
Information & Computer Security

Establishing information security policy compliance culture in organizations


Eric Amankwa, Marianne Loock, Elmarie Kritzinger,
Article information:
To cite this document:
Eric Amankwa, Marianne Loock, Elmarie Kritzinger, "Establishing information security policy compliance culture in
organizations", Information & Computer Security, https://doi.org/10.1108/ICS-09-2017-0063
Permanent link to this document:
https://doi.org/10.1108/ICS-09-2017-0063
Downloaded on: 23 September 2018, At: 08:49 (PT)
References: this document contains references to 0 other documents.
To copy this document: permissions@emeraldinsight.com
The fulltext of this document has been downloaded 3 times since 2018*
Access to this document was granted through an Emerald subscription provided by emerald-srm:380143 []
Downloaded by University of Sunderland At 08:49 23 September 2018 (PT)



Establishing information security policy compliance culture in organizations

Abstract:

Purpose

This research aimed to establish that employees’ non-compliance with Information Security
Policy (ISP) could be addressed by nurturing information security policy compliance culture
through the promotion of factors such as supportive organizational culture, end-users
involvement and compliance leadership to influence employees’ attitudes and behaviour
intentions towards ISP in organizations. Secondly, to develop a testable research model that
might be useful for future researchers in predicting employees’ behavioural intentions.

Design/methodology/approach

In view of the study’s aim, a research model to show how three key constructs can influence
the attitudes and behaviours of employees towards the establishment of Security Policy
Compliance Culture (ISPCC) was developed and validated in an empirical field survey.

Findings

The study found that factors such as supportive organizational culture and end-user
involvement significantly influenced employees’ attitudes towards compliance with ISP.
However, leadership showed the weakest influence on attitudes towards compliance. The
overall results showed that employees’ attitudes and behavioural intentions toward ISP
compliance together influenced the establishment of ISPCC for ISP compliance in
organizations.

Practical Implications

Organizations should influence employees’ attitudes towards compliance with ISP by
providing effective ISP leadership, encouraging end user involvement during the draft and
update of ISP, and nurturing a culture that is conducive for ISP compliance.

Originality/value

The study provides some insights on how to effectively address the problem of
non-compliance with ISP in organizations through the establishment of Information Security
Policy Compliance Culture, which has not been considered in any past research.

Keywords: Information Security Policy, Compliance Leadership, Organizational Culture, Model, User Involvement

1. Introduction

Information security breaches in organizations continue to be on the ascendancy (McCormac et
al. 2017) despite the huge investment in technical solutions, and this is due to the lack of
attention paid to the behaviour of employees in organizations (Ifinedo, 2012). Crossler et al.
(2013) suggest strengthening of employees’ security behaviour intentions in line with
security policies as an approach for dealing with the prevailing security breaches in
organizations. Security policy according to SANS (2014) is defined as "a document that
outlines specific requirements or rules that must be met, in the information/network security
realm, policies are usually point-specific, covering a single area". Alotaibi, et al. (2016)
explained that organisations should establish a set of information security policies, and
distribute same amongst all employees. Additionally, all personnel in organisations should be
able to understand the information security policies of their employers as a way of ensuring
information security.

However, existing anecdotal evidence from various studies has revealed that despite the
existence of security policies to protect information assets, employees often do not comply
with such documents (Vance et al., 2012; Ponemon Institute, 2016). Arguably, the human
factor is still the weakest link and greatest source of vulnerability in the information security
chain, causing significant increase in the number of security breaches. Information security
awareness is an area that is often associated with information security policy compliance and
a large number of studies are regularly conducted in an effort to address the human factor in
information security. To address the human factor, previous studies have been focused on
raising, monitoring and managing employees’ levels of security awareness (Alnatheer, 2014;
Da Veiga, & Martins, 2015; Parson et al. 2014). The need to enhance employees’ awareness
in line with security policy is therefore imperative for a security policy compliance culture in
organizations. Conversely, Da Veiga (2016) empirically investigated the influence of
information security policy on information security culture by comparing the culture of two
groups of employees. The overall information security culture was found to have improved
significantly over time in those organizations where employees read the information security
policy. In another study, Alhogail (2015) proposed a framework for developing an effective
information security culture that incorporates preparedness, responsibility, management,
society and regulations. Similarly, Sherif et al. (2015) proposed five variables that could
influence information security culture, namely, information security behaviour, top
management support, security education and awareness, information security policy and
acceptance. These factors are however not solely capable of propelling employees’ security
behaviour intentions towards compliance with ISP for the establishment of information
security policy compliance culture (ISPCC) in organizations. Therefore, other important
factors such as security policy compliance leadership, organizational culture and user
involvement need to be considered and investigated. The potential of these factors in the
establishment of ISPCC in organizations needs to be investigated. An ISPCC is defined as the
extent to which every employee follows information security rules and procedures in their
daily activities and demonstrates attitudes, behaviour intentions, assumptions, beliefs and
values that contribute to the protection of information.

This research aims to establish that employees’ non-compliance with ISP can be addressed by
nurturing information security policy compliance culture through the promotion of supportive
organizational culture, end-users involvement and compliance leadership in organizations.
Secondly, to develop a testable research model that might be useful for future researchers in
predicting employees’ behaviour intentions. The research has the significance of improving
employees’ attitudes and behaviour intentions in line with information security policy
compliance.

The remainder of the paper is structured as follows. First, background on the two main
theories from which the constructs are derived is provided. This is followed by a description of
the study’s main concepts and hypothesis formulation based on the theories discussed
earlier in the paper. Next, the research methodology and the results and discussion of the field
survey conducted in the study are presented. The implications and conclusions of the research
study are discussed, followed by the recommendations.

2. Theoretical Background

With technology permeating every facet of businesses today, issues of security cannot be
ignored by any organisation. This research presents the establishment of Information Security
Policy Compliance Culture (ISPCC) as an effective approach to address the problem of
non-compliance with ISP in organizations. Concepts in the involvement theory and theory of
organizational behaviour were applied to develop a research model that shows how security
compliance leadership of security managers, end-users involvement in the development of
security policy and supportive organizational culture can serve to nurture a holistic ISPCC for
ISP compliance in organizations. This research presents a novel contribution since no prior
research has investigated these constructs with regards to the establishment of ISPCC in
organisations. Thus, findings from this research can serve as a starting point for future
information security researchers.

The next section explains the theories from which the constructs investigated in this study
have been derived.

2.1. Involvement theory

Involvement theory (Astin, 1999) discusses the amount of physical and psychological energy
that a person devotes to a particular task. Involvement theory was introduced by Astin (1999)
to understudy factors in the college environment that affected students’ persistence in college
and has since been widely adopted by previous researchers in psychological and management
research. Previous researchers have examined the role of involvement features related to
information security policy compliance including security knowledge sharing, collaboration,
intervention and experience (Safa et al. 2016; Kearney and Kruger, 2016). Astin (1999)
described quantitative and qualitative features of Involvement theory. In his description, the
number of ISP seminars and workshops in which the employees participated and the amount
of time they spent participating in the activities defines quantitative features (i.e. physical
energy) whereas positional leadership role experience defines qualitative features (i.e.
psychological energy). Research has found that employees who served on committees
responsible for drafting and implementing security policies showed positive behaviour
intentions compared to those who did not serve. This study investigates whether end-users
involvement (both quantitative and qualitative) with ISP can influence their attitudes towards
compliance.

2.2. Organizational Behaviour Theory


Organizational behaviour theory is the study of human conduct within an
organizational setting. This implies that organizational behaviour asks
why people behave the way they do in workplaces. McGregor
(1960) explained that leaders make assumptions about their workers and these assumptions
control the beliefs they hold toward their staff. In a similar fashion, Schein (2004) clarified
that culture characterizes leadership. However, as the organization runs into
complex difficulties, and as its environment changes to the point where some of its assumptions are no
longer valid, leadership becomes an integral factor yet again.

Leadership and organizational culture are applied in the context of information security to
investigate whether security policy compliance leadership of security managers and
organizational culture can have any influence on employees’ attitudes towards compliance
with security policies.

3. Conceptual Framework and Hypotheses Formulation


3.1. Supportive Organizational Culture

Schein (2004) defines Organizational Culture as a pattern of shared presumptions that groups
learn as they tackle issues of external adaptation and internal integration, which has
functioned well enough to be viewed as legitimate and therefore, to be taught to new
individuals as the right way to see, think, and feel in connection to those issues. Similarly,
Deshpande and Webster (1989) defined organizational culture as an arrangement of shared
suppositions and comprehensions about organization working. Organizational culture has
information security culture as a subset; therefore the foundation of information security
culture is reliant on the current organizational culture (Alhogail and Mirza, 2014). In
accordance with this, information security practices should become a part of the
organizational culture so as to accomplish a safe environment for information resources.
Organizational culture shapes the dispositions and practices of employees by recommending
what the organization and its employees should, can and can't do with regards to information
resources (Thompson et al. 2006). The connection between organizational culture and
information security culture has been established in existing literature (Ashenden, 2009;
Chang and Lin, 2007; Lim et al. 2009; Ruighaver et al.2007) and in all cases organizational
culture is found to have significant effect on information security culture. Nonetheless, the
connection between organizational culture and information security policy compliance is yet
to be established. To achieve compliance with information
security policies, unsafe security practices by employees must be limited. This can be
accomplished if information security practices become an internal part of the culture that
exists in an organization (Korovessis, 2015). Organizational culture determines what
behaviour is adequate in an organization. When this behaviour is learned and comprehended
by all employees they create convictions and assumptions that are shared among them and
turn into the standards on how their jobs should be performed. That is, satisfactory behaviour,
such as, compliance with security policies should be reflected at the espoused values of the
organization's culture, which will be internalized to become part of their shared tacit
assumptions (Korovessis, 2015). Da Veiga (2016) clarified that organizational culture is one
of the components that influence information security policy compliance in organizations.
This position is likewise articulated in the extant literature. For instance, Knapp et al. (2009)
opined that the effective implementation of information security policy is affected by the
current organizational culture, as it influences the perceptions employees have about
information security. On the premise of this discussion, we hypothesize that:

H1. Supportive organizational culture has a significant effect on employees’ attitude
towards information security policy compliance.

3.2. Information Security Policy Compliance Leadership


Leadership refers to the use of non-coercive influence to direct and coordinate the
activities of group members toward goal accomplishment (McLean and Smits, 2003). Based on
how leaders motivate followers, leadership can be grouped into two classifications:
transformational leadership and transactional leadership (Pawar and Eastman, 1997).
Transactional leaders are responsive to the needs of others, who follow
them in return for the satisfaction of these needs (Jung and Avolio, 1999; Waldman et al.
2001). By contrast, transformational leaders are individuals who, by the force of
their own abilities, are capable of having significant and extraordinary effects on followers. In
the information security context, information security managers may be transformational or
transactional leaders seeking to secure sensitive and critical information assets to protect the
business, customers, employees, and investors from imminent security threats. To achieve
information security, business stakeholders, especially employees, are expected to comply
with information security policies on a daily basis. However, since followers (employees)
always look up to their leaders (security managers) for direction, their beliefs, attitudes and
behaviour intentions toward ISP compliance may be highly dependent on what leaders
portray. Based on the aforementioned explanations, we postulate that:

H2. Security policy compliance leadership of security managers has a significant effect on
employees’ attitude towards compliance with security policies.

3.3. End-Users Involvement with Security Policy Development


Involvement is defined in this study as the extent to which end users participate in the process
of drafting or updating security policies. It is not enough to have security policies in place;
organizations will have to take steps to ensure that drafted security policies are accepted
and complied with by end users. Previous studies have explained that involvement influences
attitude and can manifest in different forms (Safa et al. 2016). When users are involved in the
process of security policy development, they tend to feel that they are part of the
‘law-makers’ and will do everything possible to comply and also encourage compliance behaviour
intentions among each other. The concept of user involvement has been largely investigated
in software development and ERP implementations. Bano and Zowghi (2013) argued that, for
successful implementation, all team members should participate in the development process, the content
of specification documents should be based on real user requirements, and users must be
involved throughout the development process. In addition, the lack of user involvement is
one of the reasons for most project failures. In a literature survey, Bano and Zowghi (2013)
found that user involvement positively contributes to system success. User involvement
increases employees’ levels of commitment which may significantly affect their attitudes
towards information security policy compliance (Safa et al. 2016). In view of this, the
following hypothesis is proposed:

H3. End-User involvement in the development of information security policy has a
significant effect on attitude towards compliance with security policies.

Attitudes can be infectious and can influence the behaviour intentions of those around them.
Organizations should therefore recognize that it is possible to influence an
employee's attitude and, thus, his or her behaviour intentions. A positive work environment
with good leadership style, supportive organizational culture, and user involvement in
security decisions can all help reinforce specific security behaviour intentions.

In the field of information security, previous studies have established that employees’ attitude
towards information security compliance leads to actual compliance with the policies
(Siponen et al., 2014). In addition, Ifinedo’s (2014) research concluded that attitude towards
compliance has the greatest effect on information security policy compliance. We therefore
postulate that:

H4. Employees’ attitude towards security policy compliance has a positive effect on
information security policy compliance behavioural intention.

In line with Schein’s (2004) definition of organizational culture, Da Veiga and Eloff (2010)
defined information security culture as “the attitudes, assumptions, beliefs, values and
knowledge that employees use to interact with the organisation's systems and procedures at
any point in time. This interaction results in acceptable or unacceptable behaviour evident in
artefacts and creations that become part of the culture in the organisation to protect its
information assets.” We therefore propose two final hypotheses of the study:

H5. Employees’ attitude towards security policy compliance has a positive effect on the
establishment of information security policy compliance culture.

H6. Behavioural intention of employee has a significant effect on the establishment of
information security policy compliance culture.

[Figure: path diagram titled "Information Security Policy Compliance Culture (ISPCC) constructs". Supportive Organizational Culture (H1), ISP Compliance Leadership (H2) and User Involvement (H3) lead to Attitude towards security policy compliance. Attitude leads to Security Policy compliance Behavioural intention (H4) and to Security Policy compliance Culture (H5). Behavioural intention leads to Security Policy compliance Culture (H6).]

Fig 1: Research Model

Following the preceding discussions (conceptual framework) and hypotheses formulation, a
research model is presented in Fig 1. It can be seen from the model in Fig 1 that, the research
stems from three main constructs which are used to investigate employees’ attitudes towards
information security policy. Based on their attitudes further deductions are made about their
behavioural intentions towards compliance with information security policies. These
behavioural intentions of employees together with their attitudes also lead to the creation of
compliance culture that becomes part of the way things are done in the organisations.

4. Research Methodology
4.1. Data Collection Procedures

In view of the study’s aim, the research model (in Fig 1), developed as part of this study to
show how these constructs can influence the attitudes and behaviour intentions of employees
toward the establishment of security policy compliance culture, was validated using a field
survey. A survey is considered suitable for this research since factors such as attitudes and
behaviour intentions are not verifiable by means other than self-reporting (Podsakoff and
Organ, 1986).

A total of five hundred (500) questionnaires were distributed to employees of Ghanaian
companies from banking, insurance, education, hospitality, IT/Telecoms, the essential
services (medical, water, and electricity) and other sectors. Only organizations that have an
information security policy explicitly defined in a formal document or implicitly defined in
other policy documents were considered for selection.

The study utilized two main approaches during the collection of data. First, hard copies of the
questionnaires were physically given to participants to complete within seven (7) days. A
total of 115 questionnaires were returned from the 180 questionnaires administered in the
manual process. Second, the electronic copy of the questionnaire was hosted over our
University mail system for a period of two months (i.e. March 1 - April 30). A link to the
questionnaire was emailed to participants who had agreed to take part in the survey. The
online system yielded a total of 320 responses. However, eleven questionnaires were rejected
due to incomplete and inconsistent responses.

4.2. Operationalization of the Constructs

A total of 25 questions on a five-point Likert scale ranging from strongly disagree (1) to
strongly agree (5) were developed based on the variables under study (end-user involvement,
leadership, supportive organizational culture, employees’ attitudes and ISP compliance
culture). Specifically, 19 questions were developed from the study’s main variables and 6
other questions captured demographic information of respondents. Some items (questions)
were adopted from previously validated studies (Ifinedo, 2012; Herath and Rao, 2009; Da
Veiga and Martins, 2015; Safa et al. 2016). Table 1 provides an extract of the questions used
in the study’s instrument.

Insert Table 1 here


From Table 1 above, questions for end user involvement, ISP compliance leadership and
supportive organizational culture were developed and tested purposely to measure their
effects on employees’ attitudes and behaviour intentions towards the establishment of
information security policy compliance. The measures for attitude towards compliance
(ATC), ISP compliance behavioural intentions (ISP_BI) and information security policy
compliance culture (ISPCC) were adapted from previously tested research studies of Ifinedo
(2012), Herath and Rao (2009), Da Veiga and Martins, (2015), Safa et al. (2016).

To ensure that all participants understood and interpreted the questions in similar fashion
without any ambiguity, the questionnaire was pilot tested with 20 participants purposefully
selected from the researchers’ place of work. All 20 participants were able to complete the
questionnaire without a need for explanation of wording or clarification of ambiguity. Thus,
participants understood and interpreted the questionnaire in the same manner. The final version
of the questionnaire was then printed.

The study considered 424 questionnaire responses for data analysis after deleting all
incomplete and inconsistent responses. Demographic information of the survey’s participants
is presented in Table 2.

Insert Table 2 here

4.3. Statistical Data Analysis

Structural Equation Modeling (SEM) is acknowledged as a suitable approach for this kind of
research (Hair et al., 2011). SEM is a second-generation multivariate data analysis method
that is used in research to test theoretically supported linear and additive causal models
(Wong, 2013). There are two sub models in a structural equation model; the inner model
specifies the relationships between the independent and dependent latent variables, whereas
the outer model specifies the relationships between the latent variables and their observed
indicators (see Fig. 1). Approaches to SEM include Covariance-Based SEM (CB-SEM) and
Partial Least Squares (PLS) which focuses on the analysis of variance and can be carried out
using PLS-Graph, VisualPLS, SmartPLS, and WarpPLS. Therefore PLS-SEM was employed
as the approach for data analysis in this study due to its suitability for validating predictive
models with smaller samples (Chin et al. 2003). This study employed SmartPLS version 3.2.6
developed by Ringle et al. (2015) as the tool for data analysis.
From the research model in Fig 1, the three derived constructs (that is, end-user involvement,
ISP compliance leadership and supportive organisational culture) are the latent variables of
the model and can be measured by several items. Latent variables are variables that are not
directly observed but are rather inferred from other variables that are observed. These latent
variables can, however, be modelled by using a measurement model and a structural model,
which are the two main models of the PLS-SEM approach (Ifinedo, 2012). These models are
discussed in relation to data analysis in this research.

4.3.1. The Measurement Model

The measurement model, also called the outer model, represents the relationships between the
observed data and latent variables (unobservable variables). The outer measurement model is
essential for assessing reliability and validity levels of a study’s constructs.

To ensure the reliability of measurement models, Hair et al. (2011) suggest that indicator
loadings should be 0.7 or higher. However, for internal consistency reliability, Hair et al.
(2011) and Wong (2013) recommend that composite reliability for each construct in the study
should be equal to or above the 0.7 level. Moreover, to assess the validity of measurement
models, the use of convergent and discriminant validity is largely recommended in PLS-SEM
(Hair et al. 2011; Wong, 2013). For convergent validity, the Average Variance
Extracted (AVE) value of 0.50 is recommended as acceptable (Henseler et al. 2015) and it
indicates that a latent variable is able to explain more than half of the variance of its
indicators on average. However, with discriminant validity, Henseler et al. (2015)
recommend that the AVE of each latent variable should be higher than the construct’s highest
squared correlation with any other latent construct (the Fornell–Larcker, 1981, criterion) and an
indicator’s loadings should be higher than all of its cross loadings (Hair et al. 2011).
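
The checks in this section can be carried through on numbers. The following Python sketch is an added example, not code from the paper or from SmartPLS: it drops indicators below 0.7, computes AVE and composite reliability from standardized loadings (using the standard formulas, which the paper does not spell out), and applies the Fornell–Larcker criterion. All loadings, correlations and indicator names other than ATC_3 and ISPCC_3 are constructed sample values.

```python
"""Outer (measurement) model checks described in section 4.3.1.

Every loading and correlation below is a constructed sample value,
not a result from the study.
"""
from math import sqrt

LOADING_MIN = 0.7  # indicator loading threshold (Hair et al. 2011)
CR_MIN = 0.7       # composite reliability threshold
AVE_MIN = 0.5      # convergent validity threshold

# Constructed standardized loadings. ATC_3 and ISPCC_3 are named on the
# page as dropped indicators; the values and the other names are made up.
SAMPLE_LOADINGS = {
    "ATC": {"ATC_1": 0.85, "ATC_2": 0.88, "ATC_3": 0.55},
    "ISP_BI": {"ISP_BI_1": 0.90, "ISP_BI_2": 0.89},
    "ISPCC": {"ISPCC_1": 0.80, "ISPCC_2": 0.78, "ISPCC_3": 0.62},
}

# Constructed correlations between the latent variables.
SAMPLE_CORR = {
    ("ATC", "ISP_BI"): 0.80,
    ("ATC", "ISPCC"): 0.70,
    ("ISP_BI", "ISPCC"): 0.82,
}


def drop_weak_indicators(loadings, threshold=LOADING_MIN):
    """Split indicators into those kept and the names of those dropped."""
    kept = {k: v for k, v in loadings.items() if v >= threshold}
    dropped = sorted(k for k in loadings if k not in kept)
    return kept, dropped


def ave(loadings):
    """Average Variance Extracted: mean of the squared loadings."""
    values = list(loadings.values())
    return sum(v * v for v in values) / len(values)


def composite_reliability(loadings):
    """(sum of loadings)^2 / ((sum of loadings)^2 + sum of error variances)."""
    values = list(loadings.values())
    total = sum(values) ** 2
    error = sum(1 - v * v for v in values)
    return total / (total + error)


def fornell_larcker_violations(aves, correlations):
    """Pairs whose correlation is not below the smaller sqrt(AVE).

    Comparing |r| with sqrt(AVE) is the same test as comparing the
    squared correlation with AVE.
    """
    violations = []
    for (a, b), r in sorted(correlations.items()):
        if abs(r) >= min(sqrt(aves[a]), sqrt(aves[b])):
            violations.append((a, b, r))
    return violations


def assess(model, correlations):
    """Run all outer-model checks and return one report dictionary."""
    constructs = {}
    for name, loadings in model.items():
        kept, dropped = drop_weak_indicators(loadings)
        if not kept:
            raise ValueError(f"{name}: no indicator reaches {LOADING_MIN}")
        construct_ave = ave(kept)
        cr = composite_reliability(kept)
        constructs[name] = {
            "dropped": dropped,
            "ave": construct_ave,
            "composite_reliability": cr,
            "convergent_ok": construct_ave >= AVE_MIN,
            "reliable": cr >= CR_MIN,
        }
    aves = {name: c["ave"] for name, c in constructs.items()}
    return {
        "constructs": constructs,
        "violations": fornell_larcker_violations(aves, correlations),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_LOADINGS, SAMPLE_CORR)
    for name, c in report["constructs"].items():
        print(f"{name}: dropped={c['dropped']} AVE={c['ave']:.3f} "
              f"CR={c['composite_reliability']:.3f}")
    for a, b, r in report["violations"]:
        print(f"Fornell-Larcker violated: {a} vs {b} (r={r})")
```

In this constructed data every construct passes the reliability and AVE thresholds, yet ISP_BI and ISPCC fail the Fornell–Larcker test, which is why discriminant validity has to be checked separately from convergent validity.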

4.3.2. The Structural Model

The structural model, also called the inner model, presents the relationships among the latent
variables. Latent variables in a structural model are divided into exogenous and endogenous.
Exogenous latent variables are variables with no predecessors in the structural model and all
others are endogenous. In this study, three exogenous and three endogenous latent variables
are presented in the research model in Fig 2. The structural model is essential for evaluating
the path coefficients (β) and the squared R (R²), which present information about the path significance of
hypothesized relationships; the strength of each relationship is specified by the value of its path
coefficient. To this end, Hair et al. (2011) explained that the primary evaluation criteria for the
structural model (inner model) are the squared R (R²) measures and the level and significance of the
path coefficients. According to Hair et al. (2015), the squared R (R²) values of 0.75, 0.50, or 0.25
for endogenous latent variables in the structural model can be described as substantial,
moderate, or weak, respectively.

5. Results and Discussion


5.1. Evaluation of the Measurement Model

In line with the validation guidelines from Hair et al. (2011) for measurement models, this
study made use of convergent validity, discriminant validity (Sarstedt et al., 2014; Henseler et
al. 2015), and reliability. These properties are the main indicators for examining the
psychometric properties and building blocks for validating a model (Ifinedo, 2012, Hair et al.
2017).

The reliabilities (indicator and composite reliability) for the study’s constructs presented in
Table 3 were significantly adequate.

Insert Table 3 here

From Table 3, indicator loadings below the 0.7 threshold were dropped in line with Hair et al.’s
(2011) recommendation. The construct, attitude towards compliance with ISP, had its
indicator three (ATC_3) dropped because it had a loading below 0.7. Other constructs such as
ISP compliance culture, user involvement, supportive organizational culture and compliance
leadership had indicators ISPCC_3, USINV_4, SOC_3 and leader_4 respectively dropped.
Moreover, the indicator reliability and composite reliability values are all above the
recommended 0.7 threshold, implying that the survey tool is appropriate for measuring each
construct individually.

In addition, the study’s AVE for each latent variable is also adequate as shown in Table 4.
This implies the establishment of convergent validity. Table 4 presents figures for the
establishment of discriminant validity using the Fornell–Larcker (1981) criterion.

Insert Table 4 Here

From Table 4, the AVE for the construct ISP Compliance Behavioural Intention is found to
be 0.800; hence its square root becomes 0.894. This number is larger than the correlation
values in the column on which the construct appears and also larger than those in the row.
Similar observations can be made for the other constructs presented in Table 4; hence
discriminant validity using the Fornell–Larcker (1981) criterion is established. Additionally, the
average variances extracted (AVEs) for the constructs are all above the recommended 0.5
threshold to establish convergent validity (Henseler et al. 2015). The AVE values from Table
4 ranged from 0.542 to 0.831, and in no case was any correlation between the constructs
greater than the square root of AVE. Therefore the overall results showed that the study’s
constructs were psychometrically adequate for this study.
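The Fornell–Larcker and AVE checks described above can be run mechanically over the figures in Table 4. The following Python sketch is an added example, not part of the original paper; the numbers are transcribed from Table 4, and the function names and the 0.001 rounding tolerance are assumptions of this example.

```python
import math

# Transcribed from Table 4 of this paper: AVE per construct and the lower
# triangle of the inter-construct correlation matrix (diagonal left out).
CONSTRUCTS = [
    "Attitude Towards Compliance with ISP",
    "ISP Compliance Behavioural Intention",
    "ISP compliance Culture",
    "ISP Compliance Leadership",
    "Supportive Organizational Culture",
    "End User Involvement",
]
AVE = [0.831, 0.800, 0.769, 0.542, 0.677, 0.596]
LOWER_TRIANGLE = [
    [],
    [0.804],
    [0.841, 0.761],
    [0.625, 0.609, 0.611],
    [0.649, 0.624, 0.811, 0.715],
    [0.758, 0.735, 0.716, 0.725, 0.771],
]
# Diagonal of Table 4 (square roots of AVE as printed in the paper).
REPORTED_SQRT_AVE = [0.911, 0.894, 0.877, 0.736, 0.823, 0.772]

AVE_THRESHOLD = 0.5  # convergent-validity cut-off cited in the text


def correlation(i, j):
    """Correlation between constructs i and j (i != j) from the lower triangle."""
    row, col = max(i, j), min(i, j)
    return LOWER_TRIANGLE[row][col]


def fornell_larcker_report():
    """Compare sqrt(AVE) of each construct with its largest correlation
    to any other construct (row and column of the matrix together)."""
    report = []
    n = len(CONSTRUCTS)
    for i in range(n):
        root = math.sqrt(AVE[i])
        worst_j = max((j for j in range(n) if j != i),
                      key=lambda j: abs(correlation(i, j)))
        worst_r = abs(correlation(i, worst_j))
        report.append({
            "construct": CONSTRUCTS[i],
            "sqrt_ave": root,
            "max_corr": worst_r,
            "max_corr_with": CONSTRUCTS[worst_j],
            "margin": root - worst_r,            # > 0 means the criterion holds
            "discriminant_ok": root > worst_r,
            "convergent_ok": AVE[i] > AVE_THRESHOLD,
        })
    return report


def tightest(report):
    """Construct whose sqrt(AVE) exceeds its largest correlation by the least."""
    return min(report, key=lambda row: row["margin"])


if __name__ == "__main__":
    for row in fornell_larcker_report():
        print(f'{row["construct"]:<40} sqrt(AVE)={row["sqrt_ave"]:.3f} '
              f'max r={row["max_corr"]:.3f} margin={row["margin"]:.3f} '
              f'ok={row["discriminant_ok"] and row["convergent_ok"]}')
```

Besides the pass/fail result per construct, the report gives the margin by which each square root of AVE exceeds the largest correlation, which the criterion alone does not show.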

5.2. Evaluation of the Structural Model

The structural model was evaluated based on the evaluation criteria of Hair et al. (2011) for
structural models (inner model). This study utilized the values of the path coefficients (β) and
the squared R (R2), because the structural model uses them to present information about the
path significance of the hypothesized relationships, and the strength of each relationship is
specified by the value of its path coefficient.

Results from the structural model evaluation are presented in Table 5 and Fig 2. From the
analysis of data in Fig 2, the squared R values are 0.548, 0.646 and 0.727 for the endogenous
latent variables; that is for attitude towards security policy compliance, security policy
compliance behavioural intentions and security policy compliance culture respectively. This
means that the three endogenous latent variables significantly explain 54.8% of the variance
in attitude towards compliance with ISP. Also, attitude towards compliance with ISP
significantly explains 64.6% of the variance in security policy compliance behavioural
intentions, whereas security policy compliance behavioural intentions and attitude towards
compliance together significantly explain 72.7% of the variance in security policy
compliance culture. The coefficients of determination (R2) values for the endogenous latent
variables as presented in Fig 2 show the results of the structural model’s evaluation.

[Fig 2: path diagram. Supportive Organizational Culture (0.149), ISP Compliance Leadership (0.021) and User Involvement (0.626) lead to Attitude towards security policy compliance (R2=0.548); Attitude leads to Security Policy compliance Behavioural intention (0.804; R2=0.646) and to Security Policy compliance Culture (0.648; R2=0.727); Behavioural intention leads to Security Policy compliance Culture (0.240).]

Fig 2: Results of SmartPLS 3.2.6 Structural Equation Model Analysis

Table 5, on the other hand, shows the results of the two-tailed test with a significance level of
5%. This was computed to ascertain whether the path coefficients of the inner model are
significant or not. A path coefficient is significant if its T-Statistic is larger than 1.96 for a 5%
significance level (Hair et al. 2011; Wong, 2013). From Table 5, the T-Statistics for all
hypothesized paths are above the recommended 1.96 threshold except H2 (i.e. Leadership ->
ATT_Compliance), which has a T-value of 0.274. This is also visually presented in Fig 2 with
a path coefficient (β) value of 0.021. Therefore the outer model loadings are highly
significant.

Insert Table 5 Here

From Fig 2 and Table 5, the hypothesized path relationship between User Involvement and
Attitude towards compliance is statistically significant. The hypothesized path relationship
between Supportive Organization Culture and Attitude towards compliance is also
statistically significant. However, the hypothesized relationship between Leadership and
Attitude towards compliance is not statistically significant. This is because its standardized
path coefficient (0.021) is lower than 0.1 and its T-value is less than 1.96. In view of this
finding, we conclude that User Involvement is a strong predictor of attitude towards
compliance with ISP and supportive organizational culture is a weak predictor, but leadership
does not predict attitude towards compliance with ISP directly.
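The significance rule applied above (T larger than 1.96 at the 5% level, path coefficient at least 0.1) can be replayed over the rows of Table 5. This Python sketch is an added example, not part of the original paper; it assumes a normal approximation for the two-tailed p value and that each T value is the path coefficient divided by its standard error, from which a normal-theory 95% interval is derived. The function names are hypothetical.

```python
import math

# Transcribed from Table 5 of this paper: (path, beta, T value, reported P value).
PATHS = [
    ("ORG_Culture -> ATT_Compliance", 0.149, 2.321, 0.020),
    ("Leadership -> ATT_Compliance", 0.021, 0.274, 0.784),
    ("User_INV -> ATT_Compliance", 0.626, 8.472, 0.000),
    ("ATT_Compliance -> ISP Behavioral Intent", 0.804, 27.568, 0.000),
    ("ATT_Compliance -> ISPCC", 0.648, 5.675, 0.000),
    ("ISP Behavioral Intent -> ISPCC", 0.240, 2.085, 0.037),
]
T_CRITICAL = 1.96  # two-tailed test, 5% significance level (from the text)
MIN_BETA = 0.1     # path-coefficient floor used in the text for Leadership


def two_tailed_p(t):
    """P(|Z| > |t|) for a standard normal Z (assumption: normal approximation)."""
    return math.erfc(abs(t) / math.sqrt(2.0))


def evaluate(paths=PATHS):
    """Recompute p, the implied standard error and a 95% interval per path."""
    rows = []
    for name, beta, t, p_reported in paths:
        std_error = abs(beta) / abs(t)     # assumption: T = beta / standard error
        half_width = T_CRITICAL * std_error
        rows.append({
            "path": name,
            "beta": beta,
            "t": t,
            "p": two_tailed_p(t),
            "p_reported": p_reported,
            "std_error": std_error,
            "ci95": (beta - half_width, beta + half_width),
            "significant": abs(t) > T_CRITICAL,
            "below_min_beta": abs(beta) < MIN_BETA,
        })
    return rows


def not_supported(rows):
    """Paths that fail the T > 1.96 rule."""
    return [row["path"] for row in rows if not row["significant"]]


if __name__ == "__main__":
    for row in evaluate():
        low, high = row["ci95"]
        print(f'{row["path"]:<42} beta={row["beta"]:.3f} t={row["t"]:.3f} '
              f'p={row["p"]:.3f} CI95=[{low:.3f}, {high:.3f}] '
              f'significant={row["significant"]}')
```

The interval for a path contains zero exactly when its T value is below 1.96, which is the same decision seen from the coefficient's side.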

Additionally, the path coefficients indicate that attitude towards compliance has a strong effect
on behavioural intention (0.804) and also has a strong effect on ISP compliance culture
(0.648). From Fig 2 and Table 5, the hypothesized path relationships between attitude
towards compliance and behavioural intention and also between attitude towards compliance
and ISP compliance culture are statistically significant. It can also be concluded that attitude
towards compliance is a strong predictor of behavioural intention and ISP compliance culture
whereas behavioural intention weakly predicts ISP compliance culture.

5.3. Discussion

The aim of this study was to establish that employees’ non-compliance with ISP could be
addressed by nurturing information security policy compliance culture through the promotion
of supportive organizational culture, end-user involvement and compliance leadership in
organizations. To the best of our knowledge, this is one of the primary studies that investigate
the ISP compliance attitudes towards the establishment of ISP Compliance Culture (ISPCC)
in organizations based on factors such as end user involvement, supportive organizational
culture and leadership.

It was shown from the results of the data analysis that two out of the three constructs are
influential in building positive attitudes towards information security policy compliance
culture in organizations (ISPCC). Fig 2 provides the estimates of the path coefficients and a
summary of the results of hypotheses. As hypothesized from the theory of organizational
behaviour and the existing information security research literature, supportive organizational
culture could have a significant effect on employees’ attitudes towards compliance (H1) and
this is confirmed in the survey results shown in Fig 2 and Table 5. This finding is in line with
the results of the study by Parsons et al. (2015). This means that employees’ intention to
comply with ISP and attitude towards the establishment of ISPCC are significantly impacted
by the existence of a favourable information security culture within the organization. This
implies that improving the existing information security culture of the organization will have
a positive influence on the behaviour intentions of users, which in turn should also improve
compliance with ISP to nurture compliance culture. Employees are likely to comply with ISP
once they perceive it as a lifestyle which is part of the organization’s shared tacit assumptions,
values and beliefs within the organization. When employees’ attitudes towards ISP compliance
are improved and compliance culture is established, the risk to the organization’s information
assets and data is eventually mitigated (Parsons et al. 2015). This also implies that the
thoughts, beliefs, and behaviour intentions of employees with regard to information security
policy and procedures may be further improved via the organization’s information security
culture.

Contrary to this, the prediction that leadership (H2) has a significant effect on employees’
attitudes towards ISP compliance was not supported in this study. Even though there is a
positive effect as reported in Fig 2 and Table 4, the effect is not significant enough to support
the hypothesis. This could mean that some other factors must be at play and also that the
relationship might be more complex than a linear relationship. Further, the study’s results
showed that end users’ involvement (H3) in the process of developing information security
policy significantly influenced their attitudes towards ISP compliance. This corroborates the
findings in Alhogail and Mirza (2014) that users should be involved in the information
security decision making process to increase their sense of ownership. The finding is also in
line with the results of the study conducted by Bano and Zowghi (2013) who argued that
users should be involved in the information security decision making process through various
channels to increase their awareness and sense of ownership of the existing information
security policies. Involving users in the information security decision making process, such as
drafting of policies, spurs commitment (Alhogail and Mirza, 2014). As a result, a mechanism
for providing feedback on the existing information security policy is created, which
mitigates the problem of shadow security (Kirlappos et al. 2015). In addition, the results of
the statistical tests showed that employees’ attitude towards compliance with ISP (H4) had
significant influence on their behavioural intentions. This confirms the findings of previous
studies (Ifinedo, 2014; Safa et al., 2016). Finally, hypotheses H5 and H6 were also found to
have positive effects on ISP compliance culture. Overall, the independent latent variables
accounted for a significant proportion of the variance in ISP compliance culture (R2 = 0.727).

6. Implications, Conclusions and Recommendation


6.1. Implications for Practice
This research proposed the establishment of Information Security Policy Compliance Culture
as a novel approach to address employees’ non-compliance with ISP, by investigating the
effects of leadership, end user involvement and supportive organizational culture on attitudes.
First, we found that compliance leadership had no significant influence on employees’
attitudes towards compliance. This implies that the compliance intentions of subordinate
employees may not necessarily increase with the existence of compliance leadership in the
organization. Nonetheless, management could encourage compliance from peers by
identifying and tasking all leaders (managers or heads of departments) across the organization
to demonstrate ISP compliant behaviour intentions to motivate their peers. Employees have
been shown to display the tendency to act consistently with peer behaviour (Hwang et al.,
2017), therefore management should nurture a security culture that motivates the compliance
of peers.

Second, the results of the study showed that involving end users in the process of developing
ISPs could have significant influence on attitudes towards compliance. Therefore,
organizational management should provide a platform to solicit end users’ views on
existing security policies and during the drafting of new policies. Management could task all
unit heads or managers to discuss at workshops or seminars the rules and procedures for
safeguarding information assets with the aim of ensuring user involvement. Employees should
be encouraged to report challenges with the existing ISPs and suggest possible solutions to
circumvent the challenge while protecting information assets.

Third, the results of the study indicated that management could leverage existing
organizational culture to influence employees’ attitudes towards compliance with ISP.
Management should ensure that existing information security policy reflects the
organization’s vision and strategies of information security. Management could then promote
the ISP through awareness campaigns in the form of seminars, workshops and publication on
web portals. Management can then establish a system for monitoring compliance and
deviations from the approved rules and procedures, and this would shape employees’
behaviour intentions towards compliance with ISP. Over a period of time the majority of
employees will share the IS values, perceptions and policy principles as enshrined in the ISP
document, causing a compliance culture to emerge.

Further, employees’ attitudes towards compliance with ISP and behavioural intentions have
statistically shown positive influence on the establishment of information security policy
compliance culture in organizations. Given this result, management should introduce
awareness and training programs that emphasize the importance of compliance with ISP.
Also, management should clearly define employees’ roles and responsibilities in respect of
information security. Further, effective activity monitoring in respect of ISP compliance
should be put in place to ensure proper accountability of assigned roles and responsibilities.
Finally, management could appoint an individual responsible for compliance checking in the
organization. Implementing these recommendations will therefore nurture a culture where
employees illustrate attitudes, behaviour intentions, assumptions, beliefs and values that
are conducive for the protection of information assets in the organization.

Finally, in line with the proposed research model and results from the field survey, this study
suggests that management consider addressing the problem of employees’ non-compliance
with ISP by establishing Information Security Policy Compliance Culture (ISPCC) in
organizations. To do this, management should involve end-users during the development of
new and revision of existing ISP, encourage all in leadership positions to demonstrate
leadership support during ISP implementation and nurture a culture that is conducive for ISP
compliance in the organization. Management should also convince employees that complying
with ISP to protect information assets is one of the performance factors for promotions and
other rewards. Therefore opportunities should be provided for all employees to better
understand existing ISP and accompanying security practices and implications.

6.2. Conclusion and Recommendation

This research investigated the effects of factors such as supportive organizational culture,
end-users’ involvement in the process of security policy development and compliance
leadership on the establishment of ISPCC for ISP compliance in organizations. Factors such
as end user involvement and supportive organizational culture significantly influenced
employees’ attitudes towards compliance with ISP, whereas leadership showed the weakest
influence on attitudes towards compliance. The overall result showed that attitudes towards
compliance and ISP compliance behavioural intentions of employees together influenced the
establishment of ISPCC for actual compliance in organizations. This study also provided a
testable research model that future researchers could develop by investigating the effects of
other factors such as personality types, motivation and sanctions on employees’ attitudes
towards the establishment of ISPCC for actual compliance with ISP in organizations.

The results from the paper are, however, based on quantitative data collected from Ghanaian
companies that have information security policies either explicitly or implicitly defined.
Considering environmental differences, the same results may not be achieved in other
environments. It is therefore recommended that similar investigations are carried out in other
parts of the world by means of qualitative methods.

This study also recommends organizational variables for security enhancement, including end
user involvement, supportive organizational culture, positive attitude and behaviour
intentions towards ISP compliance and a culture of compliance as crucial components to
increase employees’ compliance with information security policies.

References

Alhogail, A., 2015. Design and Validation of Information Security Culture Framework.
Comput. Human Behav., 49(0), pp. 567-75.

Alhogail, A. & Mirza, A., 2014. A Framework of Information Security Culture Change.
Journal of Theoretical and Applied Information Technology, 64(2), pp.540–549.

Alnatheer, M.A., 2014. A conceptual model to understand information security culture, Int. J.
Soc. Sci. Hum. 4, pp. 104–107.

Alotaibi, M., Furnell, S. & Clarke, N., 2016. Information Security Policies: A Review of
Challenges and Influencing Factors. In The 11th International Conference for Internet
Technology and Secured Transactions (ICITST-2016) Information. IEEE, pp. 352–358.

Ashenden, D., 2009. Information Security Management: A Human Challenge? Info. Secur.
Tech. Rep., 13(4), pp. 195-201.

Bano, M. & Zowghi, D., 2013. User Involvement in Software Development and System
Success : A Systematic Literature Review. In proceedings of EASE ’13. Porto de
Galinhas, Brazil: ACM New York, USA, pp. 125–130.

Bulgurcu, B., Cavusoglu, H. & Benbasat, I., 2010. Information security policy compliance:
an empirical study of rationality-based beliefs and information security awareness. MIS
Quarterly, 34(3), pp. 523–48.

Chang, S. & Lin, C., 2007. Exploring organizational culture for information security
management. Ind. Manag. Data Syst., 107(3), pp. 438–458.

Chin, W., Marcolin, B. & Newsted, P., 2003. A partial least squares latent variable modeling
approach for measuring interaction effects: results from a Monte Carlo simulation study and
an electronic-mail emotion/adoption study. Information Systems Research, 14(2), pp.189–
217.

Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. & Baskerville, R., 2013.
Future directions for behavioural information security research. Computers &
Security, 32, pp. 90–101.

Da Veiga, A., 2016. Comparing the information security culture of employees who had read
the information security policy and those who had not: Illustrated through an empirical
study. Information & Computer Security, 24(2), pp.139–151.

Da Veiga, A. & Eloff, J., 2010. A framework and assessment instrument for information
security culture. Computers & Security, 29(2), pp. 196–207.

Da Veiga, A. & Martins, N., 2015. Information security culture and information protection
culture: A validated assessment instrument. Computer Law & Security Review.

Deshpande, R., and Webster, F.E. 1989. Organizational culture and marketing defining the
research agenda. Journal of Marketing (53:1), JAN, pp 3-15.

Fornell, C. & Larcker, D.F., 1981. Evaluating structural equations models with unobservable
variables and measurement error. Journal of Marketing Research, 8(1), pp. 39–50.

Hair, J. F., Ringle, C. M., & Sarstedt, M., 2011. PLS-SEM: Indeed a silver bullet. Journal of
Marketing Theory and Practice, 19(2), pp. 139–151.

Hair, J. F., Hult, G. T. M., Ringle, C. M., and Sarstedt, M. 2017. A Primer on Partial Least
Squares Structural Equation Modeling (PLS-SEM), 2nd. Ed., Sage: Thousand Oaks.

Henseler, J., Ringle, C. M., and Sarstedt, M. 2015. A New Criterion for Assessing
Discriminant Validity in Variance-based Structural Equation Modeling. Journal of the
Academy of Marketing Science, 43(1): 115-135

Hepler, J., 2015. A good thing isn’t always a good thing: dispositional attitudes predict non-
normative judgements. Pers. Individ. Dif., 75(0), pp.59-63.

Hirschi, T., 1969. Causes of delinquency. University of California Press.

Hwang, I., Kim, D., Kim, T. & Kim, S., 2017. Why not comply with information security?
An empirical approach for the causes of non-compliance. Online Information Review, 41(1),
pp. 2-18.

Ifinedo, P., 2012. Understanding information systems security policy compliance:
An integration of the theory of planned behaviour and the protection motivation theory.
Computers & Security, 31(1), pp.83–95.

Ifinedo, P., 2014. Information systems security policy compliance: An empirical study of the
effects of socialisation, influence, and cognition. Information and Management, 51(1),
pp. 69–79.

Jung, D.I. & Avolio, B.J., 1999. Effects of leadership style and followers' cultural orientation
on performance in group and individual task conditions. Academy of Management Journal
(42:2), Apr, pp 208-218.

Kearney, W.D. & Kruger, H.A., 2016. Theorising on risk homeostasis in the context of
information security behaviour. Information & Computer Security, 24(5), pp.496–513.

Kirlappos, I., Parkin, S. & Sasse, M.A., 2015. “Shadow Security” as a tool for the learning
organization. SIGCAS Computers & Society, 45(1), pp.29–37.

Knapp, K.J., Morris, R.F., Marshall, T.E. and Byrd, T.A. (2009), “Information security
policy: an organizational-level process model”, Computers & Security, Vol. 28 No. 2009, pp.
493-508.

Korovessis, P., 2015. Establishing an Information Security Awareness and Culture. PhD
Thesis, Plymouth University.

Lim, J.S., Maynard, S. & Ahmad, A., 2009. Exploring the Relationship between
Organizational Culture and Information Security Culture. In Proceedings of the
7th Australian Information Security Management Conference. Perth, Western Australia:
Edith Cowan University Research Online Australian, pp. 88–97.

McBride, M., Carter, L. and Warkentin, M., 2012. The role of situational factors and
personality on cybersecurity policy violation. Research Brief, Institute for Homeland
Security Solutions, pp.1–13.

Mccormac, A. et al., 2017. Individual differences and Information Security Awareness.
Computers in Human Behavior, 69, pp.151–156.

McGregor, D., 1966. Leadership and motivation. Cambridge, MA: M.I.T. Press.

McLean, E. R. & Smits, S. J., 2003. A role model of IS leadership. Americas Conference on
Information Systems, Tampa, FL.

Parsons, K.M. et al., 2014. Determining employee awareness using the Human Aspects of
Information Security Questionnaire (HAIS-Q). Computers & Security, 42, pp.165–176.
Available at: http://dx.doi.org/10.1016/j.cose.2013.12.003.

Parsons, K.M. et al., 2015. The Influence of Organizational Information Security Culture on
Information Security Decision Making. Journal of Cognitive Engineering and Decision
Making.

Pawar, B.S. & Eastman, K.K., 1997. The nature and implications of contextual influences on
transformational leadership: A conceptual examination. Academy of Management Review,
22(1), pp. 80-109.

Podsakoff, P. M. & Organ, D., 1986. Self-Reports in Organizational Research: Problems and
Prospects. Journal of Management, 12(4), pp. 531-544.

Ponemon Institute, 2016. 2016 State of End Point Security. The Ponemon Institute LLC.
Available at: https://cdn2.hubspot.net/hubfs/150964/2016_State_of_Endpoint_Report.pdf
[Accessed on 12/05/2016]

Ringle, C. M., Wende, S., and Becker, J.-M., 2015. SmartPLS 3. Boenningstedt: SmartPLS
GmbH, http://www.smartpls.com.

Ruighaver, A. B., Maynard, S. B., and Chang, S., 2007. Organisational security culture:
Extending the end-user perspective. Computer & Security, 26(1), pp. 56-62.

Safa, N.S., von Solms, R. & Futcher, L., 2016. Human Aspect of Information Security in
Organisations. Computer Fraud & Security, February, pp.15–18.

SANS, 2014. Information Security Policy Templates. [Online]. Available at:
http://www.sans.org/security-resources/policies/general. [Accessed on 17/06/2016]

Sarstedt, M., Ringle, C.M., Henseler, J. and Hair, J.F., 2014. On the emancipation of PLS-
SEM: a commentary on Rigdon (2012). Long Range Planning, Vol. 47 No. 3, pp. 154-160.

Schein, E. H., 2004. Organizational Culture and Leadership, 3rd Edition. San Francisco, CA,
Jossey-Bass.

Sherif, E., Furnell, S. and Clarke, N., 2015. An identification of variables influencing the
establishment of information security culture. The Human-Computer Interaction (HCI)
Conference – Human Aspects of Information Security, Privacy and Trust (HAS), LNCS
9190, pp. 436-448.

Siponen, M., Mahmood, M.A. & Pahnila, S., 2014. Employees’
adherence to information security policies: An exploratory field study. Information &
Management, 51(2), pp.217–224.

Thomson, K., Van Solms, R. & Louw, L., 2006. Cultivating an organisational information
security culture. Computer Fraud and Security, Vol. 2006 No. 10, pp. 7-11.

Vance, A., Siponen, M. & Pahnila S., 2012. Motivating IS security compliance: insights from
habit and protection motivation theory. Inform Manage, 49(3), pp. 190–8.

Waldman, D.A., Ramirez, G.G., House, R.J., and Puranam, P., 2001. Does leadership matter?
CEO leadership attributes and profitability under conditions of perceived environmental
uncertainty. Academy of Management Journal (44:1), Feb, pp 134-143.

Wong, K.K., 2013. Partial Least Squares Structural Equation Modeling (PLS-SEM)
Techniques Using SmartPLS. Marketing Bulletin, 24(1), pp.1–32.

TABLE 1: Extract of Survey Questions

| Constructs | Indicators | Survey Questions | Adapted From |
|---|---|---|---|
| End User Involvement (USINV) | USINV_1 | I am aware of the existing security policies because I have participated in a number of seminars and workshops that discussed the content of ISP documents | Developed for this study |
| | USINV_2 | I understand all aspects of the existing security policy document because I was part of the committee that drafted the policies | |
| | USINV_3 | I am likely to follow security policies when my concerns in respect of the existing security policies are addressed. | |
| | USINV_4 | I consider user involvement as an effective approach to encourage users to follow security policies. | |
| ISP Compliance Leadership (LEADER) | LEADER_1 | Security managers often emphasize the importance of compliance with security policies. | Developed for this study |
| | LEADER_2 | Information security policy is given a higher priority by security managers. | |
| | LEADER_3 | Organizational top management (including security managers) have always demonstrated compliance with information security policies. | |
| | LEADER_4 | Security awareness and training programs that emphasize the importance of compliance with security policies exist in the organization | |
| Supportive Organizational Culture (SOC) | SOC_1 | A mechanism for monitoring security policies exists in the organization. | Developed for this study |
| | SOC_2 | I believe it is necessary for the Organization to have an officer to monitor compliance with information security policy. | |
| | SOC_3 | Following security policy is a key part of my everyday duties and responsibilities. | |
| Attitude Towards Compliance with ISP (ATC) | ATC_1 | Following security policy is beneficial | Ifinedo (2012); Da Veiga and Martins (2015); Safa et al. (2016) |
| | ATC_2 | Following security policy is necessary | |
| | ATC_3 | Following security policy mitigates the risk of security breaches. | |
| ISP Compliance Behavioural Intention (ISP_BI) | ISP_BI_1 | I am certain I will adhere to security policy | Herath and Rao (2009); Safa et al. (2016) |
| | ISP_BI_2 | It is my belief that security policy should be complied with at all times. | |
| ISP compliance Culture (ISPCC) | ISPCC_1 | I believe the existing security policies is enough to protect my personal and organizational information systems. | Herath and Rao (2009); Da Veiga and Martins (2015); Safa et al. (2016) |
| | ISPCC_2 | I am prepared to follow security policies that protect organizational information systems | |
| | ISPCC_3 | It is my responsibility to protect organizational information and information systems in my custody. | |

Table 2: Respondents' Demographic Information

| Variables | Options | Frequency | Percentage |
|---|---|---|---|
| Gender | Male | 385 | 90.8 |
| | Female | 39 | 9.2 |
| Age Ranges | 20 -30 | 115 | 27.1 |
| | 31 -40 | 248 | 58.5 |
| | 41 -50 | 46 | 10.8 |
| | 51 and Above | 15 | 3.5 |
| Educational Background | Diploma | 52 | 12.3 |
| | Bachelor | 215 | 50.7 |
| | Master | 152 | 35.8 |
| | PhD | 5 | 1.2 |
| Position | Top Management Personnel | 94 | 22.2 |
| | Mid-Level Personnel | 140 | 33.0 |
| | Junior Staff | 190 | 44.8 |
| Organizational Sectors | Banking | 88 | 20.8 |
| | Insurance | 70 | 16.5 |
| | Education | 75 | 17.7 |
| | Hospitality | 25 | 5.9 |
| | IT/Telecoms | 80 | 18.9 |
| | Essential Services | 55 | 12.9 |
| | Others | 31 | 7.3 |
| Availability of formal ISP | Defined Explicitly | 250 | 58.9 |
| | Defined Implicitly | 164 | 38.7 |
| | I don’t know | 10 | 2.4 |
| TOTAL | | 424 | 100% |

Table 3: Results of Reliability Test of the Measurement Model

| CONSTRUCTS | Indicators | Loading | Mean | S.D. | Composite Reliability |
|---|---|---|---|---|---|
| Attitude Towards Compliance with ISP | ATC_1 | 0.912 | 4.521 | 0.549 | 0.907 |
| | ATC_2 | 0.910 | 4.550 | 0.556 | |
| | ATC_3 | Dropped | 4.963 | 0.570 | |
| ISP Compliance Behavioural Intention | ISP_BI_1 | 0.898 | 4.509 | 0.591 | 0.889 |
| | ISP_BI_2 | 0.891 | 4.547 | 0.512 | |
| ISP compliance Culture | ISPCC_1 | 0.821 | 4.401 | 0.566 | 0.869 |
| | ISPCC_2 | 0.929 | 4.397 | 0.671 | |
| | ISPCC_3 | Dropped | 4.646 | 0.525 | |
| End User Involvement | USINV_1 | 0.701 | 4.373 | 0.682 | 0.814 |
| | USINV_2 | 0.733 | 4.618 | 0.630 | |
| | USINV_3 | 0.872 | 4.561 | 0.515 | |
| | USINV_4 | Dropped | 4.421 | 0.693 | |
| Supportive Organizational Culture | SOC_1 | 0.835 | 4.540 | 0.552 | 0.807 |
| | SOC_2 | 0.774 | 4.524 | 0.697 | |
| | SOC_3 | Dropped | 3.962 | 1.134 | |
| ISP Compliance Leadership | LEADER_1 | 0.701 | 4.439 | 0.681 | 0.780 |
| | LEADER_2 | 0.810 | 4.427 | 0.672 | |
| | LEADER_3 | 0.731 | 4.394 | 0.672 | |
| | LEADER_4 | Dropped | 4.613 | 0.642 | |

Indicators with loadings less than 0.7 were dropped from the model
ISP: Information Security Policy
S.D.: Standard Deviation

Table 4: Results of Validity Analysis

| Constructs | AVE | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|---|
| Attitude Towards Compliance with ISP | 0.831 | 0.911 | | | | | |
| ISP Compliance Behavioural Intention | 0.800 | 0.804 | 0.894 | | | | |
| ISP compliance Culture | 0.769 | 0.841 | 0.761 | 0.877 | | | |
| ISP Compliance Leadership | 0.542 | 0.625 | 0.609 | 0.611 | 0.736 | | |
| Supportive Organizational Culture | 0.677 | 0.649 | 0.624 | 0.811 | 0.715 | 0.823 | |
| End User Involvement | 0.596 | 0.758 | 0.735 | 0.716 | 0.725 | 0.771 | 0.772 |

Table 5: Results of Hypotheses Tests

| Number | Hypothesized Path | β | T-Values | P Values | Results |
|---|---|---|---|---|---|
| | ORG_Culture -> ATT_Compliance | 0.149 | 2.321 | 0.020 | |
| | Leadership -> ATT_Compliance | 0.021 | 0.274 | 0.784 | |
| | User_INV -> ATT_Compliance | 0.626 | 8.472 | 0.000 | |
| | ATT_Compliance -> ISP Behavioral Intent | 0.804 | 27.568 | 0.000 | |
| | ATT_Compliance -> ISPCC | 0.648 | 5.675 | 0.000 | |
| | ISP Behavioral Intent -> ISPCC | 0.240 | 2.085 | 0.037 | |

ORG_Culture: Supportive Organization Culture
ATT_Compliance: Attitude towards compliance with ISP
User_INV: End User Involvement
ISP Behavioral Intent: Information Security Policy Compliance Behavioural Intention
Leadership: Information Security Policy Compliance Leadership
ISPCC: Information Security Policy Compliance Culture