A Composite Framework to Promote Information Security Policy Compliance in Organizations

Abstract

Information security policy (ISP) noncompliance continue to impede information security in organizations. This paper consolidates the strength of previous studies into an effective single solution. The paper, first, synthesizes the existing literature and groups relevant ISP compliance factors into user involvement, personality types, security awareness and training, behavioral factors, and information security culture. Secondly, a generic framework that guides the development of frameworks for ISP compliance in organizations was developed based on the literature review. The generic framework categorized elements required for developing an ISP compliance framework into structure, content and outcome elements. Thirdly, the generic framework was applied to develop a composite ISP compliance framework that proposes the establishment of ISP compliance as a culture in organizations. Finally, the results of the expert review assessment showed that the proposed composite ISP framework was suitable, structurally sound and fit for purpose.