapping factors, these findings give a further basis for the study herein. One of the most recent studies in which organizational climate was researched in relation to information security compliance behavior was conducted by Jaafar & Ajis (2013).
In their study, Jaafar and Ajis also found a strong, significant relationship between co-worker socialization and information security compliance behavior, while the relationships between the other two organizational-climate constructs and information security climate were not significant (Jaafar & Ajis, 2013, p. 7), although the perception of the management of army units was significant. The study was conducted in a military environment, and it is possible that employees' perceptions of upper management and direct supervisor practices did not influence their compliance behavior because, motivated or not, employees must comply with information security policies given the character of a military organization, which enforces policies and applies sanctions when non-compliance is discovered. Another recent study of organizational climate in relation to compliance behavior was conducted by Goo et al. (2013). Mainly top management practices and other variables were assessed as antecedents of information security climate in relation to information security compliance behavior. Goo et al. found support for their hypotheses, including the first one, relating information security climate to the intention to comply with the information security policy (Goo, Yim, & Kim, 2013, pp. 10, 20). Goo et al. suggest that further study should explore moderating or mediating relationships between the constructs used in their study. Co-worker socialization was also used as an antecedent of safety climate, along with upper management and direct supervisor practices, to form organizational climate, as mentioned earlier (Chan, Woon, & Kankanhalli, 2005, pp. 7, 18), (Jaafar & Ajis, 2013, p. 7), (Zohar, 2007, p. 6), (Hofmann & Stetzer, 1996, pp. 3, 7, 9), (Lee & Lee, 2002, p. 4) and (Hu, Dinev, Hart, & Cooke, 2012, p. 24).

The antecedents of information security climate used by Chan et al. and refined by Jaafar & Ajis were adopted in the study herein (Chan, Woon, & Kankanhalli, 2005, pp. 8-9) (Jaafar & Ajis, 2013, p. 10). A total of 13 items were used to assess organizational climate.

Lin & Lin studied the moderating effect of organizational support on behavior and found support for the moderation hypothesis, but not for a direct effect on certain behaviors (Lin & Lin, 2011, pp. 5, 10). As Lin & Lin underline, their results were not consistent with other studies (Lin & Lin, 2011), which gives further reason to test the moderating effect in other environments. The hypothesis for the moderating effect of organizational climate on the relation between self-efficacy and compliance behavior is proposed as follows:

H4. Organizational Climate moderates the relationship between self-efficacy and the actual compliance behavior of employees towards the ISP.

2.6 Actual compliance behavior

This study can be considered a study in behavioral science: the actual behavior of employees was studied as the dependent variable, with sanctions, self-efficacy and information security awareness as predictors and organizational climate as moderating variable. The result of the study should show whether the behavior of employees can be influenced through the factors mentioned above. Although actual compliance behavior has an information security tint, it is the behavior that was being predicted. In the literature reviewed on compliance behavior, almost all researchers refer to Ajzen's theory of planned behavior (Ajzen I., 1991). According to Ajzen, behavior is explained by the theory of reasoned action and the theory of planned behavior (Ajzen I., 1991, pp. 3, 4). Ajzen proposed that one's actual behavior results from the intention to perform that behavior, and intentions have to do with motivation. To predict behavior accurately, the antecedents of the dependent variable must be studied in the context of the expected behavior, the antecedents must remain stable, and perceived behavioral control must be accurate. When subjects have control over their decision to perform a certain behavior, intention is sufficient to predict behavior (Ajzen I., 1991, p. 9). As reviewed above, intention to comply was strongly related to actual compliance behavior (Pahnila, Siponen, & Mahmood, 2007, pp. 5, 7). Chan et al. (Chan, Woon, & Kankanhalli, 2005) used self-efficacy and information security climate to predict compliance behavior and found that these two constructs explained only 26.5% of the variance in compliance behavior, suggesting that other researchers add further factors to the model. The present study adds information security awareness as a third predictor; assessing this construct should show whether information security awareness improves the explained variance in compliance behavior. It was also the purpose of the researcher to measure the actual compliance behavior of employees. The items developed by Chan et al. in table 2 were adapted to measure actual compliance behavior (Chan, Woon, & Kankanhalli, 2005, p. 11). There was no hypothesis for the dependent variable.

2.7 Theoretical framework

As mentioned in chapter one, different theories were used as a basis for the present study. The study should indicate which factors positively or negatively influence actual compliance behavior with the information security policy. To conduct this research, five variables or constructs reviewed in the previous paragraphs were studied. Of these five constructs, three were independent, one was a moderating factor and one was the dependent variable. The variables are defined as follows:

Independent variables:
- Sanctions. Tangible or intangible penalties, such as demotions, loss of reputation, reprimands, monetary or non-monetary penalties, and unfavorable personal mention in oral or written assessment reports, incurred by an employee for non-compliance with the requirements of the ISP (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 10). Underlying theory: general deterrence theory (Williams & Hawkins, 1986) and the theory of criminal behavior (Becker, 1968, p. 3).
- Self-efficacy to comply. An employee's judgment of personal skills, knowledge or competency for fulfilling the requirements of the ISP (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 7), citing (Bandura A., 1982). Underlying theory: self-efficacy theory (Bandura, Adams, Hardy, & Howells, 1980) and (Bandura A., 1982).
- Information Security Awareness. An employee's general knowledge about information security and cognizance of the ISP of his organization (Bulgurcu, Cavusoglu, & Benbasat, 2010, p. 10). Underlying theory: general deterrence theory (Straub & Welke, 1998, p. 8).

Moderating variable:
- Perceived Organizational Climate. Employees' experiences and perceptions of the climate in the organization they work for (Patterson M. G., et al., 2005, pp. 1-3). Underlying theory: organizational climate theory (Zohar D., 2000, p. 3).

Dependent variable:
- Actual Compliance Behavior. In this research, the actual act of complying with the ISP (Ajzen I., 1991). Actual compliance is measured to assess to what extent employees comply with the information security policy. Underlying theory: the theory of planned behavior (Ajzen I., 1991), (Ajzen & Madden, 1986).

The first two variables, Sanctions and Self-efficacy, are motivational factors reviewed from the literature of different researchers (Bulgurcu, Cavusoglu, & Benbasat, 2010), (Pahnila, Siponen, & Mahmood, 2007), (Siponen, 2000), (Vance, 2010), (Al-Omari, Deokar, El-Gayar, Walters, & Aleassa, 2013). The review showed mixed findings: some studies found that these factors directly influence employees' compliance behavior, while others showed no significant influence.

The third variable was Information Security Awareness (ISA), since factors from this construct directly influenced compliance behavior in previous research. The factors adopted were general ISA, ISP awareness and ISP quality (Bulgurcu, Cavusoglu, & Benbasat, 2010), (Siponen, 2000), (D'Arcy, Hovav, & Galletta, 2009), (Herath & Rao, 2009), (Peltier, 2004) and (Pahnila, Siponen, & Mahmood, 2007). The fourth variable was Organizational Climate, adopted from different researchers (Chan, Woon, & Kankanhalli, 2005), (Yoo, Huang, & Lee, 2012), (Hong & Kaur, 2008), (Putter, 2010) and others mentioned in the literature review above. Organizational climate differs from organizational culture (Wallace, Hunt, & Richards, 1999); climate rather than culture was chosen so that the respondents' own perceptions could be related to compliance behavior. The factors of perceived organizational climate (POC) used were upper management practices, supervisor practices, and co-workers and peers socialization from Chan et al., as refined by Jaafar & Ajis; they were measured as one construct, Organizational Climate (OC) (Chan, Woon, & Kankanhalli, 2005, p. 11) (Jaafar & Ajis, 2013, p. 10). In this study, the moderating effect of OC on the relationship between self-efficacy and actual compliance behavior was investigated: the researcher wanted to assess whether the decision of employees who are confident that they can comply with the information security policy could be altered by the way they perceive the climate within the company. The fifth variable was the dependent variable, actual compliance behavior (Chan, Woon, & Kankanhalli, 2005) and (Ajzen I., 1991), as described in paragraph 2.6. Figure 6 shows the conceptual model of this framework, combining the different factors and their proposed relationships.

Figure 6 Conceptual model

The independent variables above have all been tested before in relation to actual compliance behavior and were used to build the conceptual model, with perceived organizational climate as moderating factor on the relationship between self-efficacy and compliance behavior.

Chapter 3 Research Design and Methodology

3.1 Security within Telesur

Telesur had two departments responsible for security within the organization. The Security department (SEC) was responsible for security throughout the organization, including physical and information technology security, and for internal and external audits. The Management Information Systems department (MIS) was responsible for the information and network security of the internal network it supported and maintained. MIS implemented an Information Security Policy with the purpose of safeguarding the investments made by the organization, safeguarding information on information systems, preventing the violation of property rights (copyrights) and protecting the good name of the company. The Information Security Policy covered the following fields:

1. Acceptable e-mail and Internet usage policy. Guidelines and procedures on acceptable use of e-mail for Telesur business purposes, mailbox and attachment sizes, sending mail to all employees, forwarding mails that contain instructions to forward them further, harassment and fraudulent acts; further, use of the Internet only for work-related activities, and guidelines on streaming, web conferencing and downloading of music and videos.
2. Access control, user IDs and passwords. Description of the identification, authorization and authentication process, and guidelines for the use of usernames and passwords for Active Directory and Virtual Private Network (VPN) connections.
3. Physical security. Guidelines on the storage and safeguarding of IT systems that contain sensitive information or that could give access to corporate resources.
4. Protection of copyrights and license agreements. Guidelines on the use of acquired enterprise software, the use or making of illegal copies of software, books and articles, and the use of illegal or cracked software.
5. Usage of wireless networks. Guidelines on the use of wireless networks with access to corporate resources and of wireless networks intended primarily for Internet access, and the activities prohibited on these networks.
6. Usage of remote access applications and webinars. Guidelines on access to VPN services and on the use of webinar tools that require installation on client systems.
7. Security scans. The regular security scans performed by the IT department, and its mandate to remove unwanted applications or block a user's further access to network resources.
8. Removable storage media. Guidelines on the use of CDs, DVDs and memory devices, and on the use of specific hardware-encrypted drives when transporting business-critical and sensitive information within or outside the company boundaries.
9. Disciplinary actions. The measures taken when the guidelines are not complied with, specifically for copyrighted material, according to the applicable regulations.

All chapters of the policy were covered by a description of the responsibilities of managers, the IT department (MIS) and the employees, and were applicable to the Human Resource department (P&O) and the overall security department (SEC). After various studies and workshops it was suggested to implement a more stringent policy covering all aspects of information security. It was chosen to adapt the information security standard ISO 27002, as research, seminars and workshops showed that many organizations base their information security policy on this standard (Ma & Pearson, 2005, pp. 2, 8), (Tsohou, Kokolakis, Lambrinoudakis, & Gritzalis, 2010, pp. 2-3) and (Gillies, 2011, p. 3). ISO 27002 belongs to the ISO 27000 family and was preferred over ISO 27001, as ISO 27002 is more practical to implement as an Information Security Policy when paraphrased and defined as a policy. ISO 27002 is named the Code of Practice, while ISO 27001 defines the mandatory requirements for an Information Security Management System (ISMS) (IsecT Ltd., 2013). Moving from the previous Information Security Policy to a version adapted to the guidelines and principles of ISO 27002 was a long process. NEN-ISO/IEC 27002 was rewritten, paraphrased and defined in terms accustomed to the Telesur environment and is used as the Security Charter for MIS; from the Security Charter the new Information Security Policy was developed. NEN-ISO/IEC 27002 consists of several fields. For the purpose of this study the former version of this standard was used (ISO / IEC, 2005), known as ISO/IEC 17799:2005, which was renumbered to ISO/IEC 27002 to fit the 27000 numbering series (ISO Directory, 2013). This standard includes:

- Risk assessment and treatment. This section describes the risk assessment process, including identification, quantification and prioritization, to give management enough information to decide which mitigation, reduction or other measures to choose. The assessment can be done at different levels, from the whole organization down to a specific service.
- Security policy. This chapter describes the format of the information security policy document, including statements of management support, an explanation of the policy's principles, responsibilities, reference documents and so on. It further states how and when the policy document should be reviewed and what the reviews should contain.
- Organization of information security. This chapter describes what management should do to commit to information security, such as providing appropriate resources and direction, directing information security awareness and assigning roles and responsibilities. It also covers the confidentiality and non-disclosure of information in terms of agreements, and methods of communication with partners and customers.
- Asset management. This chapter describes the identification of all important assets, of which an inventory should be kept. Every asset should have an owner who is responsible for it and protects it. Rules for acceptable use of the assets should be in place and apply to all parties: internal staff, contractors and third parties. Information is also seen as an asset and should be classified and protected accordingly.
- Human resources security. Describes the rules and guidelines organizations should apply when employing new personnel and for personnel already employed. Roles and responsibilities should be clear, also for third parties and contractors. When dealing with information of the organization, employees, contractors and third parties should sign specific agreements that at least assign responsibility for their actions. The employment process is described, as well as the different processes during employment. Guidelines for termination or change of employment, such as return of assets and termination of access rights, are also covered in this chapter.
- Physical and environmental security. This chapter covers the security aspects of the environment containing information and information systems. It describes guidelines for securing these environments against unauthorized access, damage and interference to the rooms and buildings of the organization: perimeter control, entry control, external and environmental threats, equipment and cabling security, and how to properly dispose of equipment.
- Communications and operations management. Describes guidelines for the management and operation of information processing facilities. Documented procedures should be handled as formal documents and be subject to change management. This chapter further describes guidelines for segregation of duties and separation of facilities to prevent unauthorized access, modification and changes to systems. It covers measures to protect operational systems against malware and unauthorized code, guidelines for the backup of information and software on servers and client systems, and guidelines for managing the security of the network, such as access control to network services and monitoring, auditing and protection of the network. This chapter also describes media handling and, specifically relevant to the sanction scenario in the present study, the management of removable media in use, in storage and in transit, in the last case including the use of encryption to protect the confidentiality, integrity and authenticity of information; a number of other techniques are mentioned to properly protect information on these devices. Security considerations for electronic commerce are described, including confidentiality and integrity when performing (on-line) transactions and payments. It further describes controls and guidelines for proper management of systems by administrators, with identification and authentication, access to systems and applications, and password management. The last paragraph of this chapter describes guidelines and controls for the use of mobile devices and communication, including physical protection of these devices, backup of critical information, encryption techniques and virus protection. Training is also mentioned, to increase employees' awareness of the use of mobile devices and the associated risks.
- Information systems acquisition, development and maintenance. This chapter describes guidelines enterprises should follow to incorporate security from the beginning when designing or implementing information systems, including operating systems, applications, services and the business infrastructure. Measures include the use of cryptography to protect corporate information, protection of source code and system test data, and other critical processes. Further, measures should be taken to keep operating systems and applications up to date through vulnerability management.
- Information security incident management. This chapter describes guidelines for the effective reporting and management of discovered security incidents or events, and also of security weaknesses found while working with information systems of the organization or of third parties affecting the organization. These lessons learned can further be used in awareness sessions for employees.
- Business continuity management. This chapter describes guidelines and controls to manage critical business processes in the wake of a natural disaster or another catastrophe of such nature. Systems, applications, personnel, contractors, third parties, processes and other business-critical resources should be identified and configured or designed in such a manner that, when disaster strikes, the critical business processes can continue to be provided to customers and stakeholders, minimizing the financial and reputational impact on the business. With a properly conducted risk assessment, business processes can be identified together with their probability and impact on the business in the event of an interruption. From this assessment a business continuity strategy is developed, which leads to the business continuity plan. This chapter further describes the business continuity framework and how it should be tested, maintained and re-assessed.
- Compliance. The last chapter covers compliance with local and international regulations, agreements and contracts with vendors, and local jurisdiction. It further covers compliance with the information security policy, which links to the essence of the present study. One control states: "Users should be deterred from using information processing facilities for unauthorized purposes" (ISO / IEC, 2005, p. 114). This links the sanction part of deterrence theory to the study herein.

As mentioned earlier, this standard was rewritten at some points to fit as the Information Security Charter of Telesur for the internal network, from which the Information Security Policy is built, depending on the risk assessment outcomes. Overall, sanctions, awareness and management practices are an integral part of ISO 27002 and of most companies' information security policies.

The question for the questionnaire was which method to use to assess employees' perception of sanctions. The researcher did not expect employees to give objective answers, as employees may not have encountered sanctions or even witnessed sanctions of their co-workers. In previous studies on compliance behavior that included sanctions as an independent variable, scenarios were often used (Vance, 2010, p. 146). Different scenarios were possible based on the security issues identified, and the most applicable scenario should be used in the sanctions part of the questionnaire. To select that scenario, several questions were asked to officials and officers of the Security department (SEC) and the Human Resource department (P&O). The answers should guide the researcher to the most applicable sanction-related scenario, the one contributing most to this research, and thus to the questions for the chosen scenario. The same questions were presented to these officers and officials, as follows:

1. Are there cases known of non-compliance with the information security policy?
2. Are sanctions applied when non-compliance with the information security policy is detected?
3. If sanctions are enforced or practiced, what are the different levels of punishment?
4. If question 3 applies, at which level are sanctions implemented: only at workers level, or also at junior, senior and management level?
5. What type of non-compliance is practiced most by employees:

a. Users leaving their PC or laptop unlocked and accessible to others
b. Users carrying information on unencrypted USB drives outside the company
c. Users allowing third parties to work on their laptops when outside the company
d. Users writing down their passwords visible to others
e. Users sharing sensitive information with third parties
f. Users visiting non-prohibited but malware-dangerous websites
g. Users sending sensitive information to third parties by e-mail
6. Are there other cases of non-compliance with the ISP than those mentioned above?
7. In case a sanction is applied, on what basis: the ISP, civil law, the employment agreement or other regulations?

The answers showed that there had been cases of non-compliance with the information security policy and that people had been sanctioned. Sanctions ranged from reprimands and suspensions to demotion from the current function level. Regarding which types of violation were known or most common, the officers could give no clear information; users also will not make it publicly known that they have engaged in such practices, as this could be to their disadvantage. Other known cases of non-compliance were stolen laptops and leaking of customer information to third parties. The stolen laptops were due to nonchalance and even suspect behavior of employees who knew they should safeguard their laptops when carrying them outside the company. If the information on these stolen laptops was not encrypted, the consequences could be costly for the company. Although the information security policy stated that sanctions were subject to applicable rules and regulations, the HR department did not use any specific regulation or rule to apply sanctions. One measure taken to prevent unauthorized access to the information on these laptops was encryption of the hard drives, effective when the laptops are turned off. (Full-disk encryption protects data only while the device is fully powered off; a laptop stolen while running or suspended, with the encryption key still in memory, is exposed much like an unencrypted one.) This was only the case for certain laptops, as some employees were given permission by their manager to buy laptops other than the standard supported models. Laptops make up 55% or more of all desktops and laptops in the company. Furthermore, users were using all kinds of USB drives to transport work-related and personal information. The Information Security Policy stated that a specific hardware-encrypted USB drive, available on request at the service desk, must be used to transport sensitive information. Use of this drive was not enforced technically by restricting the USB ports of laptops and desktops to accept only these drives, but USB port usage was monitored. The use of unencrypted USB drives could pose an even bigger threat to information security, because it is easy to transport large quantities of information in and out of the company. So, although sensitive information was taken outside the company on laptops, the laptops managed by the internal department were encrypted (drive-locked) when turned off, which minimized data theft when stolen. Based on the description above, the researcher chose the scenario of Vance, in which an employee takes information on a USB drive outside the company, to assess the sanctions part of the questionnaire (Vance, 2010, p. 146). The USB case was the greater problem: the risk of losing confidential and business-critical information when a laptop is stolen was smaller than for users who use various unencrypted USB memory drives on both business systems and their personal systems, even though hardware-encrypted USB drives were available. Vance's scenario did not use the words "unencrypted USB drive", but this was added to bring the scenario more in line with the Information Security Policy within Telesur. The last sentence of the scenario in paragraph 3.3 states: "Peter copies the corporate database to his portable USB drive and takes it off company premises." This sentence was modified to: "Peter copies the corporate database to his unencrypted portable USB drive and takes it off company premises." The next paragraph describes the sample design.

3.2 Sample design

Telesur had 812 employees. There were also temporary workers at Telesur, but this group was not included in the questionnaire. As can be seen in table 1, there were four main departments within Telesur, each headed by a director, of which the General Directorate is headed by the General Director. The interviews with the officials showed that sanctions were not applied to employees above Middle Management; even at Middle Management there were no known cases of sanctions for non-compliance with the Information Security Policy. Because it was possible to form different groups, the researcher initially chose stratified simple random sampling with three groups of employees: CAO employees, staff members and middle management. These three strata were assumed to hold different, or slightly different, views on compliance with the Information Security Policy. Management and top management were excluded because sanctions are unlikely to be applied to them. Another sampling method would be by department. There were four departments: Finance, Commercial Affairs, Operations and the General Directorate. In that case, CAO employees and staff members would form one stratum per department, and middle management, management and top management would be excluded because no compliance issues had been filed against them. There were instances in which middle managers had been subjected to sanctions, not for non-compliance with the ISP but for other reasons or misconduct. One could argue that sanctions for non-compliance with the ISP would also be advisable for middle managers, so adding middle managers to the sampling strata would be useful; but a middle manager may react differently from CAO employees, and therefore it would not be practical to put both in one stratum. Another possibility was to combine staff members and middle managers in one stratum, assuming variability in the responses per group: employees of the Finance department would think differently from employees of the Operations department, because they should be aware of the confidentiality issues and other precautions when dealing with financial information, and likewise for the employees of the other departments. Within the groups or strata, variability could be low while the groups differ from each other, which leads to greater precision of the interval estimates (Anderson, Sweeney, & Williams, 2011, chapter on CD). For the purpose of this study, the researcher chose to work with three vertical strata:
- Middle managers, with a total of 47 employees.
- Staff members, with a total of 59 employees.
- CAO employees, with a total of 678 employees.

40 Table 1 Telesur employees overview Segment Director of Finance Director of Comm. Aff. Dir. of Operations General Director Total Employees Top Management Management Middle Management Staff members CAO empl Total employees Source: Telesur HR Department 47 Middle Managers, 59 Staff Members and 678 CAO employees make a total population of 784 employees from which samples were taken. The questionnaire used a 5-point Likert-scale and the data was treated confidentially (Anderson, Sweeney, & Williams, 2011, pp ). The Likert-scale data was treated as continuous (Bartlett, Kotrlik, & Higgins, 2001, p. 2). The way in which the questions per variable or construct were designed, made it impossible for a proportion of the population. Formula 1 (Anderson, Sweeney, & Williams, 2011, p. 317) for estimating the population mean was used to calculate sample sizes instead of the formula for population proportion. Because no previous research was done within Telesur in this field, a pilot study was conducted to retrieve standard deviations of all 5 constructs in order to calculate reliable sample sizes for these constructs. Actually the pilot was not conducted for all three strata separately or equally, so the Standard Deviation from the pilot could not be used to further calculate the sample sizes for all strata. Cochran and Bartlett et al proposed four assumptions to choose from when the Standard Deviation is not available; these are (1) the two steps method, (2) a pilot study, (3) data from previous study and (4) an estimate based on mathematical assumptions (Cochran, 1977, p. 78) (Bartlett, Kotrlik, & Higgins, 2001, p. 3). The second method was already applied as described above. The first two-steps method was then chosen, as it suits the Likert scale (Bartlett, Kotrlik, & Higgins, 2001, p. 3). This method gave the maximum standard deviation where no previous data was available. 
The maximum standard deviation was computed as follows. First, the standard deviation was calculated for every variable from the number of scale points and the number of standard deviations the scale spans. Once calculated, these standard deviations can be used to calculate the sample sizes for all variables, of which the largest should be chosen for further calculations (Cochran, 1977, p. 81). In this study a 5-point Likert scale was used for all variables; the centre (mean) of the scale is 3, leaving 2 points on each side of the mean, so the scale spans 4 standard deviations. The maximum standard deviation was then calculated as σ = 5/4 = 1.25. Second, the margin of error was calculated from an initially estimated E of 6.67% and the number of values of the Likert scale: E = 5 × 6.67% ≈ 33.34% of a scale point (assuming a deviation from the mean of ± 1). With a confidence level of 95% (z = 1.96) and Formula 1, n = 55 (Anderson, Sweeney, & Williams, 2011, p. 318) (Cochran, 1977, p. 78). Only one sample size was calculated for all variables in this case. The issue then was that the sample size of 55 was larger than the populations of the strata Middle Managers and Staff members. If n₀ represents the calculated sample size of 55 and N the population, then (Cochran, 1977, p. 78) and (Bartlett, Kotrlik, & Higgins, 2001, p. 4) state that if n₀/N exceeds 5%, Formula 2 can be used to correct the sample size for the population size. Using Formula 2, the sample sizes were corrected for the three strata as follows:
- Middle managers, population 47: new n₁ = 25
- Staff members, population 59: new n₂ = 29
- CAO employees, population 678: new n₃ = 51; with oversampling of 50%, n₃ becomes 77.
It is also recommended to increase the sample size by 40% or 50%, especially when mailing the questionnaire (Bartlett, Kotrlik, & Higgins, 2001, p. 4). The Middle Managers and Staff members sample sizes were already more than 50% of their populations, and the questionnaire was sent to those whole populations. Only for CAO employees was an oversampling of 50% applied, up to 77.

Formula 1 (sample size for estimating a population mean): Zα/2 is the critical value of the standard normal distribution for the chosen confidence level, σ the standard deviation, E the margin of error and n the sample size.

Formula 2 (finite population correction): n₀ is the sample size to be corrected and N the population.
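As an added worked example (not part of the thesis), the sample-size arithmetic of this section in Python: Formula 1 is Cochran's n₀ = (Zα/2 · σ / E)², Formula 2 the finite population correction n = n₀ / (1 + n₀/N), and the inputs are the ones stated above (σ = 5/4, E = 33.34% of a scale point, z = 1.96, populations 47, 59 and 678, 50% oversampling). Rounding is always upward here, which gives 26 rather than the 25 reported above for the Middle managers stratum; the other figures agree.

```python
"""Sample size for estimating a Likert-scale mean (Cochran, 1977) with finite
population correction and oversampling.

Added worked example, not from the thesis. Inputs follow the text:
5-point scale, 95 % confidence (z = 1.96), E = 33.34 % of a scale point,
stratum populations 47 / 59 / 678, 50 % oversampling for mailed surveys.
"""
import math

Z_95 = 1.96           # z_{alpha/2} for a 95 % confidence level
FPC_THRESHOLD = 0.05  # apply the correction once n0/N exceeds 5 %


def max_sd_likert(points: int) -> float:
    """Two-step (Bartlett et al.) upper bound on the SD of a Likert item:
    the scale range divided by the 4 standard deviations it spans
    (2 points either side of the midpoint). 5-point scale -> 1.25."""
    return points / 4


def cochran_n0(sd: float, error: float, z: float = Z_95) -> int:
    """Formula 1: n0 = (z * sigma / E)^2, rounded up to a whole respondent."""
    if error <= 0 or sd <= 0:
        raise ValueError("sd and error must be positive")
    return math.ceil((z * sd / error) ** 2)


def fpc(n0: int, population: int, threshold: float = FPC_THRESHOLD) -> int:
    """Formula 2: n = n0 / (1 + n0/N). Skipped when the sample is a
    negligible fraction of the population; never exceeds N."""
    if n0 / population <= threshold:
        return min(n0, population)
    return min(population, math.ceil(n0 / (1 + n0 / population)))


def oversample(n: int, population: int, factor: float = 0.5) -> int:
    """Inflate for non-response (Bartlett et al. recommend 40-50 % when
    mailing), capped at the population size."""
    return min(population, math.ceil(n * (1 + factor)))


def plan(strata: dict[str, int], points: int = 5,
         error: float = 0.3334, oversample_factor: float = 0.5) -> dict:
    """Per-stratum sample sizes: n0 (uncorrected), n (after FPC) and the
    number of questionnaires to mail after oversampling."""
    n0 = cochran_n0(max_sd_likert(points), error)
    result = {}
    for name, population in strata.items():
        n = fpc(n0, population)
        result[name] = {
            "N": population,
            "n0": n0,
            "n": n,
            "mail": oversample(n, population, oversample_factor),
        }
    return result


if __name__ == "__main__":
    # Stratum sizes as given in Table 1 of the thesis.
    for name, row in plan({"Middle managers": 47,
                           "Staff members": 59,
                           "CAO employees": 678}).items():
        print(f"{name:16s} N={row['N']:4d}  n0={row['n0']}  "
              f"n={row['n']:3d}  mail={row['mail']}")
```

For the two small strata the oversampled figure lands well below the population, so the decision in the text to mail the whole stratum instead is a judgment call rather than an output of the formulas.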
3.3 Item design

3.3.1 Reliability and validity of the questionnaire

Reliability is about the consistency of test results when the test is repeated. Data gathered at a certain point in time with a questionnaire should give the same results when gathered under similar conditions at another moment in time. If this is the case, the measurement instrument can be called reliable. Reliability was estimated through repeatability (the same test reproduced under the same conditions) and internal consistency. Consistency can be measured with different methods, of which Cronbach's coefficient alpha is the most used. With this coefficient the inter-item reliability between the items of a construct was measured. A construct with an inter-item Cronbach alpha above 0.7 was considered reliable. Additionally, it is important to have enough variability in the difficulty of the questions (from easy to difficult); if the questions are all too difficult, for example, reliability could suffer (Thanasegaran, 2009, p. 3).

Validity differs from reliability in that the focus is not on the consistency of the results but on the extent to which the construct or variable measures what the questionnaire ought to measure. Reliability is, however, a precondition for the validity of a construct. Put differently, a questionnaire or measurement instrument is valid if it measures what it claims to measure. The validity of a measurement rests on the theoretical foundations of the constructs used (content validity) and on the theoretical relationships between the variables (construct validity). If respondents clearly understand the questions, the accuracy of the responses increases, which in turn improves the questionnaire's validity and reliability (Tafti, Cheraghvandi, Marashian, Emami, & Mokri, 2009, p. 2). All factors used in the questionnaire of the present study have a theoretical basis, and the items were tested in previous studies with high reliability and validity. For this study a pre-test or pilot was conducted to test the reliability of the constructs. The questionnaire was sent to 10 respondents and the results were tested for reliability (Cronbach alpha) with SPSS. The results of the test are in Table 2, pilot test reliability results. Item 1 of Self-Efficacy was reverse coded.
Table 2 Pilot test reliability results, 10 samples (source: researcher's generated data). Columns: Variables; # items; Cronbach α. Rows: Sanctions; Self-efficacy (.838 if item 2 is deleted); ISA; Organizational Climate (.795 if item 2 is deleted); Actual Compliance behavior (.837 if item 6 is deleted).

As mentioned earlier, the inter-item Cronbach alpha of each variable should be higher than 0.7. Table 2 shows that the inter-item reliabilities of Self-efficacy and Organizational Climate could be improved by deleting two items (item 2 of each), but because of the small sample size of the pilot the researcher chose not to delete items yet and to conduct the main assessment first, to see whether the reliability of the variables would improve with larger sample sizes. Item 1 of Self-Efficacy was negatively worded and was reverse coded. The pilot study was conducted with LimeSurvey hosted by Management Courses, while the complete survey was sent out with Free Online Surveys.
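As an added example (not the thesis's SPSS procedure), the reliability check described above in Python: negatively worded items are reverse coded (1↔5, 2↔4), Cronbach's α is computed for the construct, and α-if-item-deleted is reported per item, as in the parentheses of Table 2. The construct, item names and the 10 response rows are constructed for illustration, not Telesur data, with one negatively worded item to show how skipping the reverse coding wrecks α.

```python
"""Cronbach's alpha for a Likert construct, with reverse coding of
negatively worded items and alpha-if-item-deleted.

Added worked example; the item names and the 10 response rows below are
constructed for illustration and are not Telesur data. Self1 is worded
negatively, as in the thesis, and must be reverse coded before alpha is
meaningful.
"""
from statistics import variance

SCALE_POINTS = 5
ALPHA_THRESHOLD = 0.7  # the cut-off used in the text

# Constructed pilot responses: one list per item, one score per respondent.
SELF_EFFICACY = {
    "Self1": [2, 1, 3, 4, 1, 2, 4, 2, 3, 1],  # negatively worded
    "Self2": [4, 5, 3, 2, 5, 4, 3, 4, 2, 5],
    "Self3": [5, 5, 3, 2, 4, 4, 2, 4, 3, 5],
    "Self4": [4, 4, 2, 3, 5, 3, 3, 5, 2, 4],
}
NEGATIVE_ITEMS = {"Self1"}


def reverse_code(score: int, points: int = SCALE_POINTS) -> int:
    """Flip a score so that high values mean agreement: 1<->5, 2<->4, 3->3."""
    if not 1 <= score <= points:
        raise ValueError(f"score {score} outside 1..{points}")
    return points + 1 - score


def recode(items: dict[str, list[int]], negative: set[str]) -> dict[str, list[int]]:
    """Return a copy of the construct with negatively worded items reversed."""
    return {name: [reverse_code(s) for s in scores] if name in negative else list(scores)
            for name, scores in items.items()}


def cronbach_alpha(items: dict[str, list[int]]) -> float:
    """alpha = k/(k-1) * (1 - sum(var_item) / var_total), sample variances."""
    k = len(items)
    if k < 2:
        raise ValueError("alpha needs at least two items")
    totals = [sum(row) for row in zip(*items.values())]
    total_var = variance(totals)
    if total_var == 0:
        return float("nan")  # every respondent scored the same total
    item_var = sum(variance(scores) for scores in items.values())
    return k / (k - 1) * (1 - item_var / total_var)


def alpha_if_deleted(items: dict[str, list[int]]) -> dict[str, float]:
    """Alpha of the construct with each item removed in turn (the
    'Cronbach's Alpha if Item Deleted' column in SPSS)."""
    return {dropped: cronbach_alpha({n: s for n, s in items.items() if n != dropped})
            for dropped in items}


def assess(items, negative, threshold=ALPHA_THRESHOLD) -> dict:
    """Full pilot check: alpha before and after recoding, per-item drop
    analysis, and whether the construct passes the threshold."""
    coded = recode(items, negative)
    alpha = cronbach_alpha(coded)
    return {
        "alpha_raw": cronbach_alpha(items),
        "alpha": alpha,
        "if_deleted": alpha_if_deleted(coded),
        "reliable": alpha > threshold,
    }


if __name__ == "__main__":
    report = assess(SELF_EFFICACY, NEGATIVE_ITEMS)
    print(f"alpha without reverse coding: {report['alpha_raw']:.3f}")
    print(f"alpha with Self1 reversed:    {report['alpha']:.3f}")
    for item, a in report["if_deleted"].items():
        print(f"  alpha if {item} deleted: {a:.3f}")
```

On the constructed data the unreversed construct has a negative α, because Self1 is negatively correlated with the other three items; after reverse coding α is well above 0.7, and the drop analysis shows which single item, if any, is pulling α down, which is exactly the judgment the text postpones until the main sample.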

3.3.2 Items of the questionnaire

The questionnaire contains items adopted from previous studies related to this one. A total of 39 items composed the questionnaire, with a scenario for two constructs. The questions were translated from English into Dutch by a certified interpreter and another Dutch language specialist. Where applicable, minor adjustments were made to the questions and the scenario.

Sanctions
Items from Vance were modified according to the scenario of using unencrypted portable media (Vance, 2010, pp. 146, 147). The items were adjusted to the following sanction factors: reprimand, loss of respect, jeopardised future promotion, transfer to another department, suspension, demotion and penalties under criminal law. A total of 7 items were used to assess sanctions.

Unencrypted portable media scenario: "Peter is working on a report that requires the analysis of sensitive data. Because of the sensitive nature of corporate data, the company has an information security policy prohibiting the copying of corporate data to unencrypted portable media, such as USB drives. However, Peter will travel for several days and would like to analyze the corporate database on the road. Peter copies the corporate database to his unencrypted portable USB drive and takes it off company premises" (Vance, 2010, p. 146). The items are in Appendix A Measurement Items.

Self-efficacy
Three slightly modified items for self-efficacy from Vance, with the scenario of using unencrypted portable media, were used (Vance, 2010, pp. 152, 154), together with three items from Herath & Rao (Herath & Rao, 2009, p. 18). A total of 6 items were used to assess self-efficacy. The same scenario used for sanctions was used for self-efficacy. The items are in Appendix A Measurement Items.
Information Security Awareness
Part of the questionnaire from Muhire was used: question 3 as is, and question 4 modified to "I will" instead of "I intend to", for a total of 7 items (Muhire, 2012, p. 26). These questions relate ISA more directly to Actual Compliance Behavior. The items are in Appendix A Measurement Items.

Organizational Climate (OC)
The items used here were chosen so that the researcher could assess whether certain behavior or acts of colleagues affected or moderated the relation between self-efficacy and actual compliance behavior. These items were chosen from the upper management practices (UMP), supervisor practices (SP) and co-worker practices (CP) of Chan et al., as improved by Jaafar & Ajis (Chan, Woon, & Kankanhalli, 2005, p. 11) (Jaafar & Ajis, 2013, p. 10). The latter version was used, a total of 13 items. The items are in Appendix A Measurement Items.

Actual Compliance Behavior (ACB)
Items to measure actual compliance behavior were adopted from Chan et al., Table 2. A total of 6 items were used (Chan, Woon, & Kankanhalli, 2005, p. 11). The items are in Appendix A Measurement Items. There were 39 items in total for this research.

Chapter 4 Analysis and Findings

As mentioned in chapter 3, the survey was first piloted by sending it to 10 respondents. There were no significant issues or suggestions regarding the questionnaire. The questionnaire was therefore not adjusted and was sent out to 300 employees: 106 to Staff members and Middle managers as one group (stratum) and the remaining 194 to CAO employees. The response rate obtained by previous MBA students within Telesur was approximately 30% after 3 working weeks. Table 3 gives an overview of the response rate per stratum after 18 days, including two weekends. The last row, Staff and Managers, shows the figures for the combined group of Staff members and Middle managers.

Table 3 Response rate (source: researcher's generated data). Columns: Strata; Population (sent to); Sample size; Responses; Resp. rate. Rows: Middle Managers, 47 (all); Staff members, 59 (all); CAO employees, 678 (194); Total, 784 (300); Staff and Managers, 106 (all).

In this chapter the data gathered from the survey is analyzed statistically with descriptive statistics (frequencies) and inferential statistics (correlations and regressions). Before the data was analyzed, the dataset was prepared, cleaned and, where necessary, recoded so that answers to negatively worded statements point in the positive direction. The recoded data was analyzed with Principal Component Analysis (PCA). Then a new reliability analysis was done for the remaining items per latent variable. After the reliability analysis the data was explored with descriptive statistics, followed by correlation analysis and finally multiple regression analysis.

4.2 Data Preparation (recoding and Principal Component Analysis) and Reliability

The data was prepared for PCA to see which items per component correlate highly (r > 0.6) with each other, forming the best components or latent variables for the model (Field A., 2009, pp. 628, 638) (SAS Institute Inc., 2013, p. 5), by assessing the correlations between the variables and the loadings. As mentioned earlier, the negatively worded items were first reversed. These items belonged to the following latent variables:
- Sanctions: none
- Self-Efficacy: item Self1
- ISA: none
- Org. Climate: item OCCP2
- Act. Compl.: items ACB2 to ACB6

After reversing the items that needed it, Principal Component Analysis (PCA) was performed. Conducting a PCA requires the data to meet several assumptions similar to those for parametric correlation analysis (Field A., 2009, p. 650). The assumptions for parametric data are normally distributed data, homogeneity of variances, interval data and independence (Field A., 2009, p. 133) (SAS Institute Inc., 2013, p. 55). Because some latent variables did not meet at least the requirement of normally distributed data (see paragraph 4.4 Correlations), the researcher opted for a program that offers non-parametric correlations for PCA. SPSS and SAS use the Pearson correlation for factor analysis and PCA (Field A., 2009, p. 628). XLSTAT and R can also base the PCA on Kendall or Spearman correlations, which are appropriate for non-parametric PCA. XLSTAT was chosen because it was easier to learn and use than R. Appendices C1 to C3, PCA, show the matrices for the three groups: first the complete data set, second the CAO employees and third the total Staff (staff members and managers). XLSTAT was installed as an add-in for Microsoft Excel. The following settings were used in XLSTAT, selected from the XLSTAT add-in tab in Microsoft Excel, Analyzing data, Principal Component Analysis:
- General: Observations/variables table; PCA type Spearman; sheet and variable labels;
- Options: oblique rotation, because correlations between components were assumed, with Oblimin chosen since Promax is more complex and intended for large samples; number of factors 5, to cover the 5 variables; Kaiser normalization with Tau equal to zero for moderate correlations between components (Field A., 2009, p. 644) (SAS Institute Inc., 2013, p. 8);
- Outputs: descriptive statistics, correlations with a 5% significance test, eigenvalues, factor loadings and variables/factors correlations.
After the PCA, items with a component loading below 0.6 were deleted, as components with at least 4 items loading above 0.6 are considered good enough for factor analysis, and in this case PCA, regardless of the sample size (Field A., 2009, p. 647) (Stevens, 2002, p. 395). From the remaining items composite variables were created with the Transform and Compute functions in SPSS. The MEAN function was used to calculate the average score per latent variable, and for Actual Compliance Behavior an extra composite variable was created using the SUM of the scores, in order to conduct cross-tabulation tests; see Appendix D, Cross tabs, for the results and the analysis in the next paragraph. In Appendix C, PCA, the reader can see which items were deleted for each of the three groups by following the item sequence numbers and the original number of items per variable in Table 2. One requirement for a statistically significant PCA is a data set of at least 50 responses with loadings above the threshold Stevens gives for that sample size (Stevens, 2002, p. 294), or 100 responses with a correspondingly lower loading threshold. For this reason Staff members and Middle managers were combined into a new stratum with a total of 48 responses, slightly below the 50 needed for a valid PCA, making three groups in total. After the PCA a new reliability analysis was conducted for the remaining items per variable; the results are shown in Table 4 for the complete set, Table 5 for the CAO employees and Table 6 for the total Staff. All alphas were above 0.8 after PCA.

Table 4 Complete dataset, 113 responses (source: researcher's generated data). Columns: Latent variable; mean; St. deviation; Cronbach α; items. Rows: Sanctions; Self-Efficacy; Infor. Sec. Awareness; Organizational Clim.; Actual Compliance.

Table 5 CAO employees dataset, 64 responses (source: researcher's generated data). Columns: Latent variable; mean; St. deviation; Cronbach α; items. Rows: Sanctions; Self-Efficacy; Infor. Sec. Awareness; Organizational Clim.; Actual Compliance.

Table 6 Staff and Managers dataset, 49 responses (source: researcher's generated data). Columns: Latent variable; mean; St. deviation; Cronbach α; items. Rows: Sanctions; Self-Efficacy; Infor. Sec. Awareness; Organizational Clim.; Actual Compliance.

4.3 Descriptive Statistics

The questionnaire included demographic questions to obtain an overview of the respondents (age, education level, work experience, number of years in the company, function level and gender) and to assess their compliance behavior descriptively. Appendices D1 to D5 show the descriptive statistics for gender, function, education level (Master level or equivalent (MSc/MBA), Bachelor level or equivalent (BSc/HBO), upper secondary level (VOS/MBO) and lower secondary level (MULO/LBO)), age and tenure, for the complete dataset only. These demographics were compared with the actual compliance behavior of employees using cross tabulations in SPSS. For this analysis an ordinal measure of Actual Compliance Behavior was needed, so a latent variable was created with the SUM function in SPSS.

From the SUM scale (6 items, so totals from 6 to 30) a new latent variable was created with three categories:
- Noncompliance, for scores between 6 and 17, recoded to 1
- Neutral, for a score of exactly 18 (6 × 3), recoded to 2
- Compliance, for scores between 19 and 30, recoded to 3
Appendix D shows that fewer than half (44%) of the employees said they comply or would comply with the Information Security Policy. Appendix D1 further shows that females and males comply differently, 61% and 33% respectively. The Phi and Cramer's V tests were significant with p < .05, as was the Chi-square test. These results would lead one to accept a hypothesis that gender influences ACB (Field A., 2009) (Garth, 2008, p. 64). The Phi and Cramer's V values, however, indicate only a weak relationship between gender and ACB. The Chi-square, Phi and Cramer's V tests for function, age, tenure and education level were not significant, with all p values > .05; the results are shown in Appendices D2 to D5. For these categories the null hypothesis of no relationship cannot be rejected, meaning there is not enough evidence to say that function level, age, tenure or education influences ACB.

4.4 Correlations

Spearman's rank-order correlation (Pallant, 2005, p. 121) should be used when the data is ordinal (for example Likert-scale data). Spearman's rank-order correlation was therefore used instead of Pearson's product-moment coefficient, because the data as a whole did not pass the normality tests, as can be seen in Appendix B. Several assumptions should hold for statistical testing, especially with parametric data. Data can be tested for normality by assessing skewness and kurtosis, but because these can give misleading results, especially for large samples, the researcher opted to use the normality tests available in SPSS (Field A., 2009, p. 139). These are the Kolmogorov-Smirnov test (for large samples) and the Shapiro-Wilk test (for small samples), which test the distribution as a whole against a normal distribution (Field A., 2009). A significance value below 0.05 shows that the data is not normally distributed and hence not suitable for Pearson's correlation analysis (Pallant, 2005, p. 53) (Field, 2005, p. 93). Appendix B, Testing Assumptions, shows the results of the normality tests for the latent variables created for the complete set after PCA. The histograms show that, at least for Sanctions, the data was not normally distributed.

Examining Appendix B, one can see that none of the latent variables meet the normality requirement for Pearson's correlation test except Organizational Climate. For the CAO employees and for the combined group of Staff members and Managers the results differ. When one of the assumptions for a parametric test is violated, non-parametric tests should be used for the correlation analysis (Garson, 2012, pp. 8, 25). For this reason Spearman's rank-order correlation test was used in SPSS. All tests were non-directional, requiring two-tailed tests, allowing for positive, negative or no relationships (Field A., 2009, pp. 27, 54). For the strength of the correlations the following conventions were used (Pallant, 2005, p. 126):
- coefficients between 0.1 and 0.29: a weak relationship
- coefficients between 0.3 and 0.49: a moderate relationship
- coefficients between 0.5 and 1: a strong relationship
A negative sign before the coefficient means the relationship runs in the opposite direction. As can be seen in Appendix E and Table 7, for all three groups Information Security Awareness and Organizational Climate were significantly correlated with ACB and the relationships were moderate, except OC for the CAO employees, which was weak. All significant relationships were in the same direction as ACB, but this does not imply causal relationships.

Table 7 Correlations with ACB (Spearman), α = 0.05, 2-tailed (source: researcher's generated data)
Stratum | Variable | Significant? | Strength
Complete data set | Sanctions | No (.266) | n.s.
Complete data set | Self-Efficacy | No (.361) | n.s.
Complete data set | ISA | Yes | Moderate
Complete data set | OC | Yes | Moderate
CAO employees | Sanctions | No (.679) | n.s.
CAO employees | Self-Efficacy | No (.908) | n.s.
CAO employees | ISA | Yes | Moderate
CAO employees | OC | Yes | Weak
Staff and Managers | Sanctions | No (.331) | n.s.
Staff and Managers | Self-Efficacy | No (.231) | n.s.
Staff and Managers | ISA | Yes | Moderate
Staff and Managers | OC | Yes | Moderate

Self-Efficacy and Sanctions were not significantly related to ACB in any of the strata nor in the complete set. None of the significant relationships were strong. In the following paragraph the multiple regression of ACB on the variables is analyzed, together with the possible moderating effect of OC on the relationship between Self-Efficacy and ACB.

4.5 Regressions and hypotheses

To test whether Sanctions, Self-Efficacy, ISA and OC predict ACB, multiple regression analysis was used in SPSS. To draw conclusions about the population from a regression analysis, several assumptions need to be met (Field A., 2009). These assumptions are checked below:
- Predictors are categorical or quantitative and the dependent variable is continuous and quantitative. The questionnaire data is quantitative, and continuous latent (composite) variables were created with the Compute function in SPSS using the mean (average) of the items.
- Predictors have non-zero variance. All predictors have variance; none has zero variance.
- No perfect multicollinearity, i.e. no excessively high correlations between predictors (Field A., 2009, p. 220). None of the correlations between the variables exceeds 0.5, as the correlation analysis showed. The coefficient tables in Appendices F, G and H show that all VIF values lie between 1 and 1.1, which is good (Field A., 2009, p. 224).
- Homoscedasticity: the residuals have constant variance. The scatterplots in Appendices F, G and H show no problems, the residuals being fairly evenly spread (Field A., 2009).
- Independent errors: the residual terms are uncorrelated, tested with the Durbin-Watson statistic. Appendices F, G and H show that all Durbin-Watson values lie between 1 and 2; values between 1 and 3 are acceptable (Field A., 2009, pp. 221, 236).
- Normally distributed errors (residuals); note that this concerns the residuals, not the data itself as assessed in the correlation analysis. All residuals were normally distributed, as the histograms show, with means close to zero and standard deviations of approximately 1.
- Linearity between the variables in the model. In the P-P plots the values should lie along a straight line; this can also be checked with Q-Q plots (Field A., 2009, p. 145) (Garth, 2008, p. 65). All plots were close to the straight line.

Although the relationship between OC and ACB was not hypothesized, it was also assessed, because the relationship was highly significant in all groups. The results of the multiple regressions can be seen in Appendices F, G and H; Table 8 summarizes them. All regressions were performed with the stepwise option in SPSS. The hypotheses were as follows:
- H1. Sanctions influence the actual compliance behavior of employees towards the ISP within Telesur.
- H2. Self-efficacy influences the actual compliance behavior of employees towards the ISP within Telesur.
- H3. Information Security Awareness influences the actual compliance behavior of employees towards the ISP within Telesur.
- H4. Organizational Climate moderates the relationship between self-efficacy and the actual compliance behavior of employees towards the ISP.
- H5. OC influences the actual compliance behavior of employees towards the ISP within Telesur. (OC was not originally planned to be tested directly against ACB, only as the moderator in H4; because of the highly significant results, the researcher opted to also discuss the relationship between OC and ACB.)

As can be seen in Table 8, ISA significantly influences employees' compliance with the Information Security Policy within Telesur. Had the relationship between OC and ACB been hypothesized, the null hypothesis for H5 would have been rejected, meaning there is enough evidence to say that OC significantly influences ACB. The hypothesis tests were non-directional, requiring two-tailed tests. Because the literature showed ISA to significantly influence Self-efficacy, the researcher also ran a correlation and a regression for this relationship, for the complete set only; the results are shown in Appendix E1 and Table 9. They show a significant positive relationship between ISA and Self-efficacy, and Table 10 shows that ISA also significantly predicts Sanctions, meaning that if ISA is improved there will be fewer sanctions.

Table 8 Hypotheses testing (source: researcher's generated data). Beta and significance values per predictor are in Appendices F, G and H.
Stratum (model R²) | Hypothesis | H0 rejected?
Complete set (R² = 25%) | H1, Sanctions | Not rejected
Complete set | H2, Self-Efficacy | Not rejected
Complete set | H3, ISA | Rejected
Complete set | H4, interaction term OC × Self-Efficacy | Not rejected
Complete set | H5, OC | Rejected
CAO employees (R² = 21%) | H1, Sanctions | Not rejected
CAO employees | H2, Self-Efficacy | Not rejected
CAO employees | H3, ISA | Rejected
CAO employees | H4, interaction term OC × Self-Efficacy | Not rejected
CAO employees | H5, OC | Not rejected
Staff & Managers (R² = 24%) | H1, Sanctions | Not rejected
Staff & Managers | H2, Self-Efficacy | Not rejected
Staff & Managers | H3, ISA | Rejected
Staff & Managers | H4, interaction term OC × Self-Efficacy | Not rejected
Staff & Managers | H5, OC | Rejected

Table 9 Regression of Self-efficacy (dependent) on ISA (independent) (source: researcher's generated data). Columns: Predictor; R²; B; Sig.; VIF; Durbin-Watson. Row: ISA, R² = 6%.

Table 10 Regression of Sanctions (dependent) on ISA (independent) (source: researcher's generated data). Columns: Predictor; R²; B; Sig.; VIF; Durbin-Watson. Row: ISA, R² = 15%.

The researcher also chose to conduct regression tests for the demographic variables gender, age, tenure, function and education level. Because dummy variables were needed for these tests, Stata was used, which creates the dummy variables automatically, and the regressions were run there. Appendix J, Regression tests for demographic variables, shows the results: first without the interaction variable OC × Self-Efficacy, and in the second paragraph of Appendix J with the interaction variable included. All other independent variables were included as well, to test whether the results differed from the multiple regression in SPSS and from the interaction term computed with Hayes' PROCESS tool in SPSS. Paragraph J1 shows that only females, and Staff members and CAO employees (relative to Managers), significantly and positively influenced Actual Compliance Behavior. The other demographic variables did not significantly influence ACB and were omitted from the results in paragraph J. When the moderating term OC × Self-Efficacy was included in the regression model, Stata likewise found no significant interaction effect. Stata thus gave results similar to the regression and moderation tests conducted with SPSS and Hayes' PROCESS tool, as described in the section below and in the appendices covering the regression and moderation results.

Moderation
For the moderating effect of OC on the relationship between Self-Efficacy and ACB, Hayes' PROCESS tool installed in SPSS was used, selecting Menu, Analyze, Regression, Process, Model Number 1 (Hayes A. F., 2012, p. 17). From Options, Generate data, OLS/ML, Heteroscedasticity and Mean were chosen; from Conditioning, Mean and Johnson were chosen. Three kinds of moderation effect can be distinguished (Elite Research LLC, 2013, p. 1):
- enhancing effect, when the effect of the independent variable on ACB increases as the moderator increases;
- buffering effect, when the effect of the independent variable on ACB decreases as the moderator increases;
- antagonistic effect, when the effect of the independent variable on ACB reverses as the moderator increases.
Before one can claim that moderation has occurred, one should first assess whether the interaction effect, OC × Self-efficacy, on ACB is significant (Elite Research LLC, 2013, p. 1) (Kim, Kaye, & Wright, 2001, p. 2). If the interaction has no significant relationship with ACB, no moderation took place. As can be seen in Appendix I, Moderation tests, and in Table 8, none of the interaction terms OC × Self-efficacy significantly predicted ACB in the complete set or in either stratum (all p > 0.05). There was therefore no moderating effect of OC on the relationship between self-efficacy and ACB. Figure 7 shows the final model with the results.

Figure 7 Final model for the complete dataset only; dotted lines show relationships that were not hypothesized.

Chapter 5 Conclusions and Recommendations

This study was based on two research questions:
1. Do Sanctions, Self-efficacy and Information Security Awareness (ISA) positively or negatively influence employees' behavior towards compliance with the Information Security Policy (ISP) within Telesur?
2. Does employees' perceived Organizational Climate influence the relationship between Self-Efficacy and Actual Compliance Behavior?
To answer these questions, a literature review was conducted to establish the underlying theories and antecedents on which the different variables are built. Based on this theory, items were adapted from previous studies to gather the information needed to answer the questions and test the hypotheses. Research question 1 yielded 3 hypotheses, relating the three variables Sanctions, Self-efficacy and Information Security Awareness (ISA) to Actual Compliance Behavior (ACB). The second research question produced the fourth hypothesis, on the moderating effect of Organizational Climate (OC) on the relationship between Self-efficacy and ACB. Although not hypothesized, the relationship between OC and ACB was also tested and is also covered in this chapter, as the results were highly significant throughout. Also not hypothesized were the moderating effects of the demographic or intervening variables gender, age, tenure, function and education on the relationship between Self-efficacy and ACB. Because of the vast amount of analysis output in the appendices, the researcher opted to exclude the results for the non-significant intervening variables. Overall these intervening variables had no significant effect on the Self-efficacy × ACB relationship (p > 0.05). Females comply significantly differently from males, and Staff members and CAO employees significantly differently from Managers.
5.1 Conclusions

The correlation analysis showed that the motivational factors Sanctions and Self-efficacy did not have a significant relationship with the compliance behavior of employees. The organizational variable Information Security Awareness and the social variable Organizational Climate, which is related to corporate culture, on the other hand both had significant positive relationships with the way employees comply with the information security policy within Telesur. Although the organizational and social factors were related to compliance behavior, no conclusion about causal effects can be drawn from correlations alone: one cannot claim from these relationships that a perceived increase in the supportive climate or in awareness of information security in the organization will lead to an increase in employees' compliance with the information security policy, even though the relationships were positive.

The regression analyses showed that an increase in employees' general knowledge about information security and about the Information Security Policy of the company they work for (ISA), as well as in the perceptions and experiences employees have of the climate (OC) in their organization, is associated with, and in the regression model predicts, an increase in compliance behavior towards the information security policy. These conclusions cannot be drawn for the motivational variables Sanctions and Self-efficacy. These results are not consistent with some of the literature. The studies of Bulgurcu and of Kankanhalli et al. showed that sanctions and self-efficacy did influence ACB, while Pahnila et al. found no significant influence of sanctions on ACB (Bulgurcu B., 2008) (Kankanhalli, Teo, Tan, & Wei, 2003) (Pahnila, Siponen, & Mahmood, 2007). In this research there appeared to be no relationship between the variables sanctions and self-efficacy and the compliance behavior of the employees. Regarding sanctions, it may be that employees do not believe in the sanctions mentioned in the company's Information Security Policy because of past experience with previous non-compliance cases. The researcher also found that the company did not have a culture of applying sanctions to employees who do not comply with the ISP (paragraph 3.1, from the HR department). Self-efficacy is harder to discuss, as intrinsic motivation is a complex variable in itself. Possibly only a small number of employees were aware of information security issues and possessed the skills, knowledge and competence to fulfil the requirements of the information security policy on their own. This reading is supported by the positive relationship between Information Security Awareness and Self-Efficacy found in a previous study (Herath & Rao, 2009, pp. 9, 12) and also in this study, where ISA influenced Self-efficacy. The researcher concludes that employees may lack knowledge and skills that can be built through education, training and awareness sessions; once they possess them, their self-efficacy in complying with the ISP can improve, and there will be fewer sanctions.
Overall, Information Security Awareness and Organizational Climate explained 25% (for the complete data set and the staff & managers stratum) of the total variation in Actual Compliance Behavior, leaving room for further research to increase the explained variance with other constructs.

Answer to research question one:
- Information Security Awareness and Organizational Climate positively influence employees' compliance behavior with the Information Security Policy (ISP) within Telesur.

Moderation

Employees' self-judgment about their skills and ability to comply could be affected when they perceive a certain supportive behavior from managers and co-workers regarding information security acts. Evidently, the perception employees had of their managers', supervisors' and co-workers' social and managerial activities did not affect their own motivation or judgment when complying with the information security policy within Telesur. The conclusion can be drawn that the way employees perceive the climate in the organization did not affect their self-efficacy to comply with the ISP.

Answer to research question two:
- Employees' Perceived Organizational Climate did not influence the relationship between Self-Efficacy and Actual Compliance Behavior within Telesur.
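The moderation test behind research question two is a regression with an interaction term: the moderator (Organizational Climate) moderates the Self-Efficacy to ACB relationship only if the product term's coefficient differs from zero. The following is an added example, not code or data from the thesis: it fits that model by ordinary least squares in plain Python on constructed composite scores whose true coefficients are known (one data set with no interaction, one with an interaction of 0.1), so the reader can see what "did not influence the relationship" means in terms of the fitted coefficients. Predictors are mean-centred before the product is formed, which is the editor's choice, not something the thesis describes.

```python
"""Moderation (interaction) regression by OLS, in pure Python.

Added example, not part of the thesis. Survey data below are constructed so
that the true coefficients are known; they are not Telesur's data.
"""
from typing import Dict, List


def solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a*x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]  # augmented matrix
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):  # back substitution
        s = sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (m[i][n] - s) / m[i][i]
    return x


def ols(x: List[List[float]], y: List[float]) -> List[float]:
    """Ordinary least squares via the normal equations (X'X) b = X'y."""
    k = len(x[0])
    xtx = [[sum(row[i] * row[j] for row in x) for j in range(k)] for i in range(k)]
    xty = [sum(row[i] * yi for row, yi in zip(x, y)) for i in range(k)]
    return solve(xtx, xty)


def moderation_fit(self_eff: List[float], oc: List[float], acb: List[float]) -> Dict[str, float]:
    """Fit ACB = b0 + b1*SE_c + b2*OC_c + b3*(SE_c*OC_c) with mean-centred predictors.

    b3 is the moderation effect: if it is (near) zero, OC does not change the
    strength of the Self-Efficacy -> ACB relationship. r2 is the share of the
    variance in ACB explained by the model.
    """
    n = len(acb)
    m_se, m_oc = sum(self_eff) / n, sum(oc) / n
    x = [[1.0, s - m_se, o - m_oc, (s - m_se) * (o - m_oc)] for s, o in zip(self_eff, oc)]
    b = ols(x, acb)
    fitted = [sum(bi * xi for bi, xi in zip(b, row)) for row in x]
    m_y = sum(acb) / n
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(acb, fitted))
    ss_tot = sum((yi - m_y) ** 2 for yi in acb)
    return {"intercept": b[0], "self_efficacy": b[1], "oc": b[2],
            "interaction": b[3], "r2": 1 - ss_res / ss_tot}


# Constructed composite scores (1-5 scale) for ten hypothetical respondents.
SELF = [1, 2, 3, 4, 5, 1, 2, 3, 4, 5]
OC = [1, 2, 3, 4, 5, 5, 4, 3, 2, 1]
# Case A: ACB = 3 + 0.4*SE_c + 0.3*OC_c, so OC does not moderate.
ACB_NO_MOD = [1.6, 2.3, 3.0, 3.7, 4.4, 2.8, 2.9, 3.0, 3.1, 3.2]
# Case B: the same main effects plus 0.1 * SE_c * OC_c (a real moderation).
ACB_MOD = [2.0, 2.4, 3.0, 3.8, 4.8, 2.4, 2.8, 3.0, 3.0, 2.8]

if __name__ == "__main__":
    for label, y in (("no moderation", ACB_NO_MOD), ("moderation", ACB_MOD)):
        print(label, {k: round(v, 3) for k, v in moderation_fit(SELF, OC, y).items()})
```

In practice the interaction coefficient is judged with its standard error and p-value (SPSS PROCESS, cited in the bibliography, does this); the example stops at the point estimate so that the structure of the test is visible.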

Complete set and strata

Regarding the three groups, the complete set of employees and the two strata (CAO employees, and staff members and managers as one group), no clear difference was found in the way ISA and OC influence the compliance behavior of the two strata. For the CAO employees stratum, OC did not significantly influence ACB at the 5% significance level, but the observed significance (p = ) was close to 0.05, our threshold for significance. The reader can decide whether he or she finds this relationship significant. A remark on the answers to the research questions is that for CAO employees OC did not significantly influence ACB, although for the complete data set, of which the CAO employees were part, OC did significantly influence ACB. Possibly for CAO employees awareness seemed more important than support from their managers and peers when dealing with information security issues, or the sample was too small to see the effect clearly.

The results from the cross tabulations showed that males comply differently with the Information Security Policy than females. Within Telesur, two thirds of females complied with ACB whereas one third of males did. Further, by descriptively assessing level of education, age, tenure and function level against the compliance behavior of employees within Telesur, the researcher concludes that a higher education, higher age, more work experience or a higher position in the company does not necessarily change the compliance behavior of employees, whereas for gender the conclusion is different. Regression tests conducted for these demographic variables showed that staff members and CAO employees comply significantly better than managers on Actual Compliance Behavior, and that females also comply significantly better than males on ACB. Overall, less than half of the employees comply with the company's Information Security Policy.
5.2 Recommendations

Further study

Based on the literature review the researcher found different antecedents for the measurement of sanctions and self-efficacy. Further study can be done on other motivational factors, such as rewards, intrinsic benefits, intrinsic costs, safety of resources, benefits of compliance, normative beliefs and others, in relation to Actual Compliance Behavior. But as organizational and climate/cultural factors influenced the compliance behavior of employees positively, the researcher would recommend assessing other constructs or antecedents of these organizational and climate/cultural factors to explain more of the variance in Actual Compliance Behavior. Other research could focus on other climate factors such as those from the Litwin and Stringer Organizational Climate Questionnaire (LSOCQ), which contains nine dimensions but is more linked to motivation (Rogers, Miles, & Biggs, 1980, pp. 3-4) (Muchinsky, 1976), as mentioned in chapter two of this study. Further research can be conducted on increasing employees' Self-Efficacy by assessing the relationship between Information Security Awareness and Self-Efficacy, as a previous study in other environments already showed positive relationships (Herath & Rao, 2009, pp. 9, 12). Also the overall quality of the ISP could be assessed in relation to ACB.

Managerial implications

For management within Telesur, the researcher recommends educating the employees and further building a healthy and consistently supportive climate and social environment. As the literature review postulated, training and awareness sessions (Bulgurcu, Cavusoglu, & Benbasat, 2010) in the field of information security, sharing information about security vulnerabilities, and reviewing the ISP with employees increase the awareness of employees in these fields (Straub & Welke, 1998). The climate in the organization also seems to influence the compliance behavior of employees positively, especially at management level, but differently among CAO employees when dealing with information security issues. A higher awareness about information security will lead to higher compliance with the Information Security Policy, and compliance with the Information Security Policy will lead to decreased security risks and thus lower costs and fewer issues with regard to information security. Further, in previous studies in the field of information security, awareness and training were positively linked with Self-efficacy (Herath & Rao, 2009, pp. 9, 12) (Bulgurcu, Cavusoglu, & Benbasat, 2010, pp. 22, 30), and this could also be researched within Telesur. Finally, the researcher would not recommend removing the sanctions from the Information Security Policy, because there was not enough evidence to say that sanctions do not influence employees' compliance behavior.

Bibliography

Ajzen, I. (1991). The Theory of Planned Behavior. Organizational Behavior and Human Decision Processes, 50(2).
Ajzen, I., & Madden, T. J. (1986). Prediction of goal-directed behavior: Attitudes, intentions, and perceived behavioral control. Journal of Experimental Social Psychology, 22(5).
Al-Omari, A., Deokar, A., El-Gayar, O., Walters, J., & Aleassa, H. (2013). Information Security Policy Compliance: An Empirical Study of Ethical Ideology. Hawaii International Conference on System Sciences (HICSS). Washington, DC, USA: IEEE Computer Society.
Anderson, D. R., Sweeney, D. J., & Williams, T. A. (2011). Statistics for Business and Economics (International ed.). South-Western, Cengage Learning.
Australian Bureau of Statistics. (2013). Sample Size Calculator. Retrieved October 12, 2013, from NSS National Statistical Service.
Bailey, K. (2013, March 19). KESB Articles. Retrieved November 25, 2013, from Kaspersky Lab Newsroom Europe.
Bandura, A. (1982). The Explanatory and Predictive Scope of Self-Efficacy Theory. Journal of Social and Clinical Psychology, 4(3).
Bandura, A., Adams, N. E., Hardy, A. B., & Howells, G. N. (1980, March). Tests of the generality of self-efficacy theory. Cognitive Therapy and Research, 4(1).
Bartlett, J. E., Kotrlik, J. W., & Higgins, C. C. (2001). Organizational Research: Determining Appropriate Sample Size in Survey Research. Information Technology, Learning, and Performance Journal, 19(1).
Becker, G. S. (1968). Crime and Punishment: An Economic Approach. The Journal of Political Economy, 76(2).
Bock, G.-W., Zmud, R. W., Kim, Y.-G., & Lee, J.-N. (2005, March). Behavioral intention formation in knowledge sharing: examining the roles of extrinsic motivators, social-psychological factors, and organizational climate. MIS Quarterly, 29(1).
Bulgurcu, B. (2009). Motivations in Information Security Policy Compliance: An Empirical Study of Information Security Awareness and Perceived Fairness. 15th Americas Conference on Information Systems, draft paper, Socio-technical dimensions in IS Security (pp. 1-9). San Francisco, California: Security, Assurance and Privacy (SIGSEC).

Bulgurcu, B. (2008, July). The antecedents of information security policy compliance. Retrieved August 31, 2013, from cIRcle, the University of British Columbia's digital repository.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010, September 1). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3).
Chan, M., Woon, I., & Kankanhalli, A. (2005). Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behavior. Journal of Information Privacy & Security, 1(3), 18.
Cochran, W. G. (1977). Sampling Techniques (3rd ed.). New York, USA: John Wiley & Sons Inc.
Corpuz, M., & Barnes, P. H. (2010). Integrating Information Security Policy Management with Corporate Risk Management for Strategic Alignment. Proceedings of the 14th World Multi-Conference on Systemics, Cybernetics and Informatics (WMSCI 2010). Orlando, Florida: International Institute of Informatics and Systemics (IIIS).
D'Arcy, J., Hovav, A., & Galletta, D. (2009, March). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1).
Dugo, T. (2007, December 15). The insider threat to organizational information security: a structural model and empirical test. Retrieved September 22, 2013, from Auburn University Theses and Dissertations.
Elite Research LLC. (2013, December 1). Office of Research and Sponsored Programs. Retrieved from Moderation Mediation.
Field, A. (2005). Discovering Statistics using SPSS (2nd ed.). London: SAGE Publications.
Field, A. (2009). Discovering Statistics using SPSS (3rd ed.). London, California, New Delhi, Singapore: SAGE Publications Ltd.
Fishbein, M., & Ajzen, I. (1975). Retrieved August 31, 2013, from Icek Ajzen.
Garson, D. G. (2012). Testing Statistical Assumptions. North Carolina: Statistical Publishing Associates.
Garth, A. (2008). Analysing Data Using SPSS. Retrieved January 2014, from Scribd.
Gillies, A. (2011). Improving the quality of information security management systems with ISO. The TQM Journal, 23(4).
Godden, B. (2004, January 1). Qualitative & Quantitative Research. Retrieved August 8, 2013, from Market Research & Strategic Planning.

Goo, J., Yim, M.-S., & Kim, D. J. (2013). A Path Way to Successful Management of Individual Intention to Security Compliance: A Role of Organizational Security Climate. Hawaii International Conference on System Sciences (HICSS). Wailea, Maui, HI, USA: Florida Atlantic University College of Business.
Hadasch, F., Mueller, B., & Maedche, A. (2012, July 26). Universität Mannheim. Retrieved July 1, 2013.
Hayes, A. F. (2012, June 2). SPSS Process Documentation. Retrieved December 17, 2013, from MRES Web Resources.
Hayes, B. E., Perander, J., Smecko, T., & Trask, J. (1998). Measuring Perceptions of Workplace Safety: Development and Validation of the Work Safety Scale. Journal of Safety Research, 29(3).
Hellriegel, D., & Slocum, J. W. (1974, June). Organizational Climate: Measures, Research and Contingencies. The Academy of Management Journal, 17(4).
Herath, T., & Rao, R. H. (2009, April 21). Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems, 18(2).
Higgins, G. E., Wilson, A. L., & Fell, B. D. (2005). An Application of Deterrence Theory to Software Piracy. Journal of Criminal Justice and Popular Culture, 12(3).
Hofmann, D. A., & Stetzer, A. (1996). A cross-level investigation of factors influencing unsafe behaviors and accidents. Personnel Psychology, 49(2).
Holloway, J. B. (2012). Leadership Behavior and Organizational Climate: An Empirical Study in a Non-profit Organization. Emerging Leadership Journeys, 5(1).
Hong, L. C., & Kaur, S. (2008, June). A Relationship between Organizational Climate, Employee Personality and Intention to Leave. International Review of Business Research Papers, 4(3).
Hu, Q., Dinev, T., Hart, P., & Cooke, D. (2012, August). Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture. Decision Sciences Journal, 43(4).
IsecT Ltd. (2013, August 30). ISO/IEC 27002:2013 Information technology - Security techniques - Code of practice for information security controls. Retrieved September 30, 2013, from ISO/IEC 27002.
ISO/IEC. (2005). ISO/IEC 17799:2005. Geneva: ISO copyright office.
ISO Directory. (2013). Introduction To ISO (ISO27002). Retrieved October 5, 2013, from The ISO Directory.
Jaafar, N. I., & Ajis, A. (2013, August). Organizational Climate and Individual Factors Effects on Information Security Compliance Behaviour. International Journal of Business and Social Science, 4(10).

Kankanhalli, A., Teo, H., Tan, B., & Wei, K. (2003, April). An integrative study of information systems security effectiveness. International Journal of Information Management, 23(2).
Karsters, A. (2011, December 15). Measuring the Organizational Culture at Telesur. Retrieved August 31, 2013, from FHR Lim A Po Institute for Social Studies.
Kayworth, T., & Whitten, D. (2010, September). Effective Information Security Requires a Balance of Social and Technology Factors. MIS Quarterly Executive, 9(3).
Kim, J.-S., Kaye, J., & Wright, L. K. (2001). Moderating and Mediating Effects in Causal Models. Issues in Mental Health Nursing, 22(1).
Kirsch, L., & Boss, S. (2007). The Last Line of Defense: Motivating Employees to Follow Corporate Security Guidelines. ICIS 2007 Proceedings. Montreal, Quebec, Canada: Association for Information Systems (AIS).
Kootstra, G. J. (2004, May 7). Exploratory Factor Analysis: theory and application. Retrieved December 18, 2013, from Seminar in Methodology and Statistics.
Lee, J., & Lee, Y. (2002, January). A holistic model of computer abuse within organizations. Information Management & Computer Security, 10(2).
Lee, M. (2011, December). The effect of employee alignment on business IT alignment in a hierarchical organization. Retrieved August, from FHR Lim A Po Institute for Social Studies.
Liang, H., & Xue, Y. (2010, July). Understanding Security Behaviors in Personal Computer Usage: A Threat Avoidance Perspective. Journal of the Association for Information Systems, 11(7).
Lin, J. S.-J., & Lin, S.-C. (2011, January 18). Moderating effect of organizational climate on the relationship of organizational support and SOOCB. African Journal of Business Management, 5(2).
Litwin, G. H., & Stringer, R. A. (1968). Motivation and Organizational Climate (1st ed.). Cambridge, MA, USA: Harvard University Press.
Ma, Q., & Pearson, J. M. (2005). ISO 17799: Best practices in Information Security Management? Communications of the Association for Information Systems, 15.
McBride, M., Carter, L., & Warkentin, M. (2012). Exploring the Role of Individual Employee Characteristics and Personality on Employee Compliance with Cybersecurity Policies. Washington DC: Institute for Homeland Security Solutions.
McCarthy, B. (2002). New Economics of Sociological Criminology. Annual Review of Sociology, 28.

Muchinsky, P. M. (1976). An assessment of the Litwin and Stringer organization climate questionnaire: An empirical and theoretical extension of the Sims and LaFollette study. Personnel Psychology, 29(3).
Muhire, B. (2012, May). Employee Compliance with Information Systems Security Policy in Retail Industry. Case: Store Level Employees. Retrieved August 30, 2013, from ScholarWorks at UMass Boston.
Pahnila, S., Siponen, M., & Mahmood, A. (2007). Employees' Behavior towards IS Security Policy Compliance. Annual Hawaii International Conference on System Sciences (HICSS) (p. 156). Waikoloa, HI: IEEE Computer Society.
Pallant, J. (2005). SPSS Survival Manual: A step by step guide to data analysis using SPSS for Windows. Sydney, Australia: Allen & Unwin.
Patterson, M. G., West, M. A., Shackleton, V. J., Dawson, J. F., Lawthom, R., Maitlis, S., ... Wallace, A. M. (2005, June). Validating the organizational climate measure: links to managerial practices, productivity and innovation. Journal of Organizational Behavior, 26(4).
Peltier, T. R. (2004). Information Security Policies and Procedures: A Practitioner's Reference (2nd ed.). Boca Raton, London, New York, Washington DC, USA: Auerbach Publications.
Puhakainen, P., & Siponen, M. (2010, December). Improving employees' compliance through information systems security training: an action research study. MIS Quarterly, 34(4).
Putter, L. (2010, March). Retrieved August 31, 2013, from TUDelft Institutional Repository: 6e770d60b655/Thesis_Lars_Putter.pdf
Rogers, E. D., Miles, W. G., & Biggs, W. D. (1980). The Factor Replicability of the Litwin and Stringer Organizational Climate Questionnaire: An Inter- and Intra-Organizational Assessment. Journal of Management, 6(1).
SAS Institute Inc. (2013, December). SAS Books. Retrieved December 2013, from SAS Support Training & Bookstore.
Sims Jr., H. P., & LaFollette, W. (1975). An assessment of the Litwin and Stringer organizational climate questionnaire. Personnel Psychology, 28(1).
Siponen, M. T. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1).
Stephanou, A. (2008). The impact of information security awareness training on information security behaviour. Johannesburg: University of the Witwatersrand.
Stevens, P. J. (2002). Applied Multivariate Statistics for the Social Sciences (4th ed.). New Jersey: Lawrence Erlbaum Associates, Inc., Publishers.
Stone, D. N. (1994). Overconfidence in Initial Self-Efficacy Judgments: Effects on Decision Processes and Performance. Organizational Behavior and Human Decision Processes, 59(3).

Straub Jr., D. W. (1990, September). Effective IS Security: An Empirical Study. Information Systems Research, 1(3).
Straub, D. W., & Nance, W. D. (1990, March 1). Discovering and Disciplining Computer Abuse in Organizations: A Field Study. MIS Quarterly, 14(1).
Straub, D. W., & Welke, R. J. (1998, December). Coping with Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly, 22(4).
Tafti, S. F., Cheraghvandi, A., Marashian, M., Emami, H., & Mokri, B. (2009, January). Measurement of the Validity and Reliability of the Persian Translation of the Saint George Respiratory Questionnaire for Patients with Chronic Obstructive Pulmonary Disease. Open Respiratory Medicine Journal, 3.
Thanasegaran, G. (2009). Reliability and Validity Issues in Research. Integration & Dissemination, 4.
Tsohou, A., Kokolakis, S., Lambrinoudakis, C., & Gritzalis, S. (2010). A Security Standards Framework to facilitate Best Practices Awareness and Conformity. Information Management & Computer Security, 18(5).
Vance, A. (2010). Why do employees violate IS security policies? Insights from multiple theoretical perspectives. Linnanmaa, Oulu, Finland: University of Oulu.
Wallace, J., Hunt, J., & Richards, C. (1999). The relationship between organisational culture, organisational climate and managerial values. Victoria, New South Wales, Australia: MCB UP Ltd.
Waly, N., Tassabehji, R., & Kamala, M. (2012). Measures for improving information security management in organisations: the impact of training and awareness programmes. UK Academy for Information Systems Conference Proceedings, Paper 8 (pp. 1-10). Bradford: UK Academy for Information Systems (UKAIS).
Warner, J. A. (2009). The Impact of IT Security Psychological Climate on Salient User Beliefs Toward IT Security: An Empirical Study. Florida: ProQuest.
Williams, K. R., & Hawkins, R. (1986). Perceptual Research on General Deterrence: A Critical Review. Law & Society Review, 20(4).
Yoo, S. J., Huang, W., & Lee, D. Y. (2012). The impact of employees' perception of organizational climate on their technology acceptance toward e-learning in South Korea. Knowledge Management & E-Learning: An International Journal, 4(3).
Zohar, D., & Luria, G. (2005). A Multilevel Model of Safety Climate: Cross-Level Relationships Between Organization and Group-Level Climates. Journal of Applied Psychology, 90(4).
Zohar, D. (1980, February). Safety climate in industrial organizations: Theoretical and applied implications. Journal of Applied Psychology, 65(1).
Zohar, D. (2000, August). A group-level model of safety climate: Testing the effect of group climate on microaccidents in manufacturing jobs. Journal of Applied Psychology, 85(4).

Zohar, D. (2002). Modifying Supervisory Practices to Improve Subunit Safety: A Leadership-Based Intervention Model. Journal of Applied Psychology, 87(1).
Zohar, D. (2007, March 30). Safety climate and beyond: A multi-level multi-climate framework. Safety Science, 46(3).

Appendix A Measurement Items

Scenario: unencrypted portable media. Peter is working on a report that requires the analysis of sensitive data. Because of the sensitive nature of corporate data, the company has an information security policy prohibiting the copy of corporate data to unencrypted portable media, such as USB drives. However, Peter will travel for several days and would like to analyze the corporate database on the road. Peter copies the corporate database to his unencrypted portable USB drive and takes it off company premises (Vance, 2010, p. 146).

Construct        Item & Source

Scenario items
Sanction         How much of a problem would it create in your life if you jeopardized your future job promotion prospects for doing what Peter did? (Vance, 2010)
Sanction         How much of a problem would it create in your life if you receive a reprimand from your manager for doing what Peter did? (Vance, 2010)
Sanction         How much of a problem would it create in your life if you lose respect of your colleagues for doing what Peter did? (Vance, 2010)
Sanction         How much of a problem would it create in your life if you were transferred to another department for doing what Peter did? (Vance, 2010)
Sanction         How much of a problem would it create in your life if you were suspended from work for a month for doing what Peter did? (Vance, 2010)
Sanction         How much of a problem would it create in your life if you were demoted to a lower function for doing what Peter did? (Vance, 2010)
Sanction         How much of a problem would it create in your life if you were to receive penalties according to the criminal law for doing what Peter did? (Vance, 2010)

Scenario items
Self-efficacy    Doing the opposite of what Peter did would be difficult for me to do. (Vance, 2010)
Self-efficacy    Doing the opposite of what Peter did would be easy for me to do. (Vance, 2010)

Other items
Self-efficacy    I can comply with information security policies by myself. (Vance, 2010)
Self-efficacy    I would feel comfortable following most of the IS security policies on my own. (Herath & Rao, 2009)
Self-efficacy    If I wanted to, I could easily follow IS security policies on my own. (Herath & Rao, 2009)
Self-efficacy    I would be able to follow most of the IS security policies even if there was no one around to help me. (Herath & Rao, 2009)

ISA              To me, complying with the requirements of the information security policy (ISP) is necessary. (Muhire, 2012)
ISA              To me, complying with the requirements of the information security policy (ISP) is beneficial. (Muhire, 2012)
ISA              To me, complying with the requirements of the information security policy (ISP) is important. (Muhire, 2012)
ISA              To me, complying with the requirements of the information security policy (ISP) is useful. (Muhire, 2012)
ISA              I will comply with the requirements of the ISP of my company in the future. (Muhire, 2012)
ISA              I will protect information and technology resources according to the requirements of the ISP of my company in the future. (Muhire, 2012)
ISA              I will carry out my responsibilities prescribed in the ISP to enhance the information security of my company when I use information and technology in the future. (Muhire, 2012)
OC UMP           Management within my organization is very serious about information security. (Jaafar & Ajis, 2013)
OC UMP           Information security training is included as part of orientation for new employees. (Jaafar & Ajis, 2013)
OC UMP           Information security policies are discussed during my annual evaluation. (Jaafar & Ajis, 2013)
OC UMP           Employees in my organization receive updated information or training regarding information security. (Jaafar & Ajis, 2013)
OC UMP           My organization educates me on the importance of information security. (Jaafar & Ajis, 2013)
OC SP            My supervisor updates me on changes to information security procedures, e.g., through direct verbal communication or via communication tools. (Jaafar & Ajis, 2013)
OC SP            My supervisor discusses information security issues with me and my co-workers. (Jaafar & Ajis, 2013)
OC SP            My supervisor praises me when I adopt proper information security practices. (Jaafar & Ajis, 2013)
OC SP            My supervisor considers information security compliance as a key factor in assessing my overall performance. (Jaafar & Ajis, 2013)
OC CP            My co-workers take information security seriously. (Jaafar & Ajis, 2013)
OC CP            Co-workers tend to ignore information security procedures when rushing deadlines. (Jaafar & Ajis, 2013)
OC CP            Co-workers discuss information security issues with me. (Jaafar & Ajis, 2013)

OC CP            Co-workers would report breaches of information security to superiors. (Jaafar & Ajis, 2013)
ACB              I will comply with information security procedures when performing my daily work. (Chan, Woon, & Kankanhalli, 2005)
ACB              I tend to ignore information security procedures that I think are not necessary. (Chan, Woon, & Kankanhalli, 2005)
ACB              I tend to ignore information security procedures in order to complete my work. (Chan, Woon, & Kankanhalli, 2005)
ACB              Sometimes I do not comply with information security procedures when it affects the performance or productivity of my work. (Chan, Woon, & Kankanhalli, 2005)
ACB              I tend to comply with information security procedures only when it is convenient to do so. (Chan, Woon, & Kankanhalli, 2005)
ACB              I tend to ignore information security procedures when I am busy. (Chan, Woon, & Kankanhalli, 2005)

Below is the Dutch version of the questionnaire above, translated back into English.

Scenario: unencrypted portable media. Peter is working on a report that requires the analysis of sensitive data. Because of the sensitive nature of company data, the company has an information security policy. It prohibits copying company data to unencrypted (unsecured) portable media, such as USB media. However, Peter has to travel for a few days and would like to analyze the data during his trip. He copies the data to his unencrypted (unsecured) portable USB drive and takes it off the company premises (Vance, 2010, p. 147).

Variable         Aspect & Source

Scenario aspects
Sanction         How many problems would it create in your life if, by doing what Peter did, you jeopardized your prospects of a future promotion? (Vance, 2010)
Sanction         How many problems would it create in your life if, by doing what Peter did, you received a reprimand from your manager? (Vance, 2010)
Sanction         How many problems would it create in your life if, by doing what Peter did, you lost the respect of your colleagues? (Vance, 2010)
Sanction         How many problems would it create in your life if, by doing what Peter did, you were transferred to another department? (Vance, 2010)
Sanction         How many problems would it create in your life if, by doing what Peter did, you were suspended for a month? (Vance, 2010)
Sanction         How many problems would it create in your life if, by doing what Peter did, you were demoted to a lower position? (Vance, 2010)

Sanction         How many problems would it create in your life if, by doing what Peter did, you were criminally prosecuted? (Vance, 2010)

Scenario aspects
Self-efficacy    Doing the opposite of what Peter did would be difficult for me. (Vance, 2010)
Self-efficacy    Doing the opposite of what Peter did would be easy for me. (Vance, 2010)

Other aspects
Self-efficacy    I can comply with the information security policy on my own. (Vance, 2010)
Self-efficacy    I would feel comfortable complying with most of the information security policy on my own. (Herath & Rao, 2009)
Self-efficacy    If I wanted to, I could easily comply with the information security policy on my own. (Herath & Rao, 2009)
Self-efficacy    Even if there were no one around to help me, I would be able to comply with most of the information security policy. (Herath & Rao, 2009)
ISA              For me, complying with the requirements of the information security policy (ISP) is necessary. (Muhire, 2012)
ISA              For me, complying with the requirements of the information security policy (ISP) is beneficial. (Muhire, 2012)
ISA              For me, complying with the requirements of the information security policy (ISP) is important. (Muhire, 2012)
ISA              For me, complying with the requirements of the information security policy (ISP) is useful. (Muhire, 2012)
ISA              From now on I will comply with my company's ISP requirements. (Muhire, 2012)
ISA              From now on I will protect information and technology resources according to my company's ISP requirements. (Muhire, 2012)
ISA              From now on I will carry out my responsibilities as prescribed in the ISP to improve my company's information security when using information and technology. (Muhire, 2012)
OC UMP           Management within my organization takes information security very seriously. (Jaafar & Ajis, 2013)
OC UMP           Information security training is part of the orientation for new employees. (Jaafar & Ajis, 2013)

OC UMP           The information security policy is a topic of discussion during my annual evaluation. (Jaafar & Ajis, 2013)
OC UMP           Employees in my organization receive up-to-date information or training regarding information security. (Jaafar & Ajis, 2013)
OC UMP           My organization educates me about the importance of information security. (Jaafar & Ajis, 2013)
OC SP            My supervisor provides me with recent information about changes in the information security procedures, for example through direct verbal communication or via communication tools. (Jaafar & Ajis, 2013)
OC SP            My supervisor discusses information security with me and my colleagues. (Jaafar & Ajis, 2013)
OC SP            My supervisor compliments me when I apply good information security practices. (Jaafar & Ajis, 2013)
OC SP            My supervisor regards compliance with information security requirements as a key point in assessing my performance. (Jaafar & Ajis, 2013)
OC CP            My colleagues take information security seriously. (Jaafar & Ajis, 2013)
OC CP            Colleagues tend to ignore information security procedures when deadlines are at stake. (Jaafar & Ajis, 2013)
OC CP            Colleagues discuss information security problems with me. (Jaafar & Ajis, 2013)
OC CP            Colleagues would report breaches of information security to superiors. (Jaafar & Ajis, 2013)
ACB              I will comply with information security when performing my daily work. (Chan, Woon, & Kankanhalli, 2005)
ACB              I tend to ignore information security procedures that in my view are not necessary. (Chan, Woon, & Kankanhalli, 2005)
ACB              To finish my work I tend to ignore information security procedures. (Chan, Woon, & Kankanhalli, 2005)
ACB              Sometimes I do not comply with the information security procedures when they affect the performance or productivity of my work. (Chan, Woon, & Kankanhalli, 2005)
ACB              I am only inclined to comply with information security procedures when it is convenient to do so. (Chan, Woon, & Kankanhalli, 2005)
ACB              I tend to ignore information security procedures when I am busy. (Chan, Woon, & Kankanhalli, 2005)
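The items in Appendix A are combined into one composite score per construct (the SancComp, SelfComp, ISAComp, OCComp and ACBComp variables tested in Appendix B). The following is an added example, not code from the thesis, showing how such scoring is done and how the internal consistency of a scale is checked with Cronbach's alpha. The item identifiers, the 5-point scale, and the choice of which negatively worded items are reverse-coded (the "would be difficult" self-efficacy item, the "tend to ignore" co-worker item, and the five ACB items phrased as ignoring procedures) are the editor's assumptions; the thesis does not state how it scored the items.

```python
"""Scoring questionnaire items into construct composites and checking reliability.

Added example, not part of the thesis. Item ids, the 1-5 scale and the
reverse-coding choices are assumptions made for the example.
"""
from typing import Dict, Iterable, List, Tuple

SCALE_MAX = 5  # assumed 5-point scale, 1 = strongly disagree ... 5 = strongly agree


def _items(prefix: str, construct: str, n: int, reverse: Iterable[int] = ()) -> List[Tuple[str, str, bool]]:
    """Build (item id, construct, reverse-coded?) triples for items prefix1..prefixN."""
    rev = set(reverse)
    return [(f"{prefix}{i}", construct, i in rev) for i in range(1, n + 1)]


# Item-to-construct map following the order of Appendix A.
ITEMS: List[Tuple[str, str, bool]] = (
    _items("SAN", "Sanction", 7)
    + _items("SE", "Self-efficacy", 6, reverse={1})          # SE1: "would be difficult"
    + _items("ISA", "ISA", 7)
    + _items("UMP", "OC", 5)                                   # upper-management practices
    + _items("SP", "OC", 4)                                    # supervisor practices
    + _items("CP", "OC", 4, reverse={2})                       # CP2: "tend to ignore ... deadlines"
    + _items("ACB", "ACB", 6, reverse={2, 3, 4, 5, 6})         # ACB2-6 describe non-compliance
)


def recode(value: int, reverse: bool) -> int:
    """Reverse a Likert answer so that a high score always means 'more of the construct'."""
    if not 1 <= value <= SCALE_MAX:
        raise ValueError(f"answer {value} is outside 1..{SCALE_MAX}")
    return SCALE_MAX + 1 - value if reverse else value


def score(responses: Dict[str, int]) -> Dict[str, float]:
    """Mean of the recoded items per construct; items absent from `responses` are skipped."""
    per_construct: Dict[str, List[int]] = {}
    for item_id, construct, reverse in ITEMS:
        if item_id in responses:
            per_construct.setdefault(construct, []).append(recode(responses[item_id], reverse))
    return {c: sum(v) / len(v) for c, v in per_construct.items()}


def cronbach_alpha(rows: List[List[float]]) -> float:
    """Cronbach's alpha for a scale: rows are respondents, columns are recoded items."""
    n, k = len(rows), len(rows[0])

    def var(xs: List[float]) -> float:  # sample variance
        m = sum(xs) / len(xs)
        return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)

    item_var = sum(var([r[j] for r in rows]) for j in range(k))
    total_var = var([sum(r) for r in rows])
    return k / (k - 1) * (1 - item_var / total_var)


# Constructed answers of one hypothetical respondent (not survey data).
RESPONDENT = {**{f"SAN{i}": 4 for i in range(1, 8)},
              "SE1": 2, "SE2": 4, "SE3": 4, "SE4": 4, "SE5": 4, "SE6": 4,
              **{f"UMP{i}": 3 for i in range(1, 6)}, **{f"SP{i}": 3 for i in range(1, 5)},
              "CP1": 3, "CP2": 4, "CP3": 3, "CP4": 3,
              "ACB1": 4, "ACB2": 4, "ACB3": 2, "ACB4": 3, "ACB5": 5, "ACB6": 1}

if __name__ == "__main__":
    print({c: round(v, 3) for c, v in score(RESPONDENT).items()})
    # Two-item toy scale for four respondents; 0.75 shows moderate consistency.
    print(round(cronbach_alpha([[1, 2], [2, 1], [3, 4], [4, 3]]), 3))
```

A composite built this way is what the normality tests and the regressions operate on; the reverse-coding step is the one most often forgotten, and skipping it on the ACB items would turn "ignores procedures when busy = 5" into apparent compliance.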

Appendix B Testing Assumptions

For the complete Dataset

Tests of Normality
            Kolmogorov-Smirnov (a)         Shapiro-Wilk
            Statistic   df   Sig.          Statistic   df   Sig.
SancComp
SelfComp
ISAComp
OCComp                       *
ACBComp
a. Lilliefors Significance Correction
*. This is a lower bound of the true significance.



Descriptives (Statistic and Std. Error)
                                              SancComp  SelfComp  ISAComp  OCComp  ACBComp
Mean
95% Confidence Interval for Mean, Lower Bound
95% Confidence Interval for Mean, Upper Bound
5% Trimmed Mean
Median
Variance                                      .665      .482      .224     .549    .472
Std. Deviation
Minimum                                       1.00      2.00      2.71     1.00    2.00
Maximum                                       5.00      5.00      5.00     5.00    5.00
Range                                         4.00      3.00      2.29     4.00    3.00
Interquartile Range                           .80       .63       .36      1.00    1.00
Skewness
Kurtosis

For Co-workers and Total Staff, only the Normality tests are shown below, respectively.

Normality test CAO employees

Tests of Normality
            Kolmogorov-Smirnov (a)         Shapiro-Wilk
            Statistic   df   Sig.          Statistic   df   Sig.
SanComp
SelfComp
ISAComp
OCComp                       *
ACBComp
a. Lilliefors Significance Correction
*. This is a lower bound of the true significance.

So, except for OC, no variables were normally distributed.

Normality test Staff & Management

Tests of Normality
            Kolmogorov-Smirnov (a)         Shapiro-Wilk
            Statistic   df   Sig.          Statistic   df   Sig.
SanComp
SelfComp
ISAComp
OCComp                       *
ACBComp
a. Lilliefors Significance Correction
*. This is a lower bound of the true significance.

Also for this stratum, except for OC, no variables were normally distributed.

Appendix C Principal Component Analysis

C1 PCA on the full dataset of 113 responses.

XLSTAT Principal Component Analysis (PCA) - on 1/1/2014 at 12:49:02 AM
Observations/variables table: Workbook = Data Set All Standaard zonder Composite met Recode alles.xls / Sheet = Data Set All Standaard zonder C / Range = 'Data Set All Standaard zonder C'!$F:$AH / 113 rows and 29 columns
PCA type: Spearman
Rotation: Oblimin (Kaiser normalization) / Number of factors = 5 / Tau = 0

Correlations between variables and factors after Oblimin rotation:
           D1   D2   D3   D4   D5
Sanc3Rec
Sanc4Rec
Sanc5Rec
Sanc6Rec
Sanc7Rec
Self
Self
Self
Self
ISA
ISA
ISA
ISA
ISA
ISA
ISA
OCUMP
OCUMP
OCUMP
OCSP
OCSP
OCSP
OCSP
OCCP
ACB2Rec
ACB3Rec
ACB4Rec
ACB5Rec
ACB6Rec

Note that the variables which theoretically belong together indeed load mostly on the same component.

C2 PCA on the 64 CAO employees

XLSTAT Principal Component Analysis (PCA) - on 1/1/2014 at 1:00:19 AM
Observations/variables table: Workbook = Data Set CAO employees Standaard zonder Composite met Recode.xls / Sheet = Data Set All Standaard zonder C / Range = 'Data Set All Standaard zonder C'!$F:$AI / 64 rows and 30 columns
PCA type: Spearman
Rotation: Oblimin (Kaiser normalization) / Number of factors = 5 / Tau = 0

Correlations between variables and factors after Oblimin rotation:
           D1   D2   D3   D4   D5
Sanc1Rec
Sanc3Rec
Sanc4Rec
Sanc5Rec
Sanc6Rec
Sanc7Rec
Self
Self
Self
Self
ISA
ISA
ISA
ISA
ISA
ISA
OCUMP
OCUMP
OCUMP
OCSP
OCSP
OCSP
OCSP
OCCP
OCCP
ACB2Rec
ACB3Rec
ACB4Rec
ACB5Rec
ACB6Rec

Also in this stratum, the variables which theoretically belong together indeed load mostly on the same factor.

C3 PCA on the 49 Staff members

XLSTAT Principal Component Analysis (PCA) - on 1/1/2014 at 1:16:22 AM
Observations/variables table: Workbook = Data Set Staff Standaard zonder Composite met Recode.xls / Sheet = Data Set All Standaard zonder C / Range = 'Data Set All Standaard zonder C'!$F:$AE / 49 rows and 26 columns
PCA type: Spearman
Rotation: Oblimin (Kaiser normalization) / Number of factors = 5 / Tau = 0

Correlations between variables and factors after Oblimin rotation:
           D1   D2   D3   D4   D5
Sanc4Rec
Sanc5Rec
Sanc6Rec
Sanc7Rec
Self
Self
Self
Self
ISA
ISA
ISA
ISA
ISA
ISA
ISA
OCUMP
OCUMP
OCSP
OCSP
OCSP
OCSP
ACB2Rec
ACB3Rec
ACB4Rec
ACB5Rec
ACB6Rec

Also in this stratum, the variables which theoretically belong together indeed load mostly on the same factor.

Appendix D Descriptive Statistics

D1 Cross tabs Gender x ACB

Case Processing Summary
                          Cases
                          Valid         Missing       Total
                          N    Percent  N    Percent  N    Percent
Gender * ACBCompSUMRec         %        0.0%               %

Gender * ACBCompSUMRec Crosstabulation (Count)
                ACBCompSUMRec
                Non Compliance  Neutral  Compliance  Total  % compliance
Gender  Male
        Female
Total

Chi-Square Tests
                               Value  df  Asymp. Sig. (2-sided)
Pearson Chi-Square             (a)
Likelihood Ratio
Linear-by-Linear Association
N of Valid Cases               113
a. 1 cells (16.7%) have expected count less than 5. The minimum expected count is

Symmetric Measures
                                Value  Approx. Sig.
Nominal by Nominal  Phi
                    Cramer's V
N of Valid Cases

D2 Cross tabs Function x ACB

Case Processing Summary
                            Cases
                            Valid         Missing       Total
                            N    Percent  N    Percent  N    Percent
Function * ACBCompSUMRec         %        0.0%               %

Function * ACBCompSUMRec Crosstabulation (Count)
                    ACBCompSUMRec
                    Non Compliance  Neutral  Compliance  Total  % compliance
Function  Manager
          Staff
          CAO empl
Total

Chi-Square Tests
                               Value  df  Asymp. Sig. (2-sided)
Pearson Chi-Square             (a)
Likelihood Ratio
Linear-by-Linear Association
N of Valid Cases               113
a. 2 cells (22.2%) have expected count less than 5. The minimum expected count is

Symmetric Measures
                                Value  Approx. Sig.
Nominal by Nominal  Phi
                    Cramer's V
N of Valid Cases

D3 Cross tabs Education x ACB

Case Processing Summary
                          Cases
                          Valid         Missing       Total
                          N    Percent  N    Percent  N    Percent
School * ACBCompSUMRec         %        0.0%               %

School * ACBCompSUMRec Crosstabulation (Count)
                  ACBCompSUMRec
                  Non Compliance  Neutral  Compliance  Total  % compliance
School  MSc/MBA
        BSC/HBO
        VOS/MBO
        MULO/MBO
Total

Chi-Square Tests
                               Value  df  Asymp. Sig. (2-sided)
Pearson Chi-Square             (a)
Likelihood Ratio
Linear-by-Linear Association
N of Valid Cases               113
a. 5 cells (41.7%) have expected count less than 5. The minimum expected count is .53.

Symmetric Measures
                                Value  Approx. Sig.
Nominal by Nominal  Phi
                    Cramer's V
N of Valid Cases

D4 Cross tabs Age x ACB

Case Processing Summary
                       Cases
                       Valid         Missing       Total
                       N    Percent  N    Percent  N    Percent
Age * ACBCompSUMRec         %        0.0%               %

Age * ACBCompSUMRec Crosstabulation (Count)
             ACBCompSUMRec
             Non Compliance  Neutral  Compliance  Total  % Compliance
Age  18 to
     to
     to
     to
     to
Total

Chi-Square Tests
                               Value  df  Asymp. Sig. (2-sided)
Pearson Chi-Square             (a)
Likelihood Ratio
Linear-by-Linear Association
N of Valid Cases               113
a. 8 cells (53.3%) have expected count less than 5. The minimum expected count is .11.

Symmetric Measures
                                Value  Approx. Sig.
Nominal by Nominal  Phi
                    Cramer's V
N of Valid Cases

D5 Cross tabs Tenure x ACB

Case Processing Summary
                          Cases
                          Valid         Missing       Total
                          N    Percent  N    Percent  N    Percent
Tenure * ACBCompSUMRec         %        0.0%               %

Tenure * ACBCompSUMRec Crosstabulation (Count)
            ACBCompSUMRec
            Non Compliance  Neutral  Compliance  Total  % Compliance
Tenure  <
        >
Total

Chi-Square Tests
                               Value  df  Asymp. Sig. (2-sided)
Pearson Chi-Square             (a)
Likelihood Ratio
Linear-by-Linear Association
N of Valid Cases               113
a. 8 cells (44.4%) have expected count less than 5. The minimum expected count is

Symmetric Measures
                                Value  Approx. Sig.
Nominal by Nominal  Phi
                    Cramer's V
N of Valid Cases

Appendix E Correlations

E1 Correlations between latent variables for the complete Dataset.

Correlations (Spearman's rho)
                                      SancComp  SelfComp  ISAComp  OCComp   ACBComp
SancComp  Correlation Coefficient               **        **
          Sig. (2-tailed)
          N
SelfComp  Correlation Coefficient     **                  *
          Sig. (2-tailed)
          N
ISAComp   Correlation Coefficient     **        .240 *                      **
          Sig. (2-tailed)
          N
OCComp    Correlation Coefficient                                           **
          Sig. (2-tailed)
          N
ACBComp   Correlation Coefficient                         **       .358 **
          Sig. (2-tailed)
          N
**. Correlation is significant at the 0.01 level (2-tailed).
*. Correlation is significant at the 0.05 level (2-tailed).

Here we see that, in the full set of employees, both OC and ISA correlate with ACB at the 1% level, while Sanctions and Self do not.

E2 Correlations between latent variables for the CAO employees Dataset.

Correlations (Spearman's rho)
                                      SanComp   SelfComp  ISAComp  OCComp   ACBComp
SanComp   Correlation Coefficient               *         *
          Sig. (2-tailed)
          N
SelfComp  Correlation Coefficient     *
          Sig. (2-tailed)
          N
ISAComp   Correlation Coefficient     *                                     **
          Sig. (2-tailed)
          N
OCComp    Correlation Coefficient                                           *
          Sig. (2-tailed)
          N
ACBComp   Correlation Coefficient                         **       .262 *
          Sig. (2-tailed)
          N
*. Correlation is significant at the 0.05 level (2-tailed).
**. Correlation is significant at the 0.01 level (2-tailed).

Here, for the CAO employees group, ACB was correlated with OC at the 5% level and with ISA at the 1% level, and not with the other variables, even at the 10% level.

E3 Correlations between latent variables for the total Staff and Managers Dataset.

Correlations (Spearman's rho)
                                      SanComp   SelfComp  ISAComp  OCComp   ACBComp
SanComp   Correlation Coefficient
          Sig. (2-tailed)
          N
SelfComp  Correlation Coefficient                         *
          Sig. (2-tailed)
          N
ISAComp   Correlation Coefficient               *                           *
          Sig. (2-tailed)
          N
OCComp    Correlation Coefficient                                           *
          Sig. (2-tailed)
          N
ACBComp   Correlation Coefficient                         *        .361 *
          Sig. (2-tailed)
          N
*. Correlation is significant at the 0.05 level (2-tailed).

For the smaller group of staff and managers, the correlation between ACB and ISA & OC was significant only at the 5% level.

Appendix F Multiple Regressions Complete Dataset

REGRESSION
  /MISSING LISTWISE
  /STATISTICS COEFF OUTS R ANOVA COLLIN TOL
  /CRITERIA=PIN(.05) POUT(.10)
  /NOORIGIN
  /DEPENDENT ACBComp
  /METHOD=STEPWISE SancComp SelfComp ISAComp OCComp
  /SCATTERPLOT=(*ZRESID,*ZPRED)
  /RESIDUALS DURBIN HISTOGRAM(ZRESID) NORMPROB(ZRESID)
  /CASEWISE PLOT(ZRESID) OUTLIERS(3).

Model Summary (c)
Model  R     R Square  Adjusted R Square  Std. Error of the Estimate  Durbin-Watson
1      (a)
2      (b)
a. Predictors: (Constant), OCComp
b. Predictors: (Constant), OCComp, ISAComp
c. Dependent Variable: ACBComp

ANOVA (c)
Model            Sum of Squares  df  Mean Square  F  Sig.
1  Regression                                            (a)
   Residual
   Total
2  Regression                                            (b)
   Residual
   Total
a. Predictors: (Constant), OCComp
b. Predictors: (Constant), OCComp, ISAComp
c. Dependent Variable: ACBComp

Coefficients (a)
                Unstandardized Coefficients  Standardized Coefficients              Collinearity Statistics
Model           B  Std. Error                Beta                       t  Sig.    Tolerance  VIF
1  (Constant)
   OCComp
2  (Constant)
   OCComp
   ISAComp
a. Dependent Variable: ACBComp


Although the data was distributed fairly evenly over the area, the plot showed some oblique lines which the researcher could not explain.

Appendix G Multiple Regression CAO employees as a stratum

Stepwise

REGRESSION
  /MISSING LISTWISE
  /STATISTICS COEFF OUTS R ANOVA COLLIN TOL
  /CRITERIA=PIN(.05) POUT(.10)
  /NOORIGIN
  /DEPENDENT ACBComp
  /METHOD=STEPWISE SanComp SelfComp ISAComp OCComp
  /SCATTERPLOT=(*ZRESID,*ZPRED)
  /RESIDUALS DURBIN HISTOGRAM(ZRESID) NORMPROB(ZRESID)
  /CASEWISE PLOT(ZRESID) OUTLIERS(3).

Model Summary (b)
Model  R     R Square  Adjusted R Square  Std. Error of the Estimate  Durbin-Watson
1      (a)
a. Predictors: (Constant), ISAComp
b. Dependent Variable: ACBComp

ANOVA (b)
Model            Sum of Squares  df  Mean Square  F  Sig.
1  Regression                                            (a)
   Residual
   Total
a. Predictors: (Constant), ISAComp
b. Dependent Variable: ACBComp

Coefficients (a)
                Unstandardized Coefficients  Standardized Coefficients              Collinearity Statistics
Model           B  Std. Error                Beta                       t  Sig.    Tolerance  VIF
1  (Constant)
   ISAComp
a. Dependent Variable: ACBComp

Excluded Variables (b)
                                                            Collinearity Statistics
Model        Beta In   t  Sig.  Partial Correlation         Tolerance  VIF  Minimum Tolerance
1  SanComp   .034 (a)
   SelfComp       (a)
   OCComp    .212 (a)
a. Predictors in the Model: (Constant), ISAComp
b. Dependent Variable: ACBComp

In this part of the regression, only ISA was needed to predict ACB.

Force entry of ISA and OC

REGRESSION
  /MISSING LISTWISE
  /STATISTICS COEFF OUTS R ANOVA COLLIN TOL
  /CRITERIA=PIN(.05) POUT(.10)
  /NOORIGIN
  /DEPENDENT ACBComp
  /METHOD=ENTER ISAComp OCComp
  /SCATTERPLOT=(*ZRESID,*ZPRED)
  /RESIDUALS DURBIN HISTOGRAM(ZRESID) NORMPROB(ZRESID)
  /CASEWISE PLOT(ZRESID) OUTLIERS(2).

Model Summary (b)
Model  R     R Square  Adjusted R Square  Std. Error of the Estimate  Durbin-Watson
1      (a)
a. Predictors: (Constant), OCComp, ISAComp
b. Dependent Variable: ACBComp

ANOVA (b)
Model            Sum of Squares  df  Mean Square  F  Sig.
1  Regression                                            (a)
   Residual
   Total
a. Predictors: (Constant), OCComp, ISAComp
b. Dependent Variable: ACBComp

Coefficients (a)
                Unstandardized Coefficients  Standardized Coefficients              Collinearity Statistics
Model           B  Std. Error                Beta                       t  Sig.    Tolerance  VIF
1  (Constant)
   ISAComp
   OCComp
a. Dependent Variable: ACBComp

A strong deviation from normality was not observed.


Appendix H Regression Analysis Staff and Managers as a stratum

REGRESSION
  /MISSING LISTWISE
  /STATISTICS COEFF OUTS R ANOVA COLLIN TOL
  /CRITERIA=PIN(.05) POUT(.10)
  /NOORIGIN
  /DEPENDENT ACBComp
  /METHOD=STEPWISE SanComp SelfComp ISAComp OCComp
  /SCATTERPLOT=(*ZRESID,*ZPRED)
  /RESIDUALS DURBIN HISTOGRAM(ZRESID) NORMPROB(ZRESID)
  /CASEWISE PLOT(ZRESID) OUTLIERS(3).

Model Summary (c)
Model  R     R Square  Adjusted R Square  Std. Error of the Estimate  Durbin-Watson
1      (a)
2      (b)
a. Predictors: (Constant), OCComp
b. Predictors: (Constant), OCComp, ISAComp
c. Dependent Variable: ACBComp

ANOVA (c)
Model            Sum of Squares  df  Mean Square  F  Sig.
1  Regression                                            (a)
   Residual
   Total
2  Regression                                            (b)
   Residual
   Total
a. Predictors: (Constant), OCComp
b. Predictors: (Constant), OCComp, ISAComp
c. Dependent Variable: ACBComp

Coefficients (a)
                Unstandardized Coefficients  Standardized Coefficients              Collinearity Statistics
Model           B  Std. Error                Beta                       t  Sig.    Tolerance  VIF
1  (Constant)
   OCComp
2  (Constant)
   OCComp
   ISAComp
a. Dependent Variable: ACBComp

Here it turns out that ISA and OC are the relevant predictors of ACB.
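The appendices above follow one pipeline: build composite scores from the Likert items (reverse coding the negatively worded ones, which appear as the "Rec" variables in the PCA output), correlate the composites with Spearman's rho (Appendix E) and regress ACB on the predictors, either stepwise or with ISA and OC forced in (Appendices F to H). The following is an added example, not the thesis author's code or SPSS output, that carries those three steps out in pure Python so the arithmetic behind the SPSS tables is visible. The ten respondents and their answers are constructed, the item names only mirror the thesis's naming, the composite is taken to be the item mean (an assumption; the thesis does not state its scoring rule in this section), and the regression is a plain forced-entry least-squares fit of ACB on ISA and OC rather than the stepwise procedure.

```python
"""Composite scoring, Spearman correlation and OLS regression for Likert
survey data, in pure Python. Added example with constructed data; not the
thesis's Telesur survey data or SPSS syntax."""
from math import sqrt

# Constructed responses on a 1-5 Likert scale for ten hypothetical respondents.
# Item names mirror the thesis's scales (ISA, OC co-worker practices, ACB);
# the values are invented for this example.
ITEMS = ["ISA1", "ISA2", "OCCP1", "OCCP2", "ACB1", "ACB2", "ACB3"]
RESPONSES = [
    [5, 4, 5, 4, 5, 1, 2],
    [4, 4, 4, 4, 4, 2, 2],
    [3, 3, 3, 2, 3, 3, 3],
    [2, 3, 2, 2, 2, 4, 4],
    [5, 5, 4, 5, 5, 1, 1],
    [3, 4, 3, 3, 4, 2, 3],
    [2, 2, 1, 2, 2, 5, 4],
    [4, 3, 4, 3, 3, 2, 3],
    [1, 2, 2, 1, 2, 4, 5],
    [4, 5, 5, 5, 4, 2, 1],
]
# Negatively worded items ("I am inclined to ignore ... procedures") are
# reverse coded, as the thesis did for its ACB2Rec..ACB6Rec variables.
REVERSED = {"ACB2", "ACB3"}
SCALES = {"ISA": ["ISA1", "ISA2"], "OC": ["OCCP1", "OCCP2"],
          "ACB": ["ACB1", "ACB2", "ACB3"]}


def reverse_code(value, scale_max=5):
    """Map 1..scale_max onto scale_max..1 so every item points the same way."""
    return scale_max + 1 - value


def composite(row, items, reversed_items=REVERSED):
    """Mean of a respondent's (recoded) items; assumed scoring for *Comp."""
    vals = [reverse_code(row[ITEMS.index(i)]) if i in reversed_items
            else row[ITEMS.index(i)] for i in items]
    return sum(vals) / len(vals)


def ranks(values):
    """1-based ranks with ties averaged, as Spearman's rho requires."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    r = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            r[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return r


def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return cov / sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))


def spearman(x, y):
    """Spearman's rho is the Pearson correlation of the rank-transformed data."""
    return pearson(ranks(x), ranks(y))


def ols(y, xs):
    """Least-squares fit y = b0 + b1*x1 + ... by Gauss-Jordan on the normal
    equations X'X b = X'y. Returns (coefficients, R squared)."""
    n, p = len(y), len(xs) + 1
    X = [[1.0] + [col[i] for col in xs] for i in range(n)]
    M = [[sum(X[r][i] * X[r][j] for r in range(n)) for j in range(p)]
         + [sum(X[r][i] * y[r] for r in range(n))] for i in range(p)]
    for c in range(p):
        piv = max(range(c, p), key=lambda r: abs(M[r][c]))  # partial pivoting
        M[c], M[piv] = M[piv], M[c]
        for r in range(p):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    beta = [M[i][p] / M[i][i] for i in range(p)]
    fitted = [sum(b * x for b, x in zip(beta, X[r])) for r in range(n)]
    my = sum(y) / n
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - my) ** 2 for yi in y)
    return beta, 1 - ss_res / ss_tot


def analyse(responses=RESPONSES):
    """Composites, rho of each predictor with ACB, and ACB ~ ISA + OC."""
    comp = {s: [composite(r, items) for r in responses] for s, items in SCALES.items()}
    rho = {s: spearman(comp[s], comp["ACB"]) for s in ("ISA", "OC")}
    beta, r2 = ols(comp["ACB"], [comp["ISA"], comp["OC"]])
    return comp, rho, beta, r2


if __name__ == "__main__":
    comp, rho, beta, r2 = analyse()
    for s, v in rho.items():
        print(f"Spearman rho({s}, ACB) = {v:.3f}")
    print(f"ACB = {beta[0]:.3f} + {beta[1]:.3f}*ISA + {beta[2]:.3f}*OC, R^2 = {r2:.3f}")
```

Two details matter when reproducing an analysis like this: ranks must average ties, since Likert composites produce many tied values and an unadjusted rank would bias rho; and reverse coding must happen before the composite is formed, otherwise a negatively worded item cancels the positively worded ones and the scale's reliability collapses. Significance levels (the Sig. columns of the SPSS output) are not computed here.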




GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office. GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers

More information

Employees Information Security Awareness and Behavior: A Literature Review

Employees Information Security Awareness and Behavior: A Literature Review 2013 46th Hawaii International Conference on System Sciences Employees Information Security Awareness and Behavior: A Literature Review Benedikt Lebek, Jörg Uffen, Michael H. Breitner Leibniz Universität

More information

SOFTWARE PIRACY: EXPLORING AWARENESS OF THE LAW AS A DETERMINANT OF SOFTLIFTING ATTITUDE AND INTENTION

SOFTWARE PIRACY: EXPLORING AWARENESS OF THE LAW AS A DETERMINANT OF SOFTLIFTING ATTITUDE AND INTENTION SOFTWARE PIRACY: EXPLORING AWARENESS OF THE LAW AS A DETERMINANT OF SOFTLIFTING ATTITUDE AND INTENTION Pamela A. Dupin-Bryant, Utah State University, pam.dupin-bryant@usu.edu ABSTRACT Software piracy,

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

Abstract. Keywords: Mobile commerce, short messaging services, mobile marketing. Mobile Marketing

Abstract. Keywords: Mobile commerce, short messaging services, mobile marketing. Mobile Marketing Consumer Perspectives On Mobile Advertising And Marketing Craig Standing, Steve Benson, Edith Cowan University Heikki Karjaluoto, University of Oulu, Finland Abstract Mobile marketing is set to make a

More information

Chapter 1: Health & Safety Management Systems (SMS) Leadership and Organisational Safety Culture

Chapter 1: Health & Safety Management Systems (SMS) Leadership and Organisational Safety Culture Chapter 1: Health & Safety Management Systems (SMS) Leadership and Organisational Safety Culture 3 29 Safety Matters! A Guide to Health & Safety at Work Chapter outline Leadership and Organisational Safety

More information

Business Case. for an. Information Security Awareness Program

Business Case. for an. Information Security Awareness Program Business Case (BS.ISAP.01) 1 (9) Business Case for an Information Security Business Case (BS.ISAP.01) 2 Contents 1. Background 3 2. Purpose of This Paper 3 3. Business Impact 3 4. The Importance of Security

More information

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T

The Cost of Insecure Mobile Devices in the Workplace Sponsored by AT&T The Cost of Insecure Mobile Devices in the Workplace! Sponsored by AT&T Independently conducted by Ponemon Institute LLC Publication Date: March 2014 Part 1. Introduction The Cost of Insecure Mobile Devices

More information

Accounting and Administrative Manual Section 100: Accounting and Finance

Accounting and Administrative Manual Section 100: Accounting and Finance No.: C-13 Page: 1 of 6 POLICY: It is the policy of the University of Alaska that all payment card transactions are to be executed in compliance with standards established by the Payment Card Industry Security

More information

The Role of Motivation in Human Resources Management: The Importance of Motivation Factors among Future Business Professionals in Libya

The Role of Motivation in Human Resources Management: The Importance of Motivation Factors among Future Business Professionals in Libya IOSR Journal of Business and Management (IOSR-JBM) e-issn: 2278-487X, p-issn: 2319-7668. Volume 16, Issue 8. Ver. I (Aug. 2014), PP 27-36 The Role of Motivation in Human Resources Management: The Importance

More information

The University of Adelaide Business School

The University of Adelaide Business School The University of Adelaide Business School MBA Projects Introduction There are TWO types of project which may be undertaken by an individual student OR a team of up to 5 students. This outline presents

More information

Be Prepared. For Anything. Cyber Security - Confronting Current & Future Threats The role of skilled professionals in maintaining cyber resilience

Be Prepared. For Anything. Cyber Security - Confronting Current & Future Threats The role of skilled professionals in maintaining cyber resilience Cyber Security - Confronting Current & Future Threats The role of skilled professionals in maintaining cyber resilience Mike O Neill Managing Director Graeme McGowan Associate Director of Cyber Security

More information

WHITE PAPER. PCI Compliance: Are UK Businesses Ready?

WHITE PAPER. PCI Compliance: Are UK Businesses Ready? WHITE PAPER PCI Compliance: Are UK Businesses Ready? Executive Summary The Payment Card Industry Data Security Standard (PCI DSS), one of the most prescriptive data protection standards ever developed,

More information

Cognitive Area Program Requirements 10/4/12 1

Cognitive Area Program Requirements 10/4/12 1 THE OHIO STATE UNIVERSITY, DEPARTMENT OF PSYCHOLOGY Cognitive Area Program The guiding principle in the Cognitive Area graduate training program is to involve students from their very first year in the

More information

OCCUPATIONAL STANDARD (For use in the development of supply chain related job descriptions, performance evaluations, career development plans, etc.

OCCUPATIONAL STANDARD (For use in the development of supply chain related job descriptions, performance evaluations, career development plans, etc. OCCUPATIONAL STANDARD (For use in the development of supply chain related job descriptions, performance evaluations, career development plans, etc.) Description of Position (As defined by the CSCSC Stakeholder

More information

Network & Information Security Policy

Network & Information Security Policy Policy Version: 2.1 Approved: 02/20/2015 Effective: 03/02/2015 Table of Contents I. Purpose................... 1 II. Scope.................... 1 III. Roles and Responsibilities............. 1 IV. Risk

More information

Research Proposal on Strategic Human Resource Management

Research Proposal on Strategic Human Resource Management Strategic Human Resource Management Page 1 of 11 Research Proposal on Strategic Human Resource Management Title The key aim of Strategic Human Resource Management is to give an Organization a Competitive

More information

Factors Influencing the Adoption of Biometric Authentication in Mobile Government Security

Factors Influencing the Adoption of Biometric Authentication in Mobile Government Security Factors Influencing the Adoption of Biometric Authentication in Mobile Government Security Thamer Omar Alhussain Bachelor of Computing, Master of ICT School of Information and Communication Technology

More information

CHAPTER 1 INTRODUCTION. stakeholders, and a subject that goes beyond the world of researchers, given its social,

CHAPTER 1 INTRODUCTION. stakeholders, and a subject that goes beyond the world of researchers, given its social, CHAPTER 1 INTRODUCTION The evaluation of teaching in higher education is an area of strong interest for different stakeholders, and a subject that goes beyond the world of researchers, given its social,

More information

Performance appraisal politics and employee turnover intention

Performance appraisal politics and employee turnover intention Performance appraisal politics and employee turnover intention Rusli Ahmad Camelia Lemba Faculty of Cognitive Sciences and Human Development Universiti Malaysia Sarawak arusli@fcs.unimas.my Wan Khairuzzaman

More information

Research Article An Integrative Behavioral Model of Information Security Policy Compliance

Research Article An Integrative Behavioral Model of Information Security Policy Compliance e Scientific World Journal, Article ID 463870, 12 pages http://dx.doi.org/10.1155/2014/463870 Research Article An Integrative Behavioral Model of Information Security Policy Compliance Sang Hoon Kim, 1

More information

WRITTEN TESTIMONY OF

WRITTEN TESTIMONY OF WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you

More information

Cyber security standard

Cyber security standard Cyber security standard Brief description This *Standard specifies security standards that protect *ICT systems and data from unintended or unauthorized access, damage or destruction. Related policies

More information

Students' Opinion about Universities: The Faculty of Economics and Political Science (Case Study)

Students' Opinion about Universities: The Faculty of Economics and Political Science (Case Study) Cairo University Faculty of Economics and Political Science Statistics Department English Section Students' Opinion about Universities: The Faculty of Economics and Political Science (Case Study) Prepared

More information

The Unintentional Insider Risk in United States and German Organizations

The Unintentional Insider Risk in United States and German Organizations The Unintentional Insider Risk in United States and German Organizations Sponsored by Raytheon Websense Independently conducted by Ponemon Institute LLC Publication Date: July 2015 2 Part 1. Introduction

More information

Call topics. September 2013. 2013 SAF RA joint call on Human and organizational factors including the value of industrial safety

Call topics. September 2013. 2013 SAF RA joint call on Human and organizational factors including the value of industrial safety Call topics 2013 SAF RA joint call on Human and organizational factors including the value of industrial safety September 2013 SAF RA is an ERA-NET on industrial safety funded by the European Commission

More information

How Direct and Vicarious Experience Promotes Security Hygiene

How Direct and Vicarious Experience Promotes Security Hygiene How Direct and Vicarious Experience Promotes Security Hygiene Leigh A. Mutchler Accounting and Information Management University of Tennessee Knoxville, TN, USA lmutchle@utk.edu Merrill Warkentin Management

More information

Fraud Prevention and Deterrence

Fraud Prevention and Deterrence Fraud Prevention and Deterrence Fraud Prevention Programs 2016 Association of Certified Fraud Examiners, Inc. Fraud Prevention Policy The best way to sell the establishment of a fraud policy is by stressing

More information

C. Wohlin and B. Regnell, "Achieving Industrial Relevance in Software Engineering Education", Proceedings Conference on Software Engineering

C. Wohlin and B. Regnell, Achieving Industrial Relevance in Software Engineering Education, Proceedings Conference on Software Engineering C. Wohlin and B. Regnell, "Achieving Industrial Relevance in Software Engineering Education", Proceedings Conference on Software Engineering Education & Training, pp. 16-25, New Orleans, Lousiana, USA,

More information

Assessment Plan Department of Psychology Park University. Preparing learners to think critically. Preparing learners to think

Assessment Plan Department of Psychology Park University. Preparing learners to think critically. Preparing learners to think Assessment Plan Department of Psychology Park University The approach adopted by the Department of Psychology stems from the mission of Park University to prepare learners to think, communicate effectively

More information

Issues in Information Systems Volume 14, Issue 2, pp.139-148, 2013

Issues in Information Systems Volume 14, Issue 2, pp.139-148, 2013 COLLEGE STUDENT HOME COMPUTER SECURITY ADOPTION Chet L. Claar, Central Washington University, claar@cwu.edu Robert C. Shields, Central Washington University, lymrcs@ieee.org David Rawlinson, Central Washington

More information

How To Be A Successful Company

How To Be A Successful Company 177 Hitachi s Approach As a global company, upholding the laws and regulations of the countries and regions where we do business is a basic premise of our operations. We have enhanced our compliance framework

More information

Is Your Company Ready for a Big Data Breach?

Is Your Company Ready for a Big Data Breach? Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness Sponsored by Experian Data Breach Resolution Independently conducted by Ponemon Institute LLC Publication

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 14 Risk Mitigation Objectives Explain how to control risk List the types of security policies Describe how awareness and training

More information

Rochester Institute of Technology Master's Thesis Guidelines for Students and Faculty

Rochester Institute of Technology Master's Thesis Guidelines for Students and Faculty Rochester Institute of Technology Master's Thesis Guidelines for Students and Faculty The objective of this document is to provide guidance for students and faculty committees concerning the planning,

More information

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name

COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name COVER SHEET OF POLICY DOCUMENT Code Number Policy Document Name Introduction Removable Media and Mobile Device Policy Removable media and mobile devices are increasingly used to enable information access

More information

CALIFORNIA STATE UNIVERSITY, SACRAMENTO Division of Criminal Justice Assessment Plan Bachelor of Science in Criminal Justice

CALIFORNIA STATE UNIVERSITY, SACRAMENTO Division of Criminal Justice Assessment Plan Bachelor of Science in Criminal Justice CALIFORNIA STATE UNIVERSITY, SACRAMENTO Division of Criminal Justice Assessment Plan Bachelor of Science in Criminal Justice The faculty of the Division of Criminal Justice are committed to providing criminal

More information

MASTER'S THESIS. Mitigating Data Leakage by Enforcing the Information System Security Policy. Rune Millerjord Oscar Sundström 2015

MASTER'S THESIS. Mitigating Data Leakage by Enforcing the Information System Security Policy. Rune Millerjord Oscar Sundström 2015 MASTER'S THESIS Mitigating Data Leakage by Enforcing the Information System Security Policy Rune Millerjord Oscar Sundström 2015 Master (120 credits) Master of Science in Information Security Luleå University

More information

Studies on Employees Information Security Awareness

Studies on Employees Information Security Awareness Studies on Employees Information Security Awareness Dissertation zur Erlangung des wirtschaftswissenschaftlichen Doktorgrades der Wirtschaftswissenschaftlichen Fakultät der Georg- August- Universität Göttingen

More information

Maximising the Effectiveness of Information Security Awareness

Maximising the Effectiveness of Information Security Awareness Maximising the Effectiveness of Information Security Awareness This thesis offers a fresh look at information security awareness using research from marketing and psychology. By Geordie Stewart and John

More information

A Quality of Service Monitoring System for Service Level Agreement Verification

A Quality of Service Monitoring System for Service Level Agreement Verification A Quality of Service Monitoring System for Service Level Agreement Verification Xiaoyuan Ta A thesis submitted in fulfilment of the requirements for the award of the degree of MASTER OF ENGINEERING BY

More information

Leader s Interpersonal Skills and Its Effectiveness at different Levels of Management

Leader s Interpersonal Skills and Its Effectiveness at different Levels of Management International Journal of Business and Social Science Vol. 3 No. 4 [Special Issue - February 2012] Leader s Interpersonal Skills and Its Effectiveness at different Levels of Management Aamir Khan Dr. Wisal

More information

Performance Appraisal and it s Effectiveness in Modern Business Scenarios

Performance Appraisal and it s Effectiveness in Modern Business Scenarios Performance Appraisal and it s Effectiveness in Modern Business Scenarios Punam Singh* *Assistant Professor, Department of Social Work, Sardar Patel University, Vallabh Vidhyanagar, Anand, Gujarat, INDIA.

More information

We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards.

We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards. Inspection Report We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards. Bury DCA United Response, City View Business Centre, 9 Long

More information

Policing Together. A quick guide for businesses to Information Security and Cyber Crime

Policing Together. A quick guide for businesses to Information Security and Cyber Crime Policing Together A quick guide for businesses to Information Security and Cyber Crime This leaflet has been produced by the Surrey and Sussex Cyber Crime Unit Who is this leaflet for? This leaflet will

More information

Approaches to Developing and Maintaining Professional Values, Ethics, and Attitudes

Approaches to Developing and Maintaining Professional Values, Ethics, and Attitudes International Accounting Education Standards Board IEPS 1 October 2007 International Education Practice Statement 1 Approaches to Developing and Maintaining Professional Values, Ethics, and Attitudes International

More information

MFDA STAFF NOTICE THE ROLE OF COMPLIANCE AND SUPERVISION

MFDA STAFF NOTICE THE ROLE OF COMPLIANCE AND SUPERVISION Contact: Paige Ward General Counsel and Vice-President, Policy Phone: (416) 943-5838 Email: pward@mfda.ca MSN-0057 December 5, 2006 (Revised February 6, 2013) MFDA STAFF NOTICE THE ROLE OF COMPLIANCE AND

More information

The Influence of Stressful Life Events of College Students on Subjective Well-Being: The Mediation Effect of the Operational Effectiveness

The Influence of Stressful Life Events of College Students on Subjective Well-Being: The Mediation Effect of the Operational Effectiveness Open Journal of Social Sciences, 2016, 4, 70-76 Published Online June 2016 in SciRes. http://www.scirp.org/journal/jss http://dx.doi.org/10.4236/jss.2016.46008 The Influence of Stressful Life Events of

More information