OTIENO, ERICK OCHIENG

Project Title
THE IMPACT OF ORGANIZATIONAL CULTURE ON INFORMATION SECURITY COMPLIANCE CULTURE: A CASE OF KENYAN UNIVERSITIES
Degree Name
DOCTOR OF PHILOSOPHY DEGREE IN INFORMATION SYSTEMS
Project Summary

Insider threats to information security are an increasing challenge for information security managers. One of the biggest challenges is not a lack of strong and robust policies, but ensuring the fullest possible rate of compliance with those policies. This is compounded by the threats posed by insiders who have unfettered access to information systems assets. It is no surprise, then, that despite heavy investment in information security infrastructure, institutions still face high rates of information security breaches. Numerous studies have been conducted to provide insights and models on information security mitigations. However, very few studies have considered the policy compliance culture phenomenon, and among those that have adopted a mixed-methodology approach, none of the scholarly studies have used grounded theory methods. The overall objective was to establish the relationship between organizational culture and information security compliance culture. The specific objectives of the study were to: 1) explore the relationship that exists between organizational culture and the actual information security compliance culture in universities in Kenya; 2) explain that relationship through theory generation; and 3) validate the theoretical model that predicts information security compliance culture.

The study employed an exploratory sequential mixed-method research design, following QUAL-Quan principles. The population of the study was the universities in Kenya. The study was divided into two phases: the model development phase and the model validation phase. The model development phase was designed to achieve two objectives: exploring the factors that impact information security compliance culture, and explaining the relationships between the emerging factors and information security compliance culture through theory generation. The model validation phase was designed to test and validate the emergent theory through a semi-structured questionnaire. The model development phase adopted a grounded theory methodology, while the model validation phase adopted a survey questionnaire approach.

The resulting theory was analysed and discussed in terms of model development and model validation. In the model development phase, several themes emerged which, upon consolidation, were grouped into 4 main thematic groupings: demographic-oriented themes, organizational-oriented themes, individual-oriented themes, and information security compliance culture-oriented themes. The organizational-oriented themes were further sub-grouped into organizational-level factors and moderating factors. The same was done for the individual-oriented themes to generate the individual-level factors and the factors moderating them. The study then generated a theoretical model that explained the relationship between organizational initiatives, independent behavioral trends, management support, individual demographic interventions, and external organizational interventions and information security compliance culture (ISCC). The model validation phase produced findings that supported the emergent theoretical model, with factor loadings that significantly supported the model among the other parameters that were tested.

The main contribution of the study is the theoretical model, highlighted in terms of the model developed in phase one and the validated theoretical model. The model is adaptable by future researchers interested in information security compliance studies. The study also makes a methodological contribution, discussed in terms of the efficiency of the procedures it adopted. Further, the application of mixed methods as adopted in this study will provide insights for future information systems researchers deciding how to conduct behavior-related studies. In terms of practice, the emergent theoretical model will be beneficial to practitioners in formulating checklists geared towards strengthening information security compliance regimes within their policy directions. This study is important because it provides a theoretical direction and methodological directions for future exploration of information security-related studies.

Keywords: Insider Threats, Information Security, Compliance Culture, Mixed Methods, Grounded Theory