Student Name: Kumar Dangi Student ID: S Master of Information Technology (Software Engineering)


A comparative study and analysis between the PP model and Current Security Compliance models

Student Name: Kumar Dangi
Student ID: S
Master of Information Technology (Software Engineering)
School of Engineering and IT
Faculty of EHSE
Charles Darwin University
Darwin
October 2015

Thesis supervisors
Dr Jamal El-Den
Dr Peter Shaw

Unit Coordinator
Dr Kamal Debnath

Kumar Dangi (s264185)

NAME: Kumar Dangi
COURSE TITLE: Master of Information Technology (Software Engineering)
SPECIALISATION: Software Engineering
THESIS TITLE: A comparative study and analysis between the PP model and Current Security Compliance models
THESIS SUPERVISORS: Dr Jamal El-Den and Dr Peter Shaw

Abstract

Keywords: Information Security, Compliance, Positive psychology, Behavioural theory, Positive traits

We live in an age where information and security are the two pivotal elements of human society. The security of information has therefore become an area of great concern, and its importance has intensified exponentially. Organizations develop, formulate and update security compliance policies and standards to ensure that every bit of information is well protected, under the umbrella of security policies and the high scrutiny of organizational care. Past research in the domain of human behavioural studies highlights the fact that internal threats are more pressing and detrimental than external threats. Internal threats are predominantly the outcome of poor user security behaviour and, sometimes, of the poor security compliance policies of the organization. In this research, we draw on, explore and analyse literature in the area of behavioural compliance theories such as General Deterrence Theory, Protection Motivation Theory (PMT), Theory of Planned Behaviour (TPB), Rational Choice Theory and the Job Demands-Resource Model (JD-R). We proposed the PP model (Positive Traits, Personal Strength), which shows the requirements for employees' information security compliance. The PP model is a framework based on two main personal positive characteristics, namely the employee's positive traits (courage, interpersonal skills, wisdom, positive experience, leadership skills) and personal strengths (self-efficacy, expertise, optimism). We strongly believe that organizations' identification and awareness of these traits within their employees during the development of security policies would result in sustainable employees' security compliance.

Acknowledgement

I would like to extend my deepest gratitude and thanks to my supervisors Dr Jamal El-Den and Dr Peter Shaw and unit coordinator Dr Kamal Debnath. Especially, I am very obliged and thankful for the reviews, corrections and suggestions provided by my first supervisor Dr Jamal El-Den. This research paper would never have been complete without your constant support, supervision and constructive suggestions. Your guidance and expertise have ignited a spirit of research in me and helped me successfully complete it. I would also like to thank my university and its learning resources that helped in every step of my work. Particularly, the library resources and the workshops provided by the university always instilled confidence and motivation in me. I would like to thank my family whose love and encouragement made my work exciting and comfortable in so many ways. Lastly, I would like to thank my wife Kalpana who always stood by me in good and bad times, encouraging and cheering me up.

Kumar Dangi
Charles Darwin University, October 2015

Table of Contents

LIST OF FIGURES
LIST OF TABLES
Abbreviations
Introduction
Aim and Scope of the thesis
Research approach or methodology
Background
Theory of planned behavior
Social cognitive theory
Social bond theory
Literature Review
Positive Psychology
Relation between personal strength and security compliance
Self-efficacy
Knowledge Management and Expertise
IS Security Knowledge Management
Positive Organizational Behavior and Security Compliance
Research Framework
Conceptual Model
Top management and Organizational Policies
Individual Cognition
Organizational culture
Introduction to Information Security Governance
A practical approach for ISG
Business Software Alliance
Information security policy: An organizational-level process model
Information Security Governance

11.5 ISACA
ISO/IEC Standards
ITGI
User Security Behavior
An analysis of security behavior theories
General Deterrence Theory
Protection Motivation Theory
Rational Choice Theory
Job Demands-Resources Model
The PP (Positive Traits, Personal Strength) model
Conclusion and Recommendation
Appendices
Appendix A- Glossary
Appendix B- Search Terms
References


LIST OF FIGURES

FIGURE 1 POSITIVE PSYCHOLOGY IN RELATION TO OTHER PSYCHOLOGY (HEFFERON AND BONIWELL, 2011)
FIGURE 2 SELF-EFFICACY IN INFORMATION TECHNOLOGY (RHEE ET AL., 2009)
FIGURE 3 SPIRAL OF ORGANIZATIONAL KNOWLEDGE CREATION (NONAKA, 1994)
FIGURE 4 CONCEPTUAL MODEL OF SECURITY COMPLIANCE
FIGURE 5 FACTORS INFLUENCING USER SECURITY BEHAVIOUR (LEACH, 2003)
FIGURE 6 THE PP MODEL

LIST OF TABLES

TABLE 1 HISTORY OF PSYCHOLOGY
TABLE 2 THEORIES APPLIED IN SECURITY POLICY COMPLIANCE
TABLE 3 GAP BETWEEN THE EXISTING THEORIES AND PP MODEL

Abbreviations

ATB: Attitude Towards Behavior
CDU: Charles Darwin University
COBIT: Control Objectives for Information and Related Technology
COM: Computer Monitoring
CSE: Computer Self-Efficacy
CSI: Crime Scene Investigation
CVF: Competing Value Framework
GDT: General Deterrence Theory
InfoSec: Information Security
IS: Information System
ISACA: Information Systems Audit and Control Association
ISG: Information Security Governance
ISO: International Organization for Standardization
ISO/IEC: International Organization for Standardization and International Electrotechnical Commission
IT: Information Technology
ITGI: Information Technology Governance Institute
JD-R: Job Demands-Resource
PBC: Perceived Behavioural Control
PMT: Protection Motivation Theory
PP: Positive Traits, Personal Strength
RCT: Rational Choice Theory
SBT: Social Bond Theory
SCT: Social Cognitive Theory
SE: Security Efficacy
SN: Subjective Norms
TPB: Theory of Planned Behavior
TRA: Theory of Reasoned Action
USB: Universal Serial Bus

1. Introduction

According to the 2010/2011 Computer Crime and Security Survey, 45.6 per cent of the respondents from major government agencies said that they have encountered at least one security attack per year. This report presented a lack of visibility in terms of severity, degree of the attack and prevention mechanism. Research from industry suggests that more than 75 per cent of the cost of security failures usually stems from the activity of insiders of the organization. Similarly, research on security breaches from 1997 to 2003 revealed a 53 per cent increase in security breaches as reported by the respondents (Silic and Back, 2014). These data suggest that effective InfoSec is the demand of today's world.

Information Security, also known as InfoSec, is the way to preserve information from unauthorized access, use, disclosure, perusal, recording, disruption or destruction. It includes any form of data, either physical or electronic. Confidentiality, integrity and availability are the basis of information security. If any one of these elements is lacking, the security of information becomes incomplete and is vulnerable to threat. Confidentiality means the information should be safe wherever it is stored and should not be disclosed, maintaining complete privacy. Practical real-world examples include our credit card information in the bank, the record of a patient in the hospital, etc. If the organization cannot maintain confidentiality, it will eventually face a loss of goodwill and of its business. Integrity refers to the completeness and wholeness of the information. Without integrity, information becomes unreliable and loses its value. Integrity of the information can be damaged due to intentional or unintentional breaches of information security.
For example, if the information of an account holder in the bank is altered, it can be a serious matter of privacy exploitation and the bank may face a lawsuit. Availability is another important element in information security, meaning the information should be easily accessible and available whenever requested or desired by an authorized person. The company or organization responsible for storing information should always be able to make the information available whenever required. For this, a secured backup system should be maintained so that data can be restored in an emergency or calamity. Thus, all three components of information security should be monitored 24/7 in order to guarantee the security of the information (Jesan, 2006).

Compliance means a formal or informal agreement to, or acceptance of, a certain rule, policy or system. Compliance in the field of security culture is divided into two different classes. One approach discusses the use of sanctions, focusing on penalties and pressures, which is a coercive process of implementing compliance. This approach is closely linked to deterrence theory, where punishment is the means of making people adhere to policy. The other approach is more behavioural and holds the belief that compliance and non-compliance are not associated with sanctions and the expectation of rewards alone; rather, compliance relies on a value-driven organizational culture (Ella et al., 2013). Although most organizations have been using security technologies for a long time, the tools are sometimes insufficient. Therefore, the area of end-user security behavior and compliance has now gained new momentum. This thesis will investigate employees' compliance with information security systems and help in modelling a good framework so that sustained IS can be achieved (Herath and Rao, 2009).

1.1 Aim and Scope of the thesis

The aim of this project is to investigate the trend of information security compliance of employees in an organization and to formulate an effective measure or model. Many incidents of security non-compliance occur in organizations today and pose a serious threat to the company or organization. Therefore, the focus of our research is to develop a model that clearly states that compliance policies based on positive traits and positive personal strength can help achieve sustainable information security. The aims of this research are:
i) To examine the literature in information security.
ii) To review the IS problems in organizations and possible solutions to them.
iii) To investigate the compliance of security and the theories associated with it.
iv) To analyze the effect of positive psychology and employees' strengths in the organization and their subsequent effect on developing security policies.
v) To develop a solid conceptual model of security compliance based on the positive traits and strengths of an employee.
vi) To perform a comparative study of the PP model (Positive Traits, Personal Strength) and the existing security compliance models such as General Deterrence Theory (GDT), Protection Motivation Theory (PMT), the Job Demands-Resource (JD-R) model and Rational Choice Theory (RCT).
vii) To conclude the framework, suggesting further work that can be expanded in the future.

The project will be based on analysing the protection motivation theory and the theory of planned behavior, and on analysing their hypotheses and assumptions. It will investigate the current work on information security and point out the problems in the current theories or frameworks so that a completely new framework on security compliance can be developed. It will incorporate some widely used security frameworks and build a framework based on employees' positive traits and personal strength (Ifinedo, 2012).

1.2 Research approach or methodology

The research will analyse the current trend in information security and employees' compliance with it. It outlines the problems and limitations in the security compliance models that are discussed in the literature and suggested by research scholars. A comparative study of current security compliance models and theories will be performed so as to find a better security compliance model/framework that can be applied in organizations for a secure and sustained environment.

2. Background

Security-compliant behavior is influenced by two factors, namely extrinsic motivators (effect of penalties, social pressures) and intrinsic motivators (perceived value or contribution) (Herath and Rao, 2009). Other factors such as upper management practices, co-worker socialization, information social climate and self-efficacy contribute to security compliance and influence the behavior of employees to a large extent (Mark et al., 2005). Besides these, variables like deterrents, threat appraisal and normative belief guide the behaviour of employees. All these factors give a clear overview of employees' perception of security compliance and the reasons why employees often ignore security measures in the organization (Workman et al., 2008).
Compliance is equally based on ensuring end-user compliance with security policies as well as on its impact on the preventive software measures designed in an organization. This poses another significant issue related to security usability. Whitten and Tygar (1999) suggest that security software is usable if the target employees are:
Aware of their security-related tasks in the organization.
Efficient at solving the problems encountered and have the potential to do the task successfully.
Conscious and responsible to avoid errors and threats that can create a major security problem in the organization.
Comfortable with the security interface they are handling (Tygar and Alma, 2000).

Most organizations and companies value information systems as one of their greatest assets. These systems are their most valuable organizational resources. To protect these assets from misuse or abuse, organizations incorporate security measures like system backup, use of anti-virus, firewalls, encryption keys, monitoring systems, surge protectors, and so on. Therefore, information security, also known as InfoSec, has become a major concern in every organization. The failure and success of an organization now depends on employees' adherence to and compliance with information security policies (Siponen et al., 2010). The research investigates whether security policies built upon positive psychology motivate employees' compliance practice on information security. It will be based on some solid behavioural theories and a survey as well, so that employees' sustained security compliance can be further enhanced and help in developing positive organizational behavior (Siponen et al., 2010).

2.1 Theory of planned behavior

It is believed that an individual's thoughts, feelings, behavior and actions are the social influences that result when a person interacts with a group of other people or society. The theory of planned behavior gave rise to the theory of reasoned action (TRA), which suggests that behavior is the outcome of attitude, subjective norms and perceived behavioural control. Attitude refers to the positive or negative thought of an individual while engaging in a particular circumstance. Subjective norms refer to the idea that a person holds about the behavior that he/she conducts. Perceived behavioural control is the individual's thought of improving the behavior through the resources and efficacy one acquires.
The Theory of Planned Behavior is often used to determine and analyse the organization's ethical framework and the compliance behavior of the individual with regard to information system security (Sunil et al., 2008).

2.2 Social cognitive theory

Human behavior is well explained by social cognitive theory (SCT). It makes the correlation between the social aspect and the personal life of an individual. SCT states that when the individual's action is under the control of his/her behavior, there is a possibility of personal growth and development. SCT is categorised into two main factors, viz. locus and self-efficacy (Bandura, 1977). Locus of control can be defined as the degree of control the individual perceives over actions that directly or indirectly have an impact. If a person has full control over his/her actions and the belief that he/she can control the circumstances that eventually occur, he/she will have a sense of responsibility for everything that results from his/her doings. An individual who cannot bear responsibility has the habit of transferring responsibility to others. Self-efficacy is defined as the belief a person holds in his abilities and resources. It determines the person's strength in performing a specific task. Locus and self-efficacy are effective measures to analyse the safety behavior of an individual (Ajzen, 2002).

2.3 Social bond theory

Social bond theory (SBT) defines the bond that an individual has with society. According to Hirschi (1977), four different kinds of bond usually occur due to socialization, viz. attachment, commitment, involvement and personal norms. According to this theory, these bonds of socialization play an important role in reducing non-compliance or anti-social activities. Attachment refers to the bond with societal/organizational values. Commitment is the individual's effort and hard work to promote the organization. Involvement is the act of developing intimacy with social groups. Personal norms are the thoughts and beliefs of an individual about the social setting he/she dwells in. These bonds are essential for a person to contribute to the organizational mission (Hirschi, 1977).

3. Literature Review

Information security and compliance are two inseparable elements in any organization that relies on the power of information. One of the major threats to information security is the employees themselves, who take information for granted. This leads to security breaches that may damage the reputation, the goodwill and the organization as a whole. Therefore, it is a major concern of organizations in today's world to balance the equation between information security and employees' compliance. To address this concern, multiple approaches to ensure IS security compliance have been proposed. Information-intensive organizations give utmost priority to securing information by using security technologies.
Most research has focused mainly on the use of technology, but it has now been noticed that IS security cannot be achieved using tools and technologies only. There are three components, people, process and technology, which play a vital role in determining the security of IS. A recent report on security breaches says that organizations lose millions of dollars due to employee negligence and non-compliance (Herath and Rao, 2009). Another survey unveils the fact that 60% of IT managers of global companies said that employee misconduct in information systems is a threat to InfoSec. The 2008 CSI Computer Crime and Security survey reflects another shocking fact: 44% of the respondents reported abuse of information by insiders, just behind virus (49%) and other external sources (Hu et al., 2011). These facts conclude that information security has been a top priority and an issue of major concern in any organization that is based on information. Employees are the weak elements and a threat that can seriously deform the organizational security chain. Therefore, employees' compliance, with a positive psychology and behavior, is today's necessity to preserve the information in the organization.

Recent research focuses on the human perspective of handling security issues, which depends entirely on the end-user, quite often referred to as an insider. An insider is a member of personnel who has the required privileges and authority in the organization. But due to negligence, ignorance or deliberate intention, the insider poses a threat to information security (Lee et al., 2004). There is a lot of evidence that supports this fact. One survey done by the CSI/FBI reveals that about 64 per cent of the people surveyed said that security is being compromised due to the actions of insiders. This behavior of insiders led to the concept of deterrence and sanction, suggesting that the non-compliant behavior of employees should be taken seriously and that such violations should be treated with punishment so as to deter such behavior (Straub and Nance, 1990). Employees' behavior should be analysed using rational choice and crime prevention strategies, and organizational policies should monitor the behavior of employees so that effective measures can be applied and change the decision-making of the employees. Deterrence and other social theories suggest that there is a relation between organizational policy, information security and the awareness program, and that if the social relations of people can be improved through organizational practices, then information security can be achieved (Lee et al., 2004). There is a huge difference in the implementation of strategies between the information literature and the organizational literature.
The information literature primarily focuses on the use of sanctions to avert the non-compliant behavior of employees through punishment, while the organizational literature targets the use of incentives to motivate the conduct of employees (Stajkovic and Luthans, 1997). Although the use of reward and punishment (extrinsic motivation) can work in some situations, intrinsic motivation should always be present in employees so that they better comply with information security (Tyler and Blader, 2005).

The two popular theories on employees' security compliance are the Theory of Planned Behavior (TPB) and the Protection Motivation Theory (PMT). Protection motivation theory, developed by Rogers, expands the health-related model in the domain of social psychology and health (Ifinedo, 2012). This theory has been successfully used in areas like disease prevention, health promotion, politics and environmental protection for 30 years. The theory comprises two major concepts: threat appraisal and coping appraisal. Threat appraisal refers to perceived vulnerability and perceived severity. Perceived vulnerability refers to the probability that a negative event will take place if no one takes measures to prevent it. Perceived severity is the physical and psychological harm that a threat can cause (Siponen et al., 2010).

Coping appraisal concerns how the individual assesses his or her ability to cope with and avert the potential loss or damage that arises from the occurring threat. Coping appraisal has three main elements:
a. Self-efficacy: It highlights the ability or judgment of an individual in using his abilities and capabilities to adjust to or cope with a certain behavior. With regard to our research, it can be referred to as the skills, abilities and measures taken to protect InfoSec assets and the organization as a whole.
b. Response efficacy: This factor holds the notion of the benefits of the action taken by the employee. Here, it refers to security compliance as a good mechanism to detect a threat.
c. Response cost: It emphasizes the opportunity cost, such as the money, time and effort spent in using the recommended behavior (Ifinedo, 2012).

Ajzen proposed the Theory of Planned Behavior (TPB) in 1991, suggesting that individual behavior is highly influenced by elements such as attitude, subjective norms and perceived behavioural control. The three constituents of TPB are:
i. Attitude: It refers to the positive or negative feelings towards engagement in a specific behavior. In our context, this implies the attitude towards compliance with information system security.
ii. Subjective norms: It is the person's thought or perception of what people important to them really think about them given a certain behavior.
iii. Perceived behavioral control: It is the perceived ease or difficulty of performing a specific behavior.
TPB is regarded as one of the most predictive persuasion theories and is used to investigate information system ethical behaviors and individuals' decisions, which can be used in developing effective security measures and compliance (Ifinedo, 2012).
In an age where technological advancement and information systems are booming at an alarming rate, organizations, whether small or big, face some threat and potential damage in their workplace. Organizations are motivated to safeguard the information and data resources that are their biggest assets. They use tools and measures like anti-virus installation, updating firewalls, maintaining and restricting access controls, monitoring systems, using surge protectors, encryption technology and so on. This approach may provide technological protection, but the global question is: can technology alone guarantee the security of information? The question points to the fact that there is another aspect we need to consider as well to maintain a sustainable culture of security. This ultimately and indirectly refers to the employee, who is considered a weakness as well as a strength in corporate IT companies and organizations. These views are already accepted by leading researchers like Vroom and von Solms (2004) and Pahnila et al. (2007), who posit that organizations that pay attention to both technical and non-technical aspects to protect their IT assets are more successful in safeguarding the information repository in the organization.

Information security, often called InfoSec, is the biggest concern in any business house or organization. But employees are often considered the weakest link in safeguarding information rather than a strength. This implies there are some loopholes that need to be fixed before it is too late. Recent research based on human behavioural theories has come up with two important recommendations: implement security policies and procedures and conduct thorough awareness training for employees, and find a way for the threat posed by employees to be cleared by the employees themselves (Hu et al., 2011). Here comes the idea of positive psychology in security compliance, which can be the solution to this crippling problem that has plagued organizations for years.

The behavior of the employee in security policy compliance is another aspect to look at while dealing with information security. Almost every organization has now started developing policies to determine the behavioural actions of an employee so as to conform/stick to the compliance policy. Although clear and solid policies are implemented, the results in the field of information security are not as expected. Research and surveys in the past suggest that employees seldom comply with or adhere to the policies of information security. Moreover, there is ongoing research in behavioural information security that investigates employee intentions in security compliance. In the organizational context, there is a theory called Agency theory, or the principal-agent paradigm, that deals with influencing the behavior of the employee.
This theory applies to different domains where there is asymmetry in information, fear of opportunism and bounded rationality (Herath and Rao, 2009).

4. Positive Psychology

Positive psychology is the branch of science that deals with the positive attributes of human beings to make life more fulfilled, with satisfaction and positivity through happiness. It is oriented towards the wellbeing, happiness, creativity and personal strength of an individual and group. It focuses on the belief that wellbeing in an individual will have a positive effect on the group he/she dwells in, thereby creating a win-win atmosphere (Hefferon and Boniwell, 2011). Nowadays, it has applications in many areas of human research that aim to improve the thinking patterns of people so that they can be more productive and satisfied with their work. Positive psychology itself is a vast domain that is not limited to the clinical area; it is gaining popularity in many areas where positive attitude and thinking play a vital role.

Positive psychology is the youngest branch of psychology to date. Its main aim is to help human beings lead healthy and happy lives. According to many surveys done in the past, positive psychology has been mainly divided into three orientations of happiness: pleasant life, engaged life and meaningful life. Research has proved that people obtaining low scores in all the categories are not satisfied with their lives and are not motivated towards happiness, whereas people who have a positive perspective on all three aspects are positively oriented towards life. This concludes that positive psychology will have a substantial impact on people's lives (Carr, 2011).

History suggests that for almost half of the century, psychologists researched psychopathology, focusing on the negative side rather than the positive side of life. Before World War II, psychology was targeted at three areas:
a. cure mental disorders
b. promote the lives of the general public and
c. study highly intelligent people.
The war ended, but no one actually bothered to observe the soldiers who were psychologically impaired due to the effects of violence and brutal killings. Funding was provided for research in the first area, that is, treatment of mental illness, which led to the assumption that humans are passive beings (Hefferon and Boniwell, 2011). But scientific and clinical research has now changed its course to a new science of psychology called Positive Psychology. Before the emergence of Positive Psychology, the psychologists Abraham Maslow, Carl Rogers and Erich Fromm formulated the principles and theories of human happiness. These theories led to the evolution of positive psychology due to the correlation between happiness and positive emotions. Martin Seligman suggested Positive Psychology in 1998, although the term was first used by Maslow in his book Motivation and Personality in The history of positive psychology dates back to the great philosophies and ideas posed by philosophers, as shown in the table below.
Theory | Founder/Contributor | Idea
Theory of morality, virtue and good life | Aristotle | Highest good for all humanity is happiness
Utilitarian philosophy (greatest happiness principle) | Jeremy Bentham, John Stuart Mill | Happiness can be measured by assessing the quantity of experienced happiness
Emotion | William James | Emotions come after we have physically acted out
Humanistic psychology (late 1950s and early 1960s) | Abraham Maslow | Focus on mental health, specifically positive attributes such as happiness, contentment, ecstasy, kindness, and so on.

Table 1 History of Psychology

As there are many disciplines in psychology, it is quite difficult to spot where positive psychology actually fits in. The figure below shows the place of positive psychology among the other disciplines (Hefferon and Boniwell, 2011).

Figure 1 Positive Psychology in relation to other Psychology (Hefferon and Boniwell, 2011)

Positive Psychology is linked with the organizational behavior of an employee. In 2004, Jane Henry put forward several practices in which the role of positive psychology can be seen clearly. Some of the practices are:
a. Job variety: employers should offer multiple opportunities and job variety to engage the employee.
b. Intrinsic motivation: the intrinsic motivation of an employee should be enhanced through flexible working schedules, meetings and social gatherings, and by developing their competitiveness through training.
c. Confidence: increase the confidence level of the staff to achieve quality performance.

d. Creativity: a positive organization should encourage creative thinking at work.
e. Strengths work: focus on the strengths of the worker rather than their weaknesses.
f. Team building: constant endeavor to build networks among team members.
g. Meta-perspective: a balanced perspective (positive or negative) should be maintained by a positive organization (Hefferon and Boniwell, 2011).

Positive psychology helps in shaping the nature of work and the workplace environment. There is research on developing employment relations, which focuses mainly on topics like stress, workplace violence, job insecurity, etc. This is a good research topic, as it investigates problems in the workplace in order to find good solutions. At the same time, more study should be done to improve and develop positive energy in the workplace and in employees to achieve the objective. The challenges faced by employees and employers reflect the organization's internal work atmosphere. As the methods of business and the structure of organizations are changing day by day, there should be some good way, based on positive psychology, to motivate everyone in the organization (Turner et al., 2002).

5. Relation between personal strength and security compliance

The two most widely used theories in the field of security compliance are the theory of planned behavior (TPB) and the protection motivation theory. Both emphasize one common element called self-efficacy. Self-efficacy is an individual's ability to perform a particular task using personal strengths like knowledge, experience and expertise. For employees to follow a certain compliance rule or policy, self-efficacy plays an important role. For instance, let us assume an employee wants to send a confidential mail as a part of his/her task. If he/she has knowledge of encryption tools, he/she would obviously encrypt the mail before sending it and thereby uphold the security of the company, which suggests that self-efficacy is a major strength an employee should possess (Siponen et al., 2010). Providing training and education to employees can strengthen self-efficacy, and the security measures and policies should be clearly defined by the managers and IT staff and reviewed from time to time.

The true security of information lies in the behavior of the end user. The social cognitive theory explores the use of self-efficacy in determining the security of the organization (Rhee et al., 2009). Self-efficacy is the self-determination and evaluation of one's ability and skills to mobilize resources like motivation, experience and cognitive resources to achieve a task. It is a resource for coping in adverse situations and is really beneficial for people who are employed in the information sector.

Computer self-efficacy (CSE) is a term derived from self-efficacy so that it can be related more specifically to information and technology (Rhee et al., 2009). CSE is a person's expertise in using the computer and its resources. It can be used to investigate end-user behavior such as learning systems, implementing security policies, following the organization's compliance standards and legitimate use of information. Some of the popular hypotheses in the area of self-efficacy and the individual behavioural aspects of protecting information systems are as follows:

According to the social cognitive theory, self-efficacy plays an important role in determining behavioural control in threatening circumstances. This means that people with strong SE can find solutions to problems using their resources (Bandura and Jourden, 1991), while those with less SE (i.e. less knowledge and resources) have a low coping tendency. In the organisational setting, high SE suggests that people would use more secure software protection systems and act with the conscious behavior recommended by the organization. Thus, the propositions follow:
1a. Employees with a high level of SE will use more secure software.
1b. Employees with high SE have a high level of consciousness in security.

Self-efficacy is also related to motivation and to how conscious people are about their tasks. People with high SE get involved in various tasks with great coping skills to solve problems, which ultimately leads to mastery of skills. According to Zhang and Espinoza (1998), people with a stronger sense of SE showed greater desire/intention to take computer courses to improve their skills. Therefore it is believed that:
2. Employees with high SE show strong determination and effort to safeguard information.

Social cognitive theory states that experience is the source of efficacy. Mastery of skills is the result of multiple past experiences in a certain job that an individual has been involved in. When a person is familiar with computing skills and has prior experience, this empowers his/her SE. However, a skilled person can encounter bad experiences, like computer fraud and virus-related incidents, which lower his/her own judgement or capability. Thus there are two assumptions with regard to experience and security incidents. They are:
3a. SE is directly related to experience.
3b. Security incidents will have a negative effect on SE and will lower it.

Apart from past experience, one of the factors that influences self-efficacy is belief. The perceived belief of controllability fosters the search for control mechanisms. There are two ways of exercising control. One way involves the use of efficacy to effect change through effort, and this is control that can be initiated at the personal level. The other way is about control of problems, and it refers to the constraints and opportunities against which personal efficacy can be used to tackle problems. Thus it is concluded that:

4. Belief in controlling threats empowers SE.

Figure 2 Self-efficacy in information technology (Rhee et al., 2009)

According to the theory of planned behavior, employee behavior and action are deeply influenced by variables like attitude, subjective norms and perceived behavioural control, and these variables can provide insight into individual behavior (Ifinedo, 2012). This can lead to the formation of sustained information security measures and policies. Some of the hypotheses made about security compliance and employees' behavioural intentions are as follows:

a. Subjective norm has positive impact on employees' intention to comply.
Subjective norms are beliefs about conforming to an act or policy, formed on the basis of observing the environment we live in. The environment employees work in influences their behavior. The people they work with, such as co-workers and managers, and how those people follow the compliance rules and policies motivate their actions. Thus, subjective norms have a positive impact on employee behavioral intention.

b. Attitude has positive impact on employees' intention to comply.
If the employee has a positive attitude towards security compliance in an organization, then the behavioral aspect of the employee will be positive as well, and vice versa. So attitude towards security has a positive effect on behavioral intention.

c. Self-efficacy has positive impact on employees' intention to comply.
Self-efficacy is related to the ability and strength of the employee. An employee with high self-efficacy will comply with the rules and policies and use the resources to improve security. Self-efficacy has a positive effect on employee behavioral intention (Ifinedo, 2012).

d. Response cost has negative impact on employees' intention to comply.
Response cost can be anything negative resulting from employee behavior, like expenses, problems related to time, etc. There is a tendency for employees not to show interest in following guidelines or security compliance if a considerable amount of resources (like time and money) has to be used for certain work, whereas if fewer resources are needed, they will comply. This suggests that if response cost is reduced, employees' likelihood of complying with IS measures will increase. Thus, response cost has a negative impact on security compliance and on employees' behavior towards it.

e. Response efficacy has positive impact on employees' intention to comply.
If the employee has knowledge and skills regarding the coping mechanism and its effectiveness in staying away from the threat or danger, then he/she will follow the adaptive behavior. If an employee has no knowledge of or confidence in the effectiveness of the measure, then he/she will blindly accept the consequence. So, when an employee believes in the organization's information security and its measures to prevent threats, a willingness to comply with it develops.

f. Perceived severity has positive impact on employees' intention to comply.
As humans, we normally adjust our behavior to the situation we face. Similarly, if an employee perceives an information security threat in his/her organization, then he/she will abide by the rules and compliance policies. If an employee does not perceive a threat, he/she will not be concerned with compliance and the policies of the organization.

g. Perceived vulnerability has positive impact on employees' intention to comply.
If the employee finds that the security of the organization is highly vulnerable to threats, then the employee has the intention to strictly comply with security measures. Whereas an employee who holds the view that the organization is invulnerable to security threats will not comply with security policies and measures.

6. Self-efficacy

Numerous studies have been conducted in the field of cognitive science, which has a tremendous impact on human behavior and action. One of the most discussed and supported cognitive elements is self-efficacy. Self-efficacy is defined as the individual's judgment of personal strength in dealing with a certain situation and of how well the situation is coped with and dealt with using knowledge (Stajkovic and Luthans, 1998). Empirical research on the relation between self-efficacy and human behavior and motivation has demonstrated that self-efficacy has a positive impact on human work behavior, and it is applied in the clinical, educational and organizational domains. According to Bandura (1982), "Self-percepts of efficacy influence thought patterns, actions, and emotional arousal." Self-efficacy has been an important attribute in the organizational setting. A high level of perceived self-efficacy will result in high work performance (Bandura, 1982).

Psychologists hold the view that self-efficacy is the perception of one's ability to undertake a given task under a certain condition. The social cognitive theory of Bandura strongly demonstrates the tremendous influence that self-efficacy can have on a person's way of thinking and acting. The theory clearly posits the idea that personality is developed through observing the environment, learning from it, and the social experience we gain. Accordingly, self-efficacy is developed and acquired through constant effort. People with high self-efficacy approach problems with a positive outlook and master them rather than falling back. In contrast, people with low self-efficacy face problems with less confidence and retreat from them (Sousa et al., 2012). Hence, people with high self-efficacy have more commitment, have the resources required to tackle problems, and are skilful, which is very beneficial for an organization that deals with information and the security of data.

7. Knowledge Management and Expertise

Nowadays organizations face many challenges and hurdles due to new technological innovations, growing customer needs and diversified market needs. Companies need to focus on employees' personal growth and knowledge base to continuously improve the learning process in order to compete in the global market. So, there should be a continuous endeavour to promote the generation and sharing of knowledge within the organizational community and the networks within it. Sharing expertise is beneficial to an organization in many ways, such as:
a. To improve the learning process in the organization and enhance the organization through learning experience.
b. To solve time-critical problems in the organization.
c. To improve customer relations and marketing schemes over time.

d. To develop social capital like trust, shared norms and reciprocity within and beyond the organization (Wulf and Ackerman, 2003).

In an organization, knowledge management is a top priority task rather than just a need. It is a crucial part of the organization that must be given attention and effort to balance organizational advancement at scale. Knowledge management is the process of managing intellectual property to effectively store, retrieve and manage every bit of information. In general, there are two ways of managing knowledge in the technological domain. The first way is to place the knowledge in an external source, which means placing the information and data in shared repositories or databases. Using this method, information can be easily transferred and reused, as it uses computational techniques, but it has some limitations and is often not easy to use. This is regarded as the traditional approach to knowledge management. The second way of managing knowledge is called expertise sharing. As the traditional approach does not solve the problems related to tacit knowledge, the need for expertise sharing is strongly felt. Expertise sharing uses the intellectual resources of employees through expertise networks. As expertise sharing is related to the cognitive, social, psychological and organizational aspects of humans, as well as the use of technology, it is considered a more effective way of managing knowledge than the traditional method (Wulf and Ackerman, 2003).

Although many companies and organizations that value their information expend a lot of effort and money on knowledge management and expertise, they do not gain much success compared to their tireless effort. A survey done by Ernst and Young on 431 US and European companies found that only 13 per cent of the respondents believe that they actually share knowledge within the organization effectively (Wulf and Ackerman, 2003). This survey suggests that there are some loopholes and limitations that hinder the effective dissemination and harnessing of knowledge and expertise sharing. There are many limitations that obstruct knowledge and expertise sharing, but the major ones are cognitive and motivational limitations.

a. Cognitive aspect: This limitation in expertise sharing holds that, regardless of experts' motivation, the way they represent, store and process knowledge can be an obstruction to expertise sharing. Experts mentally represent and store knowledge, and as their expertise sharpens, it becomes more abstract. A skilful expert will solve a problem by engaging with the root and conceptual base of the task, whereas a less skilful expert will take a hit-and-trial approach, making the problem more problematic and time consuming (Wulf and Ackerman, 2003). Skilful experts usually build an abstract representation of knowledge and simplify it using their expertise. Their representation mechanism may hinder the sharing of expertise, as people with less expertise and knowledge may fail to retrieve the knowledge shared by them.

b. Motivational aspect: Motivational limitation is another factor that will block knowledge and expertise sharing. Problems like competition as a disincentive contribute to the motivational limitation (Wulf and Ackerman, 2003). The motivational problem, indeed, arises from the internal structure and operating environment of every company/organization. Organizations have a tradition of setting up competition between various groups or individuals in the expectation of increasing job efficiency. Some examples of setting employees in a so-called race of competency are rewards, promotions, incentives, etc. Although this can internally motivate an individual to achieve more than others, it can restrict the sharing of knowledge and expertise with individuals of less expertise. One person's reward can be another person's failure, which is often called a zero-sum game (Wulf and Ackerman, 2003). Therefore, motivational limitation is a big setback in expertise sharing.

8. IS Security Knowledge Management

Knowledge management in information systems is a crucial part of any organization because it is the hub of security. The security of information is usually handled through sophisticated technology, but technology alone is insufficient to safeguard the information, because humans are the driving factor in the operation of security. The human factor poses a real threat and deserves great consideration in securing information. Information security knowledge management depends on the knowledge creation mechanism. The creation of knowledge is still an ad-hoc process in the organization. Knowledge creation takes place in the organization through experts hired from other organizations or experts within the company (Belsis et al., 2005). Either way, the security of the company is put in jeopardy of security threats.

The knowledge creation theory developed by Nonaka and Takeuchi in 1995 states that human knowledge is built and developed through the social interaction of tacit and explicit knowledge. This process of interaction gives rise to Knowledge Creation. The interaction of tacit and explicit knowledge can take place in four different ways. They are:
a. Socialization: People meet, communicate and exchange knowledge in different social settings like seminars, workplaces, job training workshops, etc., where the actual exchange of knowledge can occur. The exchange of tacit knowledge can happen when a person works closely with a skilled person or through observation.

b. Externalization: Here the conversion of tacit knowledge to explicit knowledge takes place through analogies and metaphor models.
c. Combination: The combination process takes place through meetings, documents, presentations and workshops, where the knowledge combines and becomes more structured.
d. Internalization: Explicit knowledge becomes tacit in the internalization process. When a person expresses his/her views and thoughts in a particular area, internally the knowledge of the subject expands over time and the doubts about the subject matter slowly fade away, clearing the confusion between theoretical knowledge and experience (Belsis et al., 2005).

According to Nonaka, these four processes form a spiral model of knowledge transformation, forming a continuous cycle as shown in the figure below.

Figure 3 Spiral of Organizational Knowledge Creation (Nonaka, 1994)

9. Positive Organizational Behavior and Security Compliance

The theories and ideas of positive organizational scholarship (POS) are used in the development and implementation of effective organizational strategies. POS provides insight into the relation between organizational strategy and employees and its impact on human behaviour in the workplace, and subsequently provides a vision for analysing why some strategies are more productive than others (Cameron et al., 2003). The role of positive psychology in improving positive organizational behaviour is indisputable and has gained more popularity in recent times (Seligman et al., 2005). Nowadays companies and organizations direct their strategies towards increasing positive traits or attributes (e.g. trustworthiness, loyalty, resilience) in employees to achieve their business goals and maintain sustainability (Fryer, 2004). Since positive psychology focuses on human strengths like positive traits and personal strength for organizational prosperity, it is believed to have a positive impact on developing an organized system that values the potential in its employees (Peterson and Spiker, 2005).

Positive organizational behaviour is defined as the study and application of positive human strengths and psychological capacities for a healthy organizational environment (Luthans, 2002). According to Luthans (2002), there exists a never-ending relationship between work and happiness; between positive organizational culture and its performance; and between employees' attributes and their performance. Therefore, assuring employees' feelings such as happiness, gratification and satisfaction can help in achieving organizational strategy. Positive psychology is the science of improving quality of life through the comprehensive study of an individual's positive experiences, positive traits and positive organizational culture (Seligman and Csikszentmihalyi, 2000).

The success of an organization depends on many factors. Among them, employees' behaviour; their traits such as creativity, innovation and commitment; and their personal strengths tremendously influence the potential of the workforce. Organizations should be aware that understanding and applying positive organizational behaviour in the work environment, with a clear view of employees' positive traits and strengths, will help the organizational venture succeed in the long run. History suggests that past research was directed more at the negative side of organizational behaviour, such as violence in the workplace, organizational failures, and the like (Cameron et al., 2003). While organizational behaviour was more interested in concepts like uncertainty management, disorganization theory and chaos theory, POB put forward the concept of the positive aspects of work, the positive traits of employees and their interdependency, which contribute equally to the development of a good work environment.

Based on the fact that POB applies in the organizational setting with a positive outcome and has succeeded in realizing employees' positive traits to the maximum for a better organizational career, we suggest that employees' security compliance behaviour can be improved through positive organizational behaviour. If the organization embraces the positive traits and strengths of an employee and develops an organizational culture and security compliance policies, better security compliance can be achieved.

10. Research Framework

10.1 Conceptual Model

Information security is often observed from the point of view of the behavior of employees and the technologies implemented by the organization. This alone cannot completely assure the security of the organization. There are other factors responsible for the effectiveness of information security culture. They are top management action, employees' psychology (positive traits) and the social background of the employee. According to the Theory of Planned Behavior, individual behavior is influenced by the belief system the individual holds, and the security of the organization relies on it. Apart from individual behavior, top management policies and organizational culture also determine compliance with security in the organization (Hu et al., 2012). The relation between the management of the organization (policies), employees' strength (positive traits and personal strength) and policy compliance is shown in the figure below:

Figure 4 Conceptual model of security compliance

This model helps to analyse why some employees follow the policies and rules of the organization and some don't, and why some employees have a greater sense of responsibility and are more accountable. The top management level of the organization comprises the policies, standards, rules and regulations, compliance criteria, etc., which form the basis for organizational culture. The managerial efforts and the organizational culture help in shaping employees' behavior and belief system, which is essential for the sustainable development of the organization and which in turn will create a positive intention to comply with the policies.

Top management and Organizational Policies

Top management influences the behavior of employees and their intention to comply with the security policies. There are three mechanisms through which top management can significantly change employees' attitude towards security compliance (Hu et al., 2012). They are:
a. Legitimacy mechanism: By initiating solid policies, plans and programs with a clear strategy, vision and goal, top management provides legitimacy to its plans and policies. Top management participation helps in conveying the legitimacy of the plans and policies to the managers and employees in the organization. Therefore, legitimacy can encourage employees to comply with the rules and policies.
b. Commitment: If the top-level management of the organization shows commitment towards its goal, strategy, planning, policies and their implementation, it sends a positive signal to the employees working in the organization and can establish accountability and commitment in their work.
c. Fairness and justice mechanism: This mechanism is based on the psychology of human behavior, which suggests that an organization which operates with fairness and justice will stimulate positive attitudes about the organization in an employee's mind. Top management participation in the organizational policy and plan will provide freedom to express ideas and opinions, design unbiased and fair policies and implement better organizational procedures, rules and policies (Hu et al., 2012).

Employee behavior towards information security is based on the action and communication of top management. Educating employees about their roles and responsibilities regarding security is one of the crucial tasks of the management body. The organization should be able to present well-defined policies and communication regarding security, such as educating through security awareness campaigns, training, seminars and reminders, which help in increasing responsibility and judgment in employees, thereby enabling proactive actions with regard to the security of the organization. The management can enforce policies to monitor employees' daily internet usage, track network activities and implement auto-security verification and validation programs to avoid security breaches. Computer monitoring (COM), therefore, can be a useful tool in improving the security culture within the organization (D'Arcy and Greene, 2014). Thus, a strong security culture in management can enhance positive commitment to security compliance. Hence, a hypothesis can be proposed as:
H1. Good management policies and security culture increase employees' intention to comply.
The role of top management is strongly felt when implementing the rules and policies regarding compliance. Top management should implement policies that strengthen the employees' strength. As organizational policy has a direct influence on employees' strength (positive traits and personal strength), the policies should encourage and stimulate positivity in employees' behavior towards compliance. Positive psychology, positive traits and personal strength (e.g. expertise, experience, knowledge) are the strength of the employee in any organization. If the policy can be made to incorporate the employees' strength, then we can completely change the way employee compliance is usually looked upon.

Personal Strength and Positive Traits:

Strength determines the consequence of the situation. The conscientious person with a strong personality is more careful in work than the conscientious person with a weak personality (Dalal et al., 2015). An employee with strong personal strength is more likely to comply with the security policies of the organization. Therefore, organizational policies that are implemented considering the personal strength of an employee positively influence compliance behavior. The knowledge, expertise, self-efficacy, experience and positive organizational behavior of an employee are the positive traits of an employee in an organization. Top management incorporating these positive traits while formulating security policies can serve as a catalyst for an employee's compliance intention. Conversely, if the policies are built without considering employees' positive traits and personal strength, then employees fail to comply with the organizational policies. So, we propose a hypothesis as:
H2: Employees' intention to comply increases if the organizational policies are based on employees' positive traits and personal strength.

Moreover, organizational policy can be implemented in two different ways so that better compliance can be achieved. One method is to formulate the policies and plans to positively engage the employee. Here we are referring to employees with more experience, more expertise, more knowledge and high self-efficacy. The policies made by the organization can serve as a motivation to achieve productivity and a better work life. Hence, we posit a hypothesis:
H3. Organizational policies designed to positively engage the employees increase security policy compliance in the organization.

The other method is to implement the policies to make employees comply with the compliance policy of the organization. Here we are pointing to employees who are less experienced, have less expertise and have low self-efficacy; the policies of the top management should serve as a guideline for these employees to achieve better performance in the workplace. Thus, compliance can be achieved in the organization with good organizational policies and employees' strength. So, a hypothesis is proposed as:
H4. Organizational policies designed to induce the employee's intention to comply and based on the personal strength of an employee will increase security policy compliance.

Based on employee qualities, i.e. positive traits and personal strength, organizational policies can be developed to make employees comfortable with the policies. Employees' qualities like self-efficacy, knowledge, expertise, positive traits, cognitive qualities and personal strength should be well understood before implementing organizational policies. If these qualities are well analysed, then the organization can develop effective plans and policies that can internally motivate and empower the behavior of the employee. Thus, we propose a hypothesis:
H5. If the employees' qualities are well addressed while implementing organizational policies, then positive employee compliance can be achieved.

Likewise, organizational policy is directly related to security policy compliance because only good organizational policy can assure the development of better security policy compliance. The policies should educate, train, motivate and psychologically influence the employee's concept of security. The organizational policies should make the employee feel that the policies are not a restriction but a path to a successful organizational career. Thus, we propose the hypothesis:

H6: Better organizational policies help to achieve better security policy compliance.

We concluded in H2a and H2b that the intention to comply with the policies varies with the organizational policies, and that compliance may either increase or decrease depending on how the organizational policy addresses employee qualities like positive traits and personal strength. The employee qualities form the basis for developing security policy. For example, let us assume a company X has employees with poor skills, knowledge, expertise and personal strength, while a company Y has better employees in terms of positive traits and personal strength. In both scenarios security policies should be developed for compliance, but in company Y better security policies could be developed and the employees can be more comfortable with the policies. Thus, we posit the hypothesis:

H7: Employees' qualities like positive traits and personal strength induce the organization to form better security policy compliance.

Other factors which affect the security compliance behavior of the employee in the organization are discussed below.

10.4 Individual Cognition

Employee compliance behavior towards the policy of the organization is well demonstrated in the Theory of Planned Behavior proposed by Ajzen. According to the Theory of Planned Behaviour, an employee's behavior is driven by the intention to carry out his/her interest. Intention influences the personal behavior and motivation of a person (Ajzen, 2005).
As the TPB framework suggests, intention is affected by three factors:

a. Attitude towards the behavior (ATB): It refers to the employee's attitude in determining whether the task to perform is good or bad.
b. Subjective norm (SN): It refers to the impact of the social circles on the behavioral aspect of the employee.
c. Perceived Behavioral Control (PBC): It refers to the level of ease or difficulty to perform a behavior and awareness of the resources to achieve it.

There are numerous studies carried out on information security (e.g., Taylor & Todd 1995; Ajzen, 2005) regarding individual behavior that support the TPB framework and the factors influencing the employees' tendencies to comply. Some of the logical deductions made by the TPB in the information security of the organization are:

i. If there is a strong positive attitude towards compliance, the intention to comply will be stronger as well.
ii. If there is a strong subjective norm towards compliance, the intention to comply will be stronger as well.
iii. If there is a strong perceived behavioral control, the intention to comply will be stronger (Hu et al., 2012).

Organizational culture

Culture is an important element of an organization as it drives the organizational action and strategy. The articles in corporate security strongly suggest that security is not a technological issue alone; instead it is a management issue. The organization's security culture has a direct influence on security practices; therefore, owning a security product does not solve the security issues in the organization (von Solms and von Solms, 2004). The culture is in many ways like an operating system of an organization since it helps to guide employees' thoughts, actions and feelings (Hagberg and Heifetz, 1997). The practices and systems by which the organization operates help to define the culture paradigm of the organization (David and Fifield, 1999). Since employees have a tendency to resist change and new methods, organizations face problems while introducing and implementing new technology, business processes and changes in management (Cooper, 2000, David and Fifield, 1999). The implementation of new security policies and policy-based security plans often clashes with the employees' work ethos and the experience they have practiced for years.
The trait of organizational culture, therefore, is an important aspect of a successful organization in ensuring information security; and since culture fosters shared values, norms and beliefs, there is a need for balance between organizational culture and the management of information security. For the quantitative study of organizational culture and its impact on the behavior of the employee, Quinn's (1988) value-based organizational culture framework is widely used. Quinn's framework focuses on four cultural value orientations. In the context of our research, we will use Van Muijen et al.'s (1999) model, which is an adaptation of Quinn's (1988) original CVF (Competing Value Framework). According to this model, there are four basic values in the organizational culture. They are:

1. Support orientation: it refers to the support gained through group work and team co-operation for individual growth.
2. Innovation orientation: it refers to the creative and open environment of the organization that helps to boost the work productivity of an employee.
3. Goal orientation: it refers to the process motivated towards accomplishment of a task, with a focus on the priority of a job and accountability in the organization.
4. Rule orientation: it refers to the overall rules and regulations, structure, formal communication and authority in the organization that influence the behavior of the employee.

These values form four quadrants with two opposing orientation poles (flexibility versus control and external versus internal) (van Muijen et al., 1999). In our research we investigate two values of the organizational culture, i.e. goal orientation and rule orientation, since they have more importance in the context of security compliance and policies, and security compliance behavior is primarily targeted at making the individual comply with the rules rather than dealing with creativity and support. According to the study by Chang and Lin (2007), values related to control have more influence in the security compliance environment.

Goal orientation in the organizational culture reflects the collective organizational goal, responsibility and accountability of the employee. Goal-oriented employees are more motivated towards a given task, seek challenges and show competency in the job provided. Goal orientation helps in developing good attitude, subjective norm and self-efficacy while following the compliance and policies of the organization, and this leads to propositions like:

i. Strong goal orientation in organizational culture will stimulate strong positive attitude in security compliance.
ii. Strong goal orientation in organizational culture will stimulate strong subjective norms in security compliance.
iii. Strong goal orientation in organizational culture will stimulate strong perceived behavioral control in security compliance.
Similarly, a culture of rule orientation has similar propositions in regard to compliance with the policies and rules of the organization. Rule orientation is related to authority and compliance. It assumes that organizational stability can be achieved with a strong rule orientation through effectively designed security policies and training of employees. It suggests that with clearly stated rules and policies, compliance can be better achieved. Like goal orientation, rule orientation has similar propositions:

i. Strong rule orientation in organizational culture will stimulate strong positive attitude in security compliance.
ii. Strong rule orientation in organizational culture will stimulate strong subjective norms in security compliance.
iii. Strong rule orientation in organizational culture will stimulate strong perceived behavioral control in security compliance.

There are two other propositions made in the culture of goal and rule orientation. They are:

i. Strong goal orientation in organizational culture will stimulate strong intention to comply with the security policies.
ii. Strong rule orientation in organizational culture will stimulate strong intention to comply with the security policies.

11. Introduction to Information Security Governance

Information Security is a process that involves the entire company or organization and is no longer regarded as a technical issue that can be assessed and managed through hardware changes (Pasquinucci, 2007). For the effective implementation of IS, the concept of securing the information should reach the governance level, and the top management personnel should be aware of the threats, opportunities and multiple strategies to monitor and continuously manage security. Nowadays, there are two reasons for the amalgamation of IT at the corporate executive level. One is security breach control (Hardy, 2006) and the other is to add competitive advantages to the company itself. In this regard, public entities have equal involvement, since higher IT security helps in forming a better trust relation between the administration and its subordinates. According to recent research conducted by the European Union, there is a gap between security and privacy, which should be fixed in the area of electronic governance and policy modelling.

Information Security Governance (ISG) is a solution to problems related to policy management. It is an area that encompasses the entire policy management process. There is no specific definition that entails the overall concept of ISG, but generally it comprises the leadership, organizational structure and processes that help in achieving information security.
It can be defined as a process that helps in the establishment and maintenance of a framework to help InfoSec align with business objectives along with the laws, regulations and policies to manage risk.

An ISG framework needs to be followed and applied if companies want a secured environment for the information they hold. Some of the ISG frameworks are discussed below.

A practical approach for ISG

De Oliveira Alves et al. (2006) suggest a framework that discusses metrics and indicators to track the evolution and maturity of information security in an organization. This approach includes corporate governance indicators like Balance Scorecard and governance best practices like COBIT and ISO/IEC. The practical implementation of ISG has five stages, and it primarily focuses on task activities, details of the tasks, and allocation of the tasks and the responsibility for performing them.

Business Software Alliance

The Information Security Governance Task Force was formed by the Business Software Alliance and has two white papers in which the ideas and concepts regarding legislation and guidelines are formulated so that organizations can easily understand and implement them. These papers highlight two things. First, IT security should be dealt with as a corporate governance issue following best practices and standards like ISO/IEC, and a framework should be developed specifying each management role and its functions, objectives and measures (BSA, 2003). Second, the framework suggests an ideal model which details the functions of the stakeholders involved in the security process. This model comprises five basic steps, viz., Initiating, Diagnosing, Establishing, Acting and Learning. In addition, the appropriate tools should be present for assessment and verification of the implementation process (von Solms, 2005).

Information security policy: An organizational-level process model

This model emphasizes the policy mechanism of ISG, where the methodology incorporates data collection through interviews, questionnaires, surveys and expert counseling (Knapp et al., 2009).
It is also commonly referred to as the information security policy model, in which a set of interrelated processes is implemented in a recurring cycle. Although the model has similarities to government proposals wherein internal and external influences affect the overall policy making of a company, the attention is given to training and awareness of policies in the overall process of policy implementation.

11.4 Information Security Governance

Many researchers have proposed views and reasons in the field of Internet security governance (ISG) (Posthumus and von Solms, 2004). Most of the studies try to frame a standard framework to distinguish the two faces of ISG: governance and management. The approach proposed by Posthumus and Solms in 2006 describes more on ISG and Information Security Management and suggests them as an integral part of corporate governance. Corporate Governance is similar to Direct-Control Cycle modelling, where the steps in every cycle involve three management levels: strategic, tactical and operational (von Solms and von Solms, 2006). The Direct-Control Cycle is applicable to many dimensions of Information Security and is integrated with standards like COBIT and ISO/IEC.

ISACA

The generic model proposed by the Information Systems Audit and Control Association (ISACA) is centred around tackling problems in Information Security and is based on system theory, where input and output are the processes involved and operate as a complete functional unit. The tetrahedral structure of the model has four elements at its vertices (Organization Design and Strategy, People, Process and Technology) and six dynamic interconnections (Governing, Culture, Enabling and support, Emergence, Human factors and Architecture) among them that hold its elements together (ISACA, 2009).

ISO/IEC Standards

The International Organization for Standardization (ISO) is a body that deals with and frames a wide range of standards: worldwide proprietary, industrial and commercial standards. The protection of information, the development of a framework to manage the security of the information asset and the assessment of information are covered by ISO/IEC 27000, which mainly deals with Information Security Management Systems.
The standards often provide stringent security and guidelines for protection against security risk. Besides management issues, there are proposals that discuss information security governance issues. For instance, the paper by Solms in 2005 extensively focuses on COBIT. According to the paper, COBIT covers IT Governance issues but it does not focus on the details of how to achieve it. This is where the ISO/IEC family comes in handy, since it covers both information security and the details (von Solms, 2005).

11.7 ITGI

ISACA established the IT Governance Institute (ITGI) and developed COBIT to research IT governance. COBIT 4.1 has 34 processes and all these are categorized under four main domains, mainly control objectives, metrics, maturity models and management guidelines of process. Besides IT Governance, COBIT has processes related to Information Security Governance, like assessing and managing IT risks, ensuring continuous service delivery, observing system security issues and communicating management missions and objectives.

Information Security Governance plays an important role by providing the framework which helps in information security management and by defining criteria to achieve security in most organizations. This implies that the management of the organization should implement compliance policies based on the frameworks mentioned above, aligned with the organization's strategy. As every organization differs from the others with respect to business objectives, management strategy and the security measures it follows, it is not always guaranteed that the ISG approaches will fit within the organizational periphery. But frameworks provide organizations with the best possible practices to ensure better security policy-making.

12. User Security Behavior

Most organizations nowadays are reliant on the sensible security behavior of their employees. Although organizations try to formulate and model the best possible security policies, standards and compliance models, there is no guarantee that these measures spell out exactly when and what to do in each and every situation an employee encounters. Therefore, organizations that value their security policies cannot entirely depend on their employees to make sensible security decisions in every step of their tasks, no matter how small or critical the job.
Whether diligently checking a transaction before it is released, being careful what they say over the telephone to an external caller, selecting a non-trivial password, or thinking twice before opening an unexpected and out-of-context attachment, staff continually have to make day-to-day security decisions. Every day an employee faces situations in which they have to take a correct security decision; a wrong one could otherwise cost the organization a huge loss. Whether an employee is performing a daily transaction, answering calls, choosing a non-trivial password or opening an attachment, the security decision has to be taken logically and in accordance with the company's policies and compliance standards. A single wrong decision out of a thousand can lead to a critical security breach. According to the study conducted by the Information Security Forum, November 200, more than 80 per cent of security failures are due to poor security behavior of the employee rather than poor security solutions (Leach, 2003). Hence, improving user security behavior can prevent future security disasters and therefore lead to a secure information environment in the organization.

Figure 5 Factors influencing user security behaviour (Leach, 2003)

The security threat is one of the most prevalent risks that every organization in today's world faces and is the biggest concern of all. Among the various factors that affect an organization, the internal security threat is one. Comparatively, companies face more threat from their own staff or employees, who have the privileges of security authorization, than from external people who do not have access to IT facilities. The internal threat covers both user errors and omission. It is due to employees' negligence or sometimes a deliberate act. The behaviours of users in performing such actions involve:

- Errors like opening an odd-looking .exe file shared by an unknown person in an e-mail or sharing the password with friends.

- Negligence in applying security procedures, e.g. employees failing to do regular backups of data or IT support personnel resetting a password on the strength of a phone call.
- Users' negligence in complying with the security procedures and the risk involved, like leaving the system unattended without logging off.
- Deliberately neglecting the security process, for example sending a confidential e-mail outside the company without any security protection, or an IT support employee who does not keep infrastructure patched. Another deliberate attack may include security information being compromised to rival companies due to a personal dispute with the employers.

Nowadays, organizations encounter a serious threat due to the poor and unacceptable behaviour of employees, which is highly detrimental to the company. The behaviour of the employees should be analysed and studied through various interlocking techniques and by improving the security culture of the company. Since employees in the company are the biggest source of security threat, a systematic and standard procedure should be developed by the organization to ease the security process and strengthen information security as a whole.

13. An analysis of security behavior theories

13.1 General Deterrence Theory

General Deterrence Theory (GDT) has been extensively used to study the compliance behaviour of employees in organizations. GDT refers to the use of a negative enforcement strategy (punishment) to avoid unwanted or unsecured behaviour by increasing punishment certainty and severity (Straub and Welke, 1998, Straub, 1990). Some scholars argue that rewards (incentive and motivation), if used as a positive enforcement strategy, would help in achieving better compliance behaviour. Similarly, if a reward is combined with a sanction, it influences the employee's cost-benefit assessment of compliance with regard to non-compliance behaviour (Bulgurcu et al., 2010).
Viewed from a control perspective, both reward and punishment are the dominant factors of the control mechanism to achieve organizational security compliance (Kathleen, 1985). The effectiveness of a control mechanism depends on how it is implemented or put into practice. However, to date there have been no studies conducted to analyse the interaction effect between punishment and rewards in the subject of security compliance and policies. There are some contrasting findings in the security compliance literature. The effect of reward on security policy compliance in organizations seems inconsistent: reward policy does not work in influencing employees' intention to comply (Mikko et al., 2014), while some studies reveal reward as a positive tool in engaging employees towards security compliance (Bulgurcu et al., 2010). Although the use of punishment and reward has been an interesting subject in domains like social psychology and organizational management, there is no clear working evidence in the IS security compliance literature that it actually works (Fehr and Schmidt, 2007, Andreoni et al., 2003).

Protection Motivation Theory

Protection Motivation Theory (PMT) explains how security behaviour is driven by fears and how employees respond to threats or dangers. An individual goes through a cognitive process in response to the threat. How the threats are perceived (threat appraisal factors) is based on three factors: rewards or benefits (intrinsic or extrinsic motivation of increasing or avoiding uncompliant behaviour), severity of the threat and vulnerability (an individual's perception of the magnitude of threat susceptibility). PMT also describes the coping appraisal of an individual in response to a threat. Its factors are: response efficacy (individual perception of the benefits of coping with the threat by eliminating the threat), response cost (perception of implementing security behaviour) and self-efficacy (the ability of an employee to follow security behaviour). Although PMT has been applied in the IS domain due to its general nature, there is no evidence of full implementation of all the coping and threat appraisal factors (Anthony et al., 2012).

Rational Choice Theory

Another approach that explains the security compliance behaviour of an employee in an organization is Rational Choice Theory (RCT), developed by Becker. He proposes that an offence is analysed on two parameters, costs and benefits, before it is carried out.
The Rational Choice Theory is applied in multiple contexts to help understand the deviant or non-compliant behaviour of an offender, such as theft, drunk-driving and juvenile delinquency (Becker, 1968). Paternoster and Simpson gave a redefinition of RCT in 1996 which suggests that the theory consists of two basic premises of consideration before an offence is made: a) balancing the cost and benefit of offending and b) the offender's perceived or subjective expectation of reward and cost. In simple terms, the first premise suggests that an offender analyses multiple consequences of behavior and selects the one with the best outcome, whereas the second premise suggests that the deviant or non-compliant behavior is the result of the offender's choice based on his/her analysis of rewards and cost (Paternoster and Simpson, 1996). The non-compliant security behavior of an employee can be better viewed from the perspective of Rational Choice Theory, since employees tend to assess costs and benefits in their routine tasks, putting the organization into serious jeopardy. For example, browsing unidentified websites, using portable USBs to transfer files and downloading non-work-related software are deviant behaviours that expose the security of an organization to high vulnerability and threats (Li et al., 2010).

Job Demands-Resources Model

The JD-R (Job Demands-Resource) model is widely used in many domains to analyse risk, safety and job satisfaction in diverse organizational settings (Bakker and Demerouti, 2007). The model proposes that with every kind of work there is some stress associated (Bakker et al., 2005). Work stress is generally divided into two categories: job demands and job resources. Job demands require physical or mental effort related to the physical, psychological or social aspects of the job and have a certain physical or psychological cost. Job resources, in turn, are the physical, psychological and social job aspects that are essential to perform the job, lessen job demands and related costs and eventually help to attain personal development (Bakker and Demerouti, 2007). The JD-R model proposes that when job demands are high and job resources are limited, job stress occurs (Demerouti et al., 2001). Many scholars have supported this proposition by weighing job demands and job resources on one scale and burnout, exhaustion and health problems on the other (Bakker et al., 2005). Burnout and engagement are the two outcomes of the JD-R model. Burnout is a negative effect of job demand that can affect the employee psychologically and is an exhaustion of mind when job demand is high. Work engagement is defined as a positive psychological element that occurs when there is high availability of job resources. It is a positive and fulfilling state of mind filled with vigour, dedication and absorption (Hu et al., 2013). The security demands and resources are the determinants of the security compliance of employees in an organization.
If the organizational security resources are made available to ease the employees' security tasks and procedures, then job burnout in the work environment is reduced and, as a consequence, work engagement and security compliance increase.

Literature: Mark et al., 2005
Theory: Organizational climate
Research variables and constructs: Organizational security climate affects employees' security compliance behaviour. Organizational security climate is the sum of underlying security values, beliefs and principles that employees hold in an organization within a security framework that the organization implies.
Advantages:
- Can provide direction and certainty; reduce conflict and confusion in times of emergency.
- Unifies individual effort behind the vision of the organizational security culture.
Limitations:
- If the organizational climate is weak and vulnerable, the negative outcomes have to be shared by every individual.

Literature: Straub and Welke, 1998; Straub, 1990; Bulgurcu et al., 2010
Theory: General Deterrence Theory (GDT)
Research variables and constructs: The use of positive (rewards) and negative (punishment) enforcement strategy in compliance policies.
Advantages:
- Designed to prevent crime in the general population.
- Deters people from unacceptable behaviour.
- Increases in the certainty of apprehension of offenders, conviction and punishment have been found to have possible effects on crime reduction.
Limitations:
- It is based on an incomplete understanding of crime causation.

Literature: Anthony et al., 2012; Siponen et al., 2010
Theory: Protection Motivation Theory (PMT)
Research variables and constructs: The effect of sanction, coping appraisal and threat appraisals.
Advantages:
- Widely used in changing health-related behaviours.
- Persuading consumers to use less energy.
- Used in social marketing campaigns (e.g., stop smoking campaign).
Limitations:
- Does not consider all the environmental and cognitive variables, such as the impact of social norms.

Literature: Becker, 1968; Paternoster and Simpson, 1996
Theory: Rational Choice Theory
Research variables and constructs: Two premises for offence: costs and benefits.
Advantages:
- A prototype for a more deductive approach to analysis in domains like politics, human psychology and so on.
- Used in gaming applications, coalition building and public good.
Limitations:
- Human social action and interactions are complex; many of the theories examined earlier may provide better guides to how these take place.
- Theorists of rational choice argue that macro level structures and institutions can be explained from the modes of individual social action. But there are problems of aggregation of individual to societal level phenomena.

Literature: Demerouti et al., 2001; Bakker et al., 2005
Theory: JD-R (Job Demands-Resource) model
Research variables and constructs: Job burnout (negative psychological effect): it occurs when job demand is high. Engagement (positive psychological effect): it occurs when there is high availability of job resources.
Advantages:
- Instead of focusing solely on negative outcome variables (e.g., burnout, ill health, and repetitive strain), the JD-R model includes both negative and positive indicators and outcomes of employee well-being.
Limitations:
- One potential limitation of the JD-R model is that it focuses solely on the psychosocial work environment as the antecedent of health-related and motivational outcomes and dismisses the factors not related to work.

Literature: (Ajzen, 2002)
Theory: Theory of Planned Behaviour
Research variables and constructs:
- Behavioural intent: Intention of an individual to perform a security compliant behaviour.
- Subjective norms: The individual expectation or belief of other people that leads to perceived social pressure in complying with security policies.
- Perceived behavioural controls: The perception about the factors that ease or hinder the security behaviour.
- Perceived controllability: The individual sense of control over security policies enforcement.
- Attitude towards compliance: The extent to which an individual has an appraisal (favourable or unfavourable) of security policies.
- Perceived sanction severity: The impact/effect of penalty over disobedience to security compliance policies.
Advantages:
- This theory has been very effective in predicting health-related behaviours such as smoking, exercise, safe sex, etc. Researchers have been able to predict how people will react to these things or change their lifestyle, which helps in finding ways to improve health.
Limitations:
- Compared to affective processing models, the theory of planned behaviour overlooks emotional variables such as threat, fear, mood and negative or positive feeling and assesses them in a limited fashion.

Literature: (Bandura, 2001)
Theory: Social cognitive theory
Research variables and constructs: Self-efficacy: The individual perception of his/her ability to perform a task or security behaviour.
Advantages:
- Concerned with important human social behaviours.
- Focused on important theoretical issues, e.g., role of reward in learning, the stability of behaviour.
Limitations:
- Not a fully systematized, unified theory; loosely organized.
- Maturation and changes over the lifespan ignored.

Table 2 Theories applied in security policy compliance

Existing theory / PP (Positive Traits, Personal Strength) model

Theory of Organizational Climate: It strengthens the organizational security climate because of mutual participation of employees and organization.

General Deterrence Theory: Instead of focusing on the likelihood of noncompliant behaviours and the use of penalty and reward, the model is fairly shared by employees and organizations and includes positive characteristics of both.

Protection Motivation Theory: No use of threat, persuasion and sanction; the model suggests continuous improvements and analysis of positive traits and strength of employees to develop the compliance model for a comfortable organizational scenario.

Rational Choice Theory: No predetermined analysis of cost and benefit involved. Instead, the model suggests that compliance models meet the best interest of employees and their positive traits and strength, so that there is no need for deduction to be made by employees before undertaking any security compliance behaviour.

JD-R (Job Demands-Resource) model: In contrast to work and resource assessment, the PP model is not limited to these two factors. It is a multidisciplinary approach that suggests positive psychology of employees to be a major priority in compliance policies development.

Theory of Planned Behaviour: As opposed to TPB, where emotional variables are overlooked, the PP model is based on emotional, social, and psychological traits of employees.

Social Cognitive Theory: Social cognitive theory fails to include maturation and changes that might occur in an individual's self-efficacy, whereas the PP model proposes that the employees' self-efficacy will be analysed, processed and highly observed to create better security compliance policies.

Table 3 Gap between the existing theories and PP model

13.5 The PP (Positive Traits, Personal Strength) model

Employees' personality traits and strengths would have major impacts on shaping the security compliance policies of the organization. Much research on personality variables such as the Big Five model, optimism, perceived control, repressive coping and wellbeing is currently being conducted. However, very little research is available on how these variables function together to achieve people's wellbeing in human life (Jibeen, 2014). The Five Factor Model is one of the most adopted models, as it describes the levels of a person's personality traits. It is based on five basic personal traits that balance a person's emotional and social life. This model provides a standard framework to study other specific personality constructs and covers a comprehensive taxonomy of human personality (Sanjay et al., 2003; McCrae and John, 1992). The five dimensions that conceptualize human personality are neuroticism, extraversion, openness to experience, agreeableness and conscientiousness (Costa et al., 1987).

Positive psychology is another domain for looking at human wellbeing, and it has recently caught the attention of businesses and researchers alike. According to Martin E. P. Seligman, positive psychology is a science of positive subjective experiences (well being, contentment, hope, optimism), positive individual traits (courage, interpersonal skill, future mindedness, talent, wisdom) and positive organizations commitment) (Seligman and Csikszentmihalyi, 2000). In particular, optimism is the trait that has been the most studied and researched construct within this domain in the last 10 years (Seligman et al., 2005). It proposes that positive thinking influences human reactions, behavior and actions towards a negative situation or environment. According to Buss, personality traits are the sum of individual qualities or resources that help in solving adaptive problems.

The introduced PP (Positive Traits, Personal Strength) model is a framework that is based on two main personal positive characteristics, namely the employee's positive traits (courage, interpersonal skills, wisdom, positive experience, leadership skills) and personal strengths (self-efficacy, expertise, optimism). We propose that organizations' identification and awareness of these traits within their employees during the development of security policies would result in sustainable employee security compliance. This proposal is based on the findings in recent research that these personality variables could be employed in many areas of life and lead to a better human life. Accordingly, this study argues that it could also be applicable to many organizational settings for a better institutional future, and hence to organizational security policies as well.

Prior research mostly focused on the notions of rewards, penalties, use of sanctions, fear appraisals, coping appraisals, and cost-benefit analysis, as discussed in widely adopted models such as protection motivation theory, general deterrence theory and rational choice theory. We propose the PP model as a new approach to looking at how organizations could increase employees' security compliance by building their policies based on employees' personal positive traits. We argue that the PP model would significantly improve the employee's security behavior towards security policies. The central proposition of our model lies in our belief that organizational policy makers' awareness of their employees' positive traits and personal strength leads to policies that could be more acceptable to the employees, and consequently to an increase in adoption of and compliance with the policies.

Organizational security compliance and policy mechanisms are always prone to threats and vulnerability because organizations hold a deep-rooted belief that employees are the weakest link in security. A debatable issue here could be whether it is the employees who are to be blamed for the failure in security adoption and/or compliance, or whether it is the organizational policies, which are developed, enforced and expected to be adhered to by employees without any consideration of the employees' traits and strengths. We hope that such a model would minimize the level of uncertainty regarding how to improve employees' compliance. We believe that the PP model would be the driver of mutual happiness between the security management and the employees in the organization.

As we have discussed so far, the fundamental basis of the model is the application of employees' positive traits and personal strength in the development of the organizational security compliance policies. Therefore, if a systematic and holistic approach can be developed to analyze the employees' personal traits and strengths, there would be a high possibility of achieving better employee security compliance. It is recommended that the organization resort to psychologists on a permanent basis, who would constantly study the employees' behavior, traits and strength. This would result in two benefits: 1) avoidance of future security non-compliance behavior, and 2) development of policies to positively motivate and engage employees towards compliance.

Figure 13.1 (Figure 6) The PP model

As can be seen from the figure above, employees are the main focus of the organization's security policies. The identification and implementation of the employees' personality traits, positive traits and personal strength directly influence the security policies of the organization, and vice versa. If the employees' positive traits (courage, interpersonal skills, wisdom, positive experience, leadership skills) and personal strength (self-efficacy, expertise, optimism) are analyzed and processed with a high degree of care and attention, the organization can manage and maintain the integrity of security in a timely manner. The regular process of data collection, analysis and monitoring of the employees' personality helps in the development of effective organizational policy.

However, the organizational policy does not rely solely on employees' positive traits and personal strength. Organizations have their own security policies and compliance standards that facilitate the process of employee compliance in many ways. For example, organizations adopt the latest hardware and software technologies to ensure the security of information and lessen the burden of employee compliance. The security of information gained momentum after the 1960s, when security concerns were just about the security of the physical components of the system; for example, the printouts in the top organizations were circulated in a protected environment. Thereafter, with the advent of sophisticated technologies, organizations started integrating IT services and shifted from closed environments to complex environments that function in a connected and distributed network of security facilities (von Solms, 1996). There is a paradox that states, "Information security is a technological problem with a technological solution." This statement holds little significance in the current context, since security is more about managing risk than a technological agenda alone (Whitman et al.).

In addition, some limitations organizational policies are implemented with a fair objective of ensuring security. The security policies are designed without the intervention of the employees and follow some security standards. This process eliminates the need for employees' compliance and reduces the burden of security compliance. However, organizational policy does not suffice with its security measures alone; there are always some levels of expectation regarding employees' engagement in the fulfilment of information security. The process by which organizations expect employees to comply involves a reduction in the need for compliance by employees, since organizational policies will be based on their positive traits and personal strength, and an increase in the intention to comply, as the employees will be acquainted with an organizational security policy that supports their traits and strength.

The reduction of the employees' requirements to comply with the security policies reduces employees' security engagement. The employees rely solely on the organizational security measures and implementations in the workplace; thereby, employees need not be worried about security and risk issues. On the other hand, employees' intention to comply increases their security engagement. The employees feel comfortable with organizational policies based on their positive traits and personal strength; therefore, they are more likely to engage in following security behaviours and measures to protect their organizational assets. This creates a seamless environment within the organization, which, in fact, is the essence of sustainable security compliance. As a result, the employees' satisfaction with the organizational security policies is achieved.

14. Conclusion and Recommendation

Employees' interactions with and reactions towards organizational information technology tools, systems and policies are unpredictable. There are various factors that influence employees' decisions towards compliance with the organization's diverse policies and procedures. Human psychology and reactions are complex and dynamic in nature, while organizations' security compliance policies remain rigid and still adopt the traditional approach of punishments and rewards. So how can we expect employees to practice the same old approach, knowing that humans are so complex and dynamic? Therefore, the differences in the personality of employees, and their positive personality traits and strengths, should be fairly acknowledged in the process of formulating security policies, and the policies gradually modified to meet the interest of the employees.

Social factors greatly influence the pattern of employees' security behavior. People have the tendency to follow group norms. If the group considers security compliance seriously and practices security behavior, an individual is more likely to follow policies. Conversely, if the group follows a risky approach in security practices, an individual will undertake risk and become offensive in following compliance (Seligman and Csikszentmihalyi, 2000). Password sharing behavior is an example of group norms. An individual is more likely to share his/her password with intimate friends as a sign of trust, while refusing to share it with a person they do not trust. Similar norms may exist in the organization, which is highly critical and can jeopardize the company. A social effect commonly known as the bystander effect also influences the individual's perception of and response to risk. This effect suggests that as the number of people present in the organization increases, there is a shift of responsibility that ultimately decreases the responsibility for security compliance.

The majority of research in psychology is inclined to study the negative emotions and experiences of an individual, and is applied in the medical domain to a large extent. It has proven a success in solving fuzzy concepts such as schizophrenia, anger and depression. We believe that the application of positive psychology in the study of security compliance can create a radical change in organizations' security compliance and how it has been perceived for such a long time. The study of employees' traits and strength will allow psychologists to understand and draw a roadmap of sustainable security compliance in the organization (Seligman and Csikszentmihalyi, 2000).

Organizations should devise a policy model that encompasses positive security behaviors through trainings, awareness campaigns, and improvements in security technology (both software and hardware) in unison with employees' positive personal characteristics. By personal characteristics of an employee we refer to skills, efficacy, knowledge, expertise, positive past experience and cognitive attributes (emotional, mental and intellectual) gained within a given timeframe. Based on most of the current research, the organization's expectations regarding employees' compliance with security measures should not be very high. Most such attempts either failed or were not followed as expected. We strongly believe that a different approach is vital, one based on building the policies with minimal employee interference. This can be achieved by building policies based on the employees' positive traits and personal strength. This will require top management to introduce a complete study of these traits and strength. It also requires experts in the field of psychology and human management who are able to identify most of the employees' traits and strengths. Hence, the organization should develop its policies on employees' positive traits and personal strength to gain sustainable security compliance.

15. Appendices

15.1 Appendix A - Glossary

Anti-virus - a program or software used to combat a harmful piece of code or program
Balance Scorecard - a strategic planning and management system or tool used in businesses and organizations
COBIT - Control Objectives for Information and Related Technology (COBIT) is a framework designed for management of Information Technology and governance
Cognitive - a conscious mental behavior like understanding, thoughts, recalling, etc.

Compliance - an act of conforming or agreeing to specified rules or requirements
Confidentiality - a process of hiding the information or preserving the information to maintain its secrecy
Deterrence - punishment method to deter people from offending
Efficacy - skill or ability to achieve a desired result or outcome
Encryption - a process of hiding information
Expertise - a highly proficient mastery over certain skills
Explicit - a clear and straightforward meaning of a subject
Firewall - a program used to prevent unauthorised people from connecting to the network
Information - a fact that gives knowledge on a certain subject
Integrity - completeness or wholeness of information to make it meaningful
Intrinsic - an internal essence of a subject or behavior
Knowledge management - storing and preserving the information/knowledge of an organization to achieve its goal and objective
Locus - the central point of origin
Positive Psychology - the branch of science that deals with the positive attributes of human beings to make life more fulfilled with satisfaction and positivity through happiness
Psychology - a science that deals with people's minds and behavior
Sanction - a forceful or coercive way of making people or a system obey the rules or regulations
Schizophrenia - a mental disorder that is characterized by abnormal social behavior and failure to recognize what is real
Self-efficacy - a personal belief in his/her abilities
Sustainable - capacity to endure
Tacit knowledge - knowledge that cannot be expressed by verbal or written means
Trait - a characteristic or attribute of a specific subject

15.2 Appendix B - Search Terms

Columns: Keyword; Title | Database | Year

Keyword: Information security compliance
Organizations' information security policy compliance: stick or carrot approach? | CDU Summon | 2012
Information Security | ACM Digital Library | 2006
Understanding information systems security policy compliance: An integration of the theory of planned behaviour and the protection motivation theory | ScienceDirect | 2012
An Empirical Investigation of Factors Influencing Information Security Behavior | EBSCO Host | 2008
Compliance with Information Security Policies: An Empirical Investigation | IEEE Xplore Digital Library | 2010

Keywords: Positive psychology; Information security self-efficacy
Positive Psychology: Theory, Research and Applications | ProQuest | 2011
Self-efficacy in information security: Its influence on end users' information security practice behavior | ScienceDirect | 2009
Self-efficacy mechanism in human agency | EBSCO Host | 1982
Self-efficacy: Toward a unifying theory of behavioral change | EBSCO Host | 1977
Self-efficacy and work-related performance: A meta-analysis. | EBSCO Host | 1998
Personal Values, Autonomy, and Self-efficacy: Evidence from frontline service employees | Wiley Online Library | 2012

Keywords: Theory of planned behavior; Knowledge Management; Information security behavior
Perceived Behavioral Control, Self-Efficacy, Locus of Control, and the Theory of Planned Behavior | Wiley Online Library | 2002
Sharing Expertise: Beyond Knowledge Management | ProQuest | 2003
Encouraging information security behaviours in organizations: Role of penalties, pressures and perceived effectiveness | ScienceDirect | 2009
Personality Strength and Situational Influences on Behaviour A Conceptual Review and Research Agenda | Sage Journals | 2014

Keyword: Organizational culture
Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture | Wiley Online Library | 2012

Keyword: Information Security
A Dynamic Theory of Organizational Knowledge Creation | JSTOR | 1994
Security, risk analysis and governance: a practical approach | ScienceDirect | 2007

Keywords: Governance; General Deterrence Theory; Protection Motivation Theory; Rational Choice Theory
Using IT governance and COBIT to deliver value with IT and respond to legal, regulatory and compliance challenges | ScienceDirect | 2006
BSA Task Force Unveils Industry Framework for Information Security Governance | ScienceDirect | 2006
Information security policy: An organizational-level process model | ScienceDirect | 2009
New ISACA business model | Academic OneFile | 2009
Coping with Systems Risk: Security Planning Models for Management Decision Making | JSTOR | 1998
IS Security Policy Violations: A Rational Choice Perspective | Academic OneFile | 2012
Motivating IS security compliance: Insights from Habit and Protection Motivation Theory | ScienceDirect | 2012
Social Class And Delinquency: An Empirical Utilization Of Rational Choice Theory With Cross-Sectional Data Of The 1990 And 2000 German General Population Surveys (Allbus) | Sage | 2006
Sanction Threats and Appeals to Morality: Testing a Rational Choice Model of Corporate Crime | JSTOR | 1996

Keyword: Job Demands-Resource Model
Job demands-resources model | EBSCO HOST | 2001
Work orientations in the job demands-resources model | Emerald Insight | 1986

References:

AJZEN, I Perceived Behavioral Control, Self Efficacy, Locus of Control, and the Theory of Planned Behavior. Journal of Applied Social Psychology, 32,
AJZEN, I Attitudes, personality, and behavior, Berkshire, Open University Press.
ANDREONI, J., HARBAUGH, W. & VESTERLUND, L The Carrot or the Stick: Rewards, Punishments, and Cooperation. The American Economic Review, 93,
ANTHONY, V., MIKKO, S. & SEPPO, P Motivating IS security compliance: Insights from Habit and Protection Motivation Theory. Information & Management, 49, 190.
BAKKER, A. B. & DEMEROUTI, E The Job Demands-Resources model: state of the art. Journal of Managerial Psychology, 22,

BAKKER, A. B., DEMEROUTI, E. & EUWEMA, M. C Job Resources Buffer the Impact of Job Demands on Burnout. Journal of Occupational Health Psychology, 10,
BANDURA, A Self-efficacy: Toward a unifying theory of behavioral change. Psychological Review, 84,
BANDURA, A Self-efficacy mechanism in human agency. American Psychologist, 37,
BANDURA, A Social cognitive theory: An agentic perspective. Annual Review of Psychology, 52,
BANDURA, A. & JOURDEN, F. J Self-Regulatory Mechanisms Governing the Impact of Social Comparison on Complex Decision Making. Journal of Personality and Social Psychology, 60,
BECKER, G. S Crime and Punishment: An Economic Approach. Journal of Political Economy, 76,
BELSIS, P., KOKOLAKIS, S. & KIOUNTOUZIS, E Information systems security from a knowledge management perspective. Information Management & Computer Security, 13,
BULGURCU, B., CAVUSOGLU, H. & BENBASAT, I Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness? Management information systems, 34,
CAMERON, K., DUTTON, J. & BOOKS24X, I Positive Organizational Scholarship: Foundations of a New Discipline, US, Berrett-Koehler Publishers.
CARR, A Positive psychology: The science of happiness and human strengths, Routledge.
COOPER, R. B Information Technology Development Creativity: A Case Study of Attempted Radical Change. MIS Quarterly, 24,
COSTA, J. P. T., MCCRAE, R. R. & ZONDERMAN, A. B Environmental and dispositional influences on wellbeing: longitudinal follow-up of an American national sample. British journal of psychology (London, England : 1953), 78 ( Pt 3), 299.
D'ARCY, J. & GREENE, G Security culture and the employment relationship as drivers of employees security compliance. Information Management & Computer Security, 22,
DALAL, R. S., MEYER, R. D., BRADSHAW, R. P., GREEN, J. P., KELLY, E. D. & ZHU, M Personality Strength and Situational Influences on Behavior: A Conceptual Review and Research Agenda. Journal of Management, 41,
DAVID, A. & FIFIELD, N Re-engineering change in higher education. Information Research: an international electronic journal, 4, 56.
DEMEROUTI, E., BAKKER, A. B., NACHREINER, F. & SCHAUFELI, W. B The job demands-resources model of burnout. Journal of Applied Psychology, 86,
ELLA, K., GURPREET, D., HANDELSHÖGSKOLAN VID ÖREBRO, U. & ÖREBRO, U Organizational power and information security rule compliance. Computers & Security, 33, 3.

FEHR, E. & SCHMIDT, K. M Adding a Stick to the Carrot? The Interaction of Bonuses and Fines. The American Economic Review, 97,
FRYER, B / Accentuate the positive. Harvard Business School Press.
HARDY, G Using IT governance and COBIT to deliver value with IT and respond to legal, regulatory and compliance challenges. Information Security Technical Report, 11,
HEFFERON, K. & BONIWELL, I Positive Psychology : Theory, Research and Applications, Maidenhead, Berkshire, England, McGraw-Hill Education.
HERATH, T. & RAO, H. R Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47.
HIRSCHI, T Causes and Prevention of Juvenile Delinquency. Sociological Inquiry, 47,
HU, Q., DINEV, T., HART, P. & COOKE, D Managing employee compliance with information security policies: the critical role of top management and organizational culture. Decision sciences, 43,
HU, Q., SCHAUFELI, W. B. & TARIS, T. W Does equity mediate the effects of job demands and job resources on work outcomes?: An extension of the job demands resources model. Career Development International, 18,
IFINEDO, P Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers and Security, 31,
ISACA An introduction to the business model for information security. Database and Network Journal, 39, 6.
JESAN, J Information security. Ubiquity U6, 2006, 2-2.
JIBEEN, T Personality Traits and Subjective Well-Being: Moderating Role of Optimism in University Employees. Social Indicators Research, 118,
KATHLEEN, M. E CONTROL: ORGANIZATIONAL AND ECONOMIC APPROACHES. Management Science (pre- 1986), 31, 134.
KNAPP, K. J., FRANKLIN MORRIS, R., MARSHALL, T. E. & BYRD, T. A Information security policy: An organizational-level process model. Computers & Security, 28,
LEACH, J Improving user security behaviour. Computers & Security, 22,
LEE, S. M., LEE, S.-G. & YOO, S An integrative model of computer abuse based on social control and general deterrence theories. Information & Management, 41,
LI, H., ZHANG, J. & SARATHY, R Understanding compliance with internet use policy from the perspective of rational choice theory. Decision Support Systems, 48,
LUTHANS, F The Need for and Meaning of Positive Organizational Behavior. Journal of Organizational Behavior, 23,
MARK, C., IRENE, W. & ATREYI, K Perceptions of Information Security in the Workplace: Linking Information Security Climate to Compliant Behavior. Journal of Information Privacy & Security, 1, 18.

MCCRAE, R. R. & JOHN, O. P An introduction to the five-factor model and its applications. Journal of personality, 60,
MIKKO, S., MAHMOOD, M. A. & SEPPO, P Employees' adherence to information security policies: An exploratory field study. Information & Management, 51,
NONAKA, I A Dynamic Theory of Organizational Knowledge Creation. Organization Science, 5,
PASQUINUCCI, A Security, risk analysis and governance: a practical approach. Computer Fraud & Security, 2007,
PATERNOSTER, R. & SIMPSON, S Sanction Threats and Appeals to Morality: Testing a Rational Choice Model of Corporate Crime. Law & Society Review, 30,
PETERSON, S. J. & SPIKER, B. K Establishing the positive contributory value of older workers: a positive psychology perspective. Organizational Dynamics, 34, 153.
POSTHUMUS, S. & VON SOLMS, R A framework for the governance of information security. Computers & Security, 23,
RHEE, H.-S., KIM, C. & RYU, Y. U Self-efficacy in information security: Its influence on end users' information security practice behavior. Computers & Security, 28,
SANJAY, S., OLIVER, P. J., SAMUEL, D. G. & JEFF, P Development of Personality in Early and Middle Adulthood: Set Like Plaster or Persistent Change? Journal of Personality and Social Psychology, 84,
SELIGMAN, M. E. P. & CSIKSZENTMIHALYI, M Positive Psychology: An Introduction. American Psychologist, 55,
SELIGMAN, M. E. P., STEEN, T. A., PARK, N. & PETERSON, C Positive Psychology Progress: Empirical Validation of Interventions. American Psychologist, 60,
SILIC, M. & BACK, A Information security. Information Management & Computer Security, 22,
SIPONEN, M., PAHNILA, S. & MAHMOOD, M. A Compliance with Information Security Policies: An Empirical Investigation. Computer, 43.
SOUSA, C. M. P., COELHO, F. & GUILLAMON-SAORIN, E Personal values, autonomy, and self-efficacy: evidence from frontline service employees. International journal of selection and assessment, 20,
STAJKOVIC, A. D. & LUTHANS, F A Meta-Analysis of the Effects of Organizational Behavior Modification on Task Performance, The Academy of Management Journal, 40,
STAJKOVIC, A. D. & LUTHANS, F Self-efficacy and work-related performance: A meta-analysis. Psychological Bulletin, 124,
STRAUB, D. W., JR Effective IS Security: An Empirical Study. Information Systems Research, 1,
STRAUB, D. W. & NANCE, W. D Discovering and Disciplining Computer Abuse in Organizations: A Field Study. MIS Quarterly, 14,

STRAUB, D. W. & WELKE, R. J Coping with Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly, 22,
SUNIL, H., WILLIAM, H. & BETH, C An Empirical Investigation of Factors Influencing Information Security Behavior. Journal of Information Privacy & Security, 4, 3.
TURNER, N., BARLING, J. & ZACHARATOS, A Positive psychology at work. Handbook of positive psychology,
TYLER, T. R. & BLADER, S. L Can Businesses Effectively Regulate Employee Conduct? The Antecedents of Rule following in Work Settings. The Academy of Management Journal, 48,
VAN MUIJEN, J. J., AL, E. & VAN MUIJEN, J. J Organizational Culture: The Focus Questionnaire. European journal of work and organizational psychology, 8,
VON SOLMS, B Information Security governance: COBIT or ISO or both? Computers & Security, 24,
VON SOLMS, R Information security management: The second generation. Computers & Security, 15,
VON SOLMS, R. & VON SOLMS, B The 10 deadly sins of information security management. Computers & Security, 23,
VON SOLMS, R. & VON SOLMS, S. H Information Security Governance: A model based on the Direct Control Cycle. Computers & Security, 25,
WHITMAN, M., FENDLER, P., CAYLOR, J. & BAKER, D. Rebuilding the human firewall ACM,
WORKMAN, M., BOMMER, W. H. & STRAUB, D Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24,
WULF, V. & ACKERMAN, M. S Sharing Expertise: Beyond Knowledge Management, MIT Press.
ZHANG, Y. & ESPINOZA, S Relationships Among Computer Self-Efficacy, Attitudes Toward Computers, and Desirability of Learning Computing Skills. Journal of Research on Computing in Education, 30,


More information

Motivation. Motivation as defined by Sage is the direction and intensity of one s effort.

Motivation. Motivation as defined by Sage is the direction and intensity of one s effort. Motivation In Sport Motivation Motivation as defined by Sage is the direction and intensity of one s effort. Pitfalls and Dangers of Motivating? Adopting specific motivational strategies for all situations

More information

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights)

Impact of Cybersecurity Innovations in Key Sectors (Technical Insights) Impact of Cybersecurity Innovations in Key Sectors (Technical Insights) Customized cybersecurity measures help overcome Industry specific challenges September 2014 Table of Contents Section Slide Number

More information

Kenya Revenue Authority (KRA)

Kenya Revenue Authority (KRA) Kenya Revenue Authority (KRA) Chief Manager - HR Development and Performance Management Job details Reference Number: KRA/HR02/14 Job Title: Chief Manager - HR Development and Performance Management Supervisor:

More information

Bossier Parish Community College

Bossier Parish Community College Bossier Parish Community College Department of Cyber Information Technology Welcome to the Program! Network Security & Networking Tracks Code of Conduct This marks the beginning of your journey through

More information

Network Security Policy

Network Security Policy Network Security Policy I. PURPOSE Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus

More information

The Influence of Software Vulnerabilities on Business Risks 1

The Influence of Software Vulnerabilities on Business Risks 1 The Influence of Software Vulnerabilities on Business Risks 1 Four sources of risk relevant for evaluating the influence of software vulnerabilities on business risks Authors Hilbrand Kramer, MSc (Royal

More information

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT

QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT QUANTITATIVE MODEL FOR INFORMATION SECURITY RISK MANAGEMENT Rok Bojanc ZZI d.o.o. [email protected] Abstract: The paper presents a mathematical model to improve our knowledge of information security and

More information

Applied Psychology. Dr. Marya Howell-Carter, Acting Chair Psychology Dept. Bachelor of Science Degree

Applied Psychology. Dr. Marya Howell-Carter, Acting Chair Psychology Dept. Bachelor of Science Degree Applied Psychology Dr. Marya Howell-Carter, Acting Chair Psychology Dept. Bachelor of Science Degree The Applied Psychology program leads to a Bachelor of Science degree with a concentration in Industrial/Organizational

More information

MEDICAL TRAINEE DATA FORM (This information is required for all medical students)

MEDICAL TRAINEE DATA FORM (This information is required for all medical students) ALEXANDRA MARINE AND GENERAL HOSPITAL 120 Napier Street, GODERICH, ON N7A 1W5 (519) 524-8689 ext. 5712 Fax: (519) 524-5579 Email: [email protected] MEDICAL TRAINEE DATA FORM (This information

More information

INTRODUCTION TO INDUSTRIAL ORGANIZTIONAL PSYCHOLOGY

INTRODUCTION TO INDUSTRIAL ORGANIZTIONAL PSYCHOLOGY SUBJECT INTRODUCTION TO INDUSTRIAL ORGANIZTIONAL PSYCHOLOGY SESSION 1 INTRODUCTION TO INDUSTRIAL ORGANIZATIONAL PSYCHOLOGY Subject: Introduction Industrial Organizational Psychology Session 1 What Is Industrial

More information

Wright State University Information Security

Wright State University Information Security Wright State University Information Security Controls Policy Title: Category: Audience: Reason for Revision: Information Security Framework Information Technology WSU Faculty and Staff N/A Created / Modified

More information

THE HUMAN COMPONENT OF CYBER SECURITY

THE HUMAN COMPONENT OF CYBER SECURITY cybersecurity.thalesgroup.com.au People, with their preference to minimise their own inconvenience, their predictability, apathy and general naivety about the potential impacts of their actions, are the

More information

Information Governance Strategy

Information Governance Strategy Information Governance Strategy Document Status Draft Version: V2.1 DOCUMENT CHANGE HISTORY Initiated by Date Author Information Governance Requirements September 2007 Information Governance Group Version

More information

Dual Diagnosis Dr. Ian Paylor Senior Lecturer in Applied Social Science Lancaster University

Dual Diagnosis Dr. Ian Paylor Senior Lecturer in Applied Social Science Lancaster University Dual Diagnosis Dr. Ian Paylor Senior Lecturer in Applied Social Science Lancaster University Dual diagnosis has become a critical issue for both drug and mental health services. The complexity of problems

More information

ORGANISATIONAL CULTURE. Students what do you all think Organizational Culture is? Can you all define it in your own way.

ORGANISATIONAL CULTURE. Students what do you all think Organizational Culture is? Can you all define it in your own way. Lesson:-35 ORGANISATIONAL CULTURE Students what do you all think Organizational Culture is? Can you all define it in your own way. In the 1980's, we saw an increase in the attention paid to organizational

More information

The Comprehensive Evaluation of Student-Trainee Competence in Professional Psychology Programs

The Comprehensive Evaluation of Student-Trainee Competence in Professional Psychology Programs The Comprehensive Evaluation of Student-Trainee Competence in Professional Psychology Programs I. Overview and Rationale Professional psychologists are expected to demonstrate competence within and across

More information

Human Resources Management Philosophy JAGODA MRZYGŁOCKA-CHOJNACKA PHD 1

Human Resources Management Philosophy JAGODA MRZYGŁOCKA-CHOJNACKA PHD 1 Human Resources Management Philosophy JAGODA MRZYGŁOCKA-CHOJNACKA PHD 1 Human Resources Management Philosophy The HR Management Philosophy is not mainly about Human Resources Function. It is more about

More information

How To Study Information Security

How To Study Information Security Assessing The Relative Importance of Information Security Governance Processes Master Thesis Stockholm, Sweden 2011 XR-EE-ICS 2011:002 ASSESSING THE RELATIVE IMPORTANCE OF INFORMATION SECURITY GOVERNANCE

More information

Guidelines 1 on Information Technology Security

Guidelines 1 on Information Technology Security Guidelines 1 on Information Technology Security Introduction The State Bank of Pakistan recognizes that financial industry is built around the sanctity of the financial transactions. Owing to the critical

More information

This historical document is derived from a 1990 APA presidential task force (revised in 1997).

This historical document is derived from a 1990 APA presidential task force (revised in 1997). LEARNER-CENTERED PSYCHOLOGICAL PRINCIPLES: A Framework for School Reform & Redesign TABLE OF CONTENTS: Background Learner-Centered Principles Prepared by the Learner-Centered Principles Work Group of the

More information

SCDLMCB3 Lead and manage the provision of care services that deals effectively with transitions and significant life events

SCDLMCB3 Lead and manage the provision of care services that deals effectively with transitions and significant life events Lead and manage the provision of care services that deals effectively with transitions and significant life events Overview This standard identifies the requirements associated with leading and managing

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

Cloud Computing: A Comparison Between Educational Technology Experts' and Information Professionals' Perspectives

Cloud Computing: A Comparison Between Educational Technology Experts' and Information Professionals' Perspectives Noa Aharony 1 Cloud Computing: A Comparison Between Educational Technology Experts' and Information Professionals' Perspectives Noa Aharony Department of Information Science, Bar-Ilan University [email protected]

More information

CHANGE MANAGEMENT PRINCIPLES AND PRACTICES IN ORGANISATION

CHANGE MANAGEMENT PRINCIPLES AND PRACTICES IN ORGANISATION CHANGE MANAGEMENT PRINCIPLES AND PRACTICES IN ORGANISATION Dr. Mane Vijay Annaso Associate Professor in Commerce Mahatma Phule Mahavidyalaya Pimpri, Pune-17, India. [email protected] ABSTRACT:

More information

College of DuPage Information Technology. Information Security Plan

College of DuPage Information Technology. Information Security Plan College of DuPage Information Technology Information Security Plan April, 2015 TABLE OF CONTENTS Purpose... 3 Information Security Plan (ISP) Coordinator(s)... 4 Identify and assess risks to covered data

More information

How To Be A Responsible Corporate Citizen

How To Be A Responsible Corporate Citizen Page: 1 di 16 CODE OF ETHICS Previous version: n. 00 Issued and approved: Board of Directors of DSN Date: 29 Maggio 2008 Page: 2 di 16 INTRODUCTION d'amico Società di Navigazione S.p.A. (hereinafter the

More information

AT&T s Code of Business Conduct

AT&T s Code of Business Conduct August 2015 AT&T s Code of Business Conduct To All AT&T Employees Worldwide: The most basic commitment we make to our customers, our shareholders, and each other is to always conduct ourselves in an ethical

More information

on Psychological Ethics and National Security

on Psychological Ethics and National Security Report of the American Psychological Association Pr esidential Task F or ce on Psychological Ethics and National Security NOTE: In July 2013, APA s governing Council of Representatives adopted the Policy

More information

BRICE ROBERTS BUSINESS CONSULTING SERVICES

BRICE ROBERTS BUSINESS CONSULTING SERVICES BRICE ROBERTS BUSINESS CONSULTING SERVICES BROCHURE: TRAINING AND DEVELOPMENT PROGRAMMES RE-AWAKENING SPIRIT - TRANSFORMING RESULTS For Further Information: Contact: Brice Roberts Business Consulting Services

More information

Information Technology Security Review April 16, 2012

Information Technology Security Review April 16, 2012 Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

STANDARDS FOR SOCIAL WORK PRACTICE WITH GROUPS. Second Edition

STANDARDS FOR SOCIAL WORK PRACTICE WITH GROUPS. Second Edition STANDARDS FOR SOCIAL WORK PRACTICE WITH GROUPS Second Edition ASSOCIATION FOR THE ADVANCEMENT OF SOCIAL WORK WITH GROUPS, INC. An International Professional Organization (AASWG, Inc.) First edition Adopted

More information

Standards for the Professional Practice of Internal Auditing

Standards for the Professional Practice of Internal Auditing Standards for the Professional Practice of Internal Auditing THE INSTITUTE OF INTERNAL AUDITORS 247 Maitland Avenue Altamonte Springs, Florida 32701-4201 Copyright c 2001 by The Institute of Internal Auditors,

More information

EFFECTIVENESS OF DETECTIVE AND PREVENTATIVE INFORMATION SECURITY CONTROLS IN INFORMATION SYSTEMS ORGANIZATIONS

EFFECTIVENESS OF DETECTIVE AND PREVENTATIVE INFORMATION SECURITY CONTROLS IN INFORMATION SYSTEMS ORGANIZATIONS SENRA Academic Publishers, British Columbia Vol. 8, No. 3, pp. 3125-3129, October 2014 Online ISSN: 1920-3853; Print ISSN: 1715-9997 EFFECTIVENESS OF DETECTIVE AND PREVENTATIVE INFORMATION SECURITY CONTROLS

More information

GUIDELINES FOR FORENSIC LABORATORY MANAGEMENT PRACTICES INTRODUCTION

GUIDELINES FOR FORENSIC LABORATORY MANAGEMENT PRACTICES INTRODUCTION GUIDELINES FOR FORENSIC LABORATORY MANAGEMENT PRACTICES INTRODUCTION The American Society of Crime Laboratory Directors is a professional organization of managers and supervisors employed in forensic laboratories.

More information

Competencies for Early Childhood Professionals Area VIII: Teacher Qualifications and Professional Development

Competencies for Early Childhood Professionals Area VIII: Teacher Qualifications and Professional Development Competencies for Early Childhood Professionals Area VIII: Teacher Qualifications and Professional Development Rationale: Professional development in early childhood education contributes to continuous

More information

Assessment Plan Department of Psychology Park University. Preparing learners to think critically. Preparing learners to think

Assessment Plan Department of Psychology Park University. Preparing learners to think critically. Preparing learners to think Assessment Plan Department of Psychology Park University The approach adopted by the Department of Psychology stems from the mission of Park University to prepare learners to think, communicate effectively

More information

How To Protect Decd Information From Harm

How To Protect Decd Information From Harm Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the

More information

ACHIEVING COMPLIANCE THROUGH PEOPLE: TRAINING SUPERVISORS TO TACKLE PROCEDURAL NON-COMPLIANCE

ACHIEVING COMPLIANCE THROUGH PEOPLE: TRAINING SUPERVISORS TO TACKLE PROCEDURAL NON-COMPLIANCE ACHIEVING COMPLIANCE THROUGH PEOPLE: TRAINING SUPERVISORS TO TACKLE PROCEDURAL NON-COMPLIANCE Paul Leach 1, Jonathan Berman 1 and David Goodall 2 1 Greenstreet Berman Ltd, London, UK 2 National Grid, UK

More information

SCDLMCA2 Lead and manage change within care services

SCDLMCA2 Lead and manage change within care services Overview This standard identifies the requirements associated with leading and managing change within care services. It includes the implementation of a shared vision for the service provision and using

More information

Presentation. Introduction Basic Leadership Styles Other Leadership Styles Conclusion

Presentation. Introduction Basic Leadership Styles Other Leadership Styles Conclusion Leadership Styles Presentation Introduction Basic Leadership Styles Other Leadership Styles Conclusion Introduction A groom spent days in combing and rubbing down his horse, But stole oats and sold them

More information

CORPORATE CODE OF ETHICS. Codes of corporate ethics normally have features including:

CORPORATE CODE OF ETHICS. Codes of corporate ethics normally have features including: E. Professional values and ethics CORPORATE CODE OF ETHICS An ethical code typically contains a series of statements setting out the organization s values and explaining how it sees its responsibilities

More information

Dae-HyunJung 1, Lee-Sang Jung 2. {San 30, Jangjeon-dong, Geumjeonggu, Busan ; 179, Sinseonno, Namgu, Busan8} [email protected]

Dae-HyunJung 1, Lee-Sang Jung 2. {San 30, Jangjeon-dong, Geumjeonggu, Busan ; 179, Sinseonno, Namgu, Busan8} lsjung@tu.ac.kr , pp.16-20 http://dx.doi.org/10.14257/astl.2013.34.05 The organization and individual characteristics of having an effect on the internet abuse action: The moderating variable research of the perceived

More information

CHALLENGES AND OPPORTUNITIES OF ORGANIZATIONAL BEHAVIOR

CHALLENGES AND OPPORTUNITIES OF ORGANIZATIONAL BEHAVIOR CHALLENGES AND OPPORTUNITIES OF ORGANIZATIONAL BEHAVIOR 1. The creation of Q global village 2. Workforce diversity 3. Improving quality and productivity 4. Improving People skills 5. Management control

More information

Ryanair Holdings PLC Code of Business Conduct & Ethics 2012

Ryanair Holdings PLC Code of Business Conduct & Ethics 2012 Ryanair Holdings PLC Code of Business Conduct & Ethics 2012 1 TABLE OF CONTENTS 1. INTRODUCTION 3 2. WORK ENVIRONMENT 3 2.1 Discrimination & Harassment 3 2.2 Privacy of Personal Information 3 2.3 Internet

More information

NHS Staff Management and Health Service Quality Results from the NHS Staff Survey and Related Data

NHS Staff Management and Health Service Quality Results from the NHS Staff Survey and Related Data 1 NHS Staff Management and Health Service Quality Results from the NHS Staff Survey and Related Data Michael West 1, Jeremy Dawson 2, Lul Admasachew 2 and Anna Topakas 2 1 Lancaster University Management

More information

Service NSW Code of Conduct

Service NSW Code of Conduct Service NSW Code of Conduct Contents CEO Message 2 Our DNA 3 We ensure our personal and professional conduct complies with this Code of Conduct 4 We manage conflict of interest responsibly 6 We respect

More information

OCC 98-3 OCC BULLETIN

OCC 98-3 OCC BULLETIN To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel

More information

(International / IFLA-) Code of Ethics for Librarians and other Information Workers. Draft (Dec. 6 2011)

(International / IFLA-) Code of Ethics for Librarians and other Information Workers. Draft (Dec. 6 2011) (International / IFLA-) Code of Ethics for Librarians and other Information Workers Draft (Dec. 6 2011) PREAMBLE This Code of Ethics and Professional Conduct is offered as a series of ethical propositions

More information

DRAFT BILL PROPOSITION

DRAFT BILL PROPOSITION DRAFT BILL PROPOSITION Establishes principles, guarantees, rights and obligations related to the use of the Internet in Brazil. THE NATIONAL CONGRESS decrees: CHAPTER I PRELIMINAR PROVISIONS Article 1.

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 14 Risk Mitigation Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 14 Risk Mitigation Objectives Explain how to control risk List the types of security policies Describe how awareness and training

More information

AUTOMATED PENETRATION TESTING PRODUCTS

AUTOMATED PENETRATION TESTING PRODUCTS AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI) EXECUTIVE SUMMARY This paper will help you justify the need for automated penetration testing software and demonstrate

More information

Research Topics in the National Cyber Security Research Agenda

Research Topics in the National Cyber Security Research Agenda Research Topics in the National Cyber Security Research Agenda Trust and Security for our Digital Life About this document: This document summarizes the research topics as identified in the National Cyber

More information

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer) I. Title A. Name: Information Systems Security Incident Response Policy B. Number: 20070103-secincidentresp C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

More information

CEOP Relationship Management Strategy

CEOP Relationship Management Strategy Making every child child matter matter... everywhere... everywhere CEOP Relationship Management Strategy Breaking down the barriers to understanding child sexual exploitation Child Exploitation and Online

More information

*Performance Expectations, Elements and Indicators

*Performance Expectations, Elements and Indicators C o m m o n C o r e o f L e a d i n g : Connecticut School Leadership Standards *Performance Expectations, Elements and Indicators *For further information, visit: http://www.sde.ct.gov/sde/cwp/view.asp?a=2641&q=333900

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

PEOPLE INVOLVEMENT AND THEIR COMPETENCE IN QUALITY MANAGEMENT SYSTEMS * Jarmila ŠALGOVIČOVÁ, Matej BÍLÝ

PEOPLE INVOLVEMENT AND THEIR COMPETENCE IN QUALITY MANAGEMENT SYSTEMS * Jarmila ŠALGOVIČOVÁ, Matej BÍLÝ PEOPLE INVOLVEMENT AND THEIR COMPETENCE IN QUALITY MANAGEMENT SYSTEMS * Jarmila ŠALGOVIČOVÁ, Matej BÍLÝ Authors: Workplace: Assoc. Prof. Jarmila Šalgovičová, PhD., Prof. Matej Bílý, DrSC.* Institute of

More information

Global Corporate IT Security Risks: 2013

Global Corporate IT Security Risks: 2013 Global Corporate IT Security Risks: 2013 May 2013 For Kaspersky Lab, the world s largest private developer of advanced security solutions for home users and corporate IT infrastructures, meeting the needs

More information

Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan

Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan Mental Health Resources, Inc. Mental Health Resources, Inc. Corporate Compliance Plan Corporate Compliance Plan Adopted: January 2, 2007 Revised by Board of Directors on September 4, 2007 Revised and Amended

More information

Professional Capability Framework - Senior Social Worker

Professional Capability Framework - Senior Social Worker Professional Capability Framework - Senior Social Worker Experienced Social Worker Professionalism Social workers are members of an internationally recognised profession, a title protected in UK law. Social

More information

Sample Behavioural Questions by Competency

Sample Behavioural Questions by Competency Competencies that support LEADING PEOPLE Change Leadership Please tell us about a time when you led a significant change in your organization and how you helped others to deal with the change. Tell me

More information

Forrestville Valley School District #221

Forrestville Valley School District #221 Forrestville Valley School District #221 Student Acknowledgment of Receipt of Administrative Procedures for Acceptable Use of the Electronic Network 2015-2016 All use of electronic networks shall be consistent

More information

Protecting betting integrity

Protecting betting integrity Protecting betting integrity October 2013 1 Introduction 1.1 The UK Gambling Commission (the Commission) was set up under the Gambling Act 2005 to regulate commercial gambling in Great Britain. We are

More information

The Transpersonal (Spiritual) Journey Towards Leadership Excellence Using 8ICOL

The Transpersonal (Spiritual) Journey Towards Leadership Excellence Using 8ICOL The Transpersonal (Spiritual) Journey Towards Leadership Excellence Using 8ICOL Travelling from Ego Based Leadership to Transpersonal Leadership where the focus is beyond the ego to the needs of ALL the

More information

APEC General Elements of Effective Voluntary Corporate Compliance Programs

APEC General Elements of Effective Voluntary Corporate Compliance Programs 2014/CSOM/041 Agenda Item: 3 APEC General Elements of Effective Voluntary Corporate Compliance Programs Purpose: Consideration Submitted by: United States Concluding Senior Officials Meeting Beijing, China

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

The ICN Code of Ethics for Nurses

The ICN Code of Ethics for Nurses The ICN Code of Ethics for Nurses All rights, including translation into other languages, reserved. No part of this publication may be reproduced in print, by photostatic means or in any other manner,

More information

Nursing s Social Policy Statement

Nursing s Social Policy Statement CHAPTER 1 Nursing s Social Policy Statement Catherine E. Neuman, MSN, RN, NEA-BC Overview Nursing is a part of the society from which it grew and continues to evolve. As a profession, nursing is valued

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

Social Media and Selection: Ingenuity or Slippery Slope?

Social Media and Selection: Ingenuity or Slippery Slope? Social Media and Selection: Ingenuity or Slippery Slope? Traditionally, applications capturing bio-data, personality or integrity measures, interviews and other assessment instruments have been utilized

More information

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy 1.0 BACKGROUND AND PURPOSE Information Technology ( IT ) includes a vast and growing array of computing, electronic and voice communications facilities and services. At the Colorado School of Mines ( Mines

More information

Kenya Revenue Authority (KRA) Chief Manager - Strategy, Planning and Policy

Kenya Revenue Authority (KRA) Chief Manager - Strategy, Planning and Policy Kenya Revenue Authority (KRA) Chief Manager - Strategy, Planning and Policy Job details Reference Number: KRA/HR01/14 Job Title: Chief Manager - Strategy, Planning and Policy Supervisor: Deputy Commissioner

More information

Effectiveness of positive psychology training in the increase of hardiness of female headed households

Effectiveness of positive psychology training in the increase of hardiness of female headed households Effectiveness of positive psychology training in the increase of hardiness of female headed households 1,2, Ghodsi Ahghar* 3 1.Department of counseling, Khozestan Science and Research Branch, Islamic Azad

More information

The Code. Professional standards of practice and behaviour for nurses and midwives

The Code. Professional standards of practice and behaviour for nurses and midwives The Code Professional standards of practice and behaviour for nurses and midwives Introduction The Code contains the professional standards that registered nurses and midwives must uphold. UK nurses and

More information

Federal Bureau of Investigation s Integrity and Compliance Program

Federal Bureau of Investigation s Integrity and Compliance Program Evaluation and Inspection Division Federal Bureau of Investigation s Integrity and Compliance Program November 2011 I-2012-001 EXECUTIVE DIGEST In June 2007, the Federal Bureau of Investigation (FBI) established

More information