Posted on 2025-05-10, 12:49; authored by Xiao Hong Joanne Chai
Abstract: Cloud computing, with its ubiquitous, flexible and on-demand consumption model, has been growing at an exponential rate and represents a major investment for organizations whose business models require constant transformation. However, cloud computing introduces security challenges at all levels, from data to applications, hosts and networks, and organizations are increasingly vulnerable to cyber-attacks and data breaches from outside the organization as well as to insiders’ intentional or unintentional misbehaviour that does not comply with the organization’s security policies. Insider security threats are the most dangerous because insiders are the trusted and privileged users of the organization and the problems they cause are the most difficult to detect. Investigating the factors that affect employees’ behaviour in protecting their organization’s valuable assets, namely its information, is thus very important in an organization’s defence against harmful non-compliant insider behaviour. Existing literature, however, generally focuses on technical and operational protections and provides little account of human misbehaviour. This study aims to address this gap by investigating the factors that influence employees’ protection intention and behaviour in their organizations. This study adopts an integrated theoretical model from Siponen, Mahmood, & Pahnila (2014) that is grounded in Protection Motivation Theory (Rogers, 1983) and the Theory of Planned Behaviour (Ajzen & Fishbein, 1980; Ajzen, 1991), but expands it to the full nomology of both theories to enhance the rigor of the research. The theoretical model is then empirically tested with 256 employees from various industries involved in cloud computing in Hong Kong. The research model is found to explain a significant proportion of the variance of Intention to Comply with Cloud/Information Security Policies (52 percent) and Actual Compliance Behaviour (61 percent).
The findings suggest that employees’ compliance intention and perceived ease of compliance are the most significant influencers of compliance behaviour. When employees have the right compliance attitude, are positively motivated by their management and peers, have faith in their organizations’ and their own ability to protect their organizations and find the compliance costs tolerable, their intention to comply with their organizations’ cloud/information security policies increases significantly. The results show that employees’ perception of the security threats has a moderate effect on compliance intention, but their perception of vulnerability to security breaches and of the rewards of non-compliance has no impact on their intention to comply with cloud/information security policies. This study reveals a general lack of awareness of cloud/information security threats and the consequences of non-compliance. The results call for continuous Security Education, Training and Awareness (SETA) on cloud/information security policies and awareness programs to be in place to augment employees’ understanding of the cyber security threat, especially as a result of the open concept of cloud computing, and their organizations’ ability to respond to these threats; to increase employees’ skills and confidence level to defend their organizations (and themselves) from security threats; to promote the right attitude towards conforming to organizations; and to create peer pressure from senior management and co-workers towards compliance behaviour. This study enriches the understanding of the motivational factors underlying information security policy compliance behaviour and will be useful for academia and industry practitioners involved in encouraging cloud/information security policy compliance behaviour.
References:
Ajzen, I. (1991). The theory of planned behavior. Organizational behavior and human decision processes, 50(2), 179-211.
Ajzen, I., & Fishbein, M. (1980). Understanding Attitudes and Predicting Social Behavior. Englewood Cliffs, N.J.: Prentice Hall.
Rogers, R. W. (1983). Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation. New York: Guilford Press.
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224.