Information security governance: differences in perceptions of policymakers and employees

Naik, Amit Annasaheb (2019) Information security governance: differences in perceptions of policymakers and employees. Doctoral thesis, Northumbria University.

Text (Doctoral Thesis)
naik.amit_phd_14037258.pdf - Submitted Version

Download (5MB) | Preview


There is a magnitude of technical controls which do more than half the job of securing the organisation. The rest falls on the employees. Employees are considered the weakest link in the security chain of the organisation this is primarily because they are the easiest to compromise. This could be due to external motivators, such as become a victim of social engineering or personal emotional motivators, such a disgruntled employee. It is most often the case that an employee gets blamed for a security breach. Security researchers fight from both employees and managements side and blame each other for being the problem. It is necessary to address this gap between policymakers and employees. And this study attempts to do that.

Two studies were conducted. The 1st study was a qualitative semi structured interview. From which I created a conceptual model. This model was used in preparing the 2nd study, which was a quantitative survey. The data from the survey was then used to create Structural equation model using SPSS and AMOS.

Differences in their perceptions of policymakers and employees and postulated relationship of these differences (constructs) with constructs of Protection Motivation Theory. Which we then confirmed using Structural equation model.

Key finding was usability of a tailored policy was used as a moderator to see its effect on all the relationship constructs. Use of a tailored policy dampened the relationships Perception of information security (POIS) and Threat appraisal (TA), between POIS and Coping appraisal (CA), between POIS and Behavioural intent (BI), and POIS and Actual behaviour (AB). It also dampened the relationship between perception of organisational interventions (POOI) and BI. It strengthened the relationship between, POOI and TA, POOI and CA, POOI and AB. Use of a tailored policy dampened the relationship between, TA and BI, but strengthened between CA and BI, CA and AB and TA and AB.

This research addresses these differences between policymakers and employees, across different organisations with varying organisational security levels, viz. low, medium and high security organisations and posits that through a tailored security policy security compliance behaviour can be improved.

Item Type: Thesis (Doctoral)
Uncontrolled Keywords: policy making, protection motivation theory (PMT), tailored policy, security behaviour, organisation security interventions
Subjects: C800 Psychology
N100 Business studies
Department: Faculties > Health and Life Sciences > Psychology
University Services > Graduate School > Doctor of Philosophy
Depositing User: John Coen
Date Deposited: 11 Feb 2022 08:50
Last Modified: 16 Dec 2022 13:15

Actions (login required)

View Item View Item


Downloads per month over past year

View more statistics