Using Galois lattice to represent and analyze information security policy compliance

Abstract

Employees' noncompliance with the information security policy results in a large number of information security incidents in organizations. The information security managers need to understand and manage the noncompliance behaviors of employees. The representation and pattern of the information security noncompliance or compliance will help managers to gain insights on, and to counter effectively the threats originated from the employees. This study proposes a Compliance Galois Lattice Diagram (CGLD) for visually representing and analyzing the employees' compliance patterns. Six compliance patterns, namely, compliance outlier, compliance core and peripheral, compliance subgroup, compliance partition, multiple compliance containment and compliance equivalence, have been obtained from the CGLD. A comparative analysis of these patterns and the structural features identified from the network generated by the UCINET software reveals that fairly good consistency has been reached between them.