The risk of users’ negative behaviours influence on information security compliance policy in organizations

Abstract

The focus of information security has traditionally been on technological issues, and organizations have long been using technological controls to protect information assets. In spite of all these efforts there is still a significant level of non-compliance to information security compliance by employees in organizations. Information security also comes in non-technical forms that the technical controls cannot fully address without the cooperation of employees. This study investigates the factors influencing end-user resistance to information security compliance in organizations. The study reviews the related literature to understand why and how end-user resistance develops. The paper adopted the qualitative research methodology which enabled the researcher to investigate end-users’ attitudes towards information security compliance in the organization; using a single case study. The study results indicate that end-user resistance is mainly a result of lack of training and awareness of information security policies in the organization. The study contributed to our understanding of end-user resistance of information security in organizations. It also contributed to the emerging body of knowledge on behavioural issues of information security in organizations