Towards analysing the rationale of information security non-compliance: Devising a Value-Based Compliance analysis method

2017 | Journal of Strategic Information Systems | Citations: 0

Authors: Kolkowska, Ella; Karlsson, Fredrik; Hedström, Karin

Abstract: Employees’ poor compliance with information security policies is a perennial pro ... Expand

Abstract: Employees’ poor compliance with information security policies is a perennial problem. Current information security analysis methods do not allow information security managers to capture the rationalities behind employees’ compliance and non-compliance. To address this shortcoming, this design science research paper suggests: (a) a Value-Based Compliance analysis method and (b) a set of design principles for methods that analyse different rationalities for information security. Our empirical demonstration shows that the method supports a systematic analysis of why employees comply/do not comply with policies. Thus we provide managers with a tool to make them more knowledgeable about employees’ information security behaviours. Collapse

Topics: data security healthcare data electronic health record implicit knowledge information security practice

Methods: qualitative interview design principle literature study design process personal interview

Theories: value-based compliance theory social action theory