Information security policy compliance behaviour model for Malaysian federal public sector agencies

Abstract

Organizations leverage information security policies (ISP) to prevent information security incidents, but employees often fail to comply with them. as such, the Malaysian public sector has a comprehensive ISP in the form of circulars, policies, procedures, frameworks, and strategic plans. however, ISP compliance among Malaysian public sector employees remains low, with limited studies found in extant research. hence, this research aims to develop and validate a new model of factors that influence ISP compliance behaviour among Malaysian federal public sector agency employees. the research started with the identification of problems through conducting interviews with the relevant agencies and knowledge gaps by reviewing existing isp literature. then, a systematic literature review (SLR) was performed and analysed to identify the influencing factors of ISP compliance behaviour. a conceptual model was developed using factors from the theory of planned behaviour, social bond theory, protection motivation theory, and several other factors from literatures. next, the survey instrument items were developed, their content validated by nine experts, and a pilot test was conducted with 30 respondents. subsequently, data collection was conducted through email among 27 federal agency employees in Putrajaya and Kuala Lumpur, Malaysia. as a result, 360 valid responses were analysed to validate the conceptual model using ‘partial least square-structured equation modelling’ analysis. the model validation revealed that ‘attitude’, ‘perceived behavioural control’, ‘perceived response efficacy’, ‘perceived punishment severity’, ‘attachment’, ‘commitment’, ‘belief’, and ‘perceived benefit’ have positive effects on ISP compliance intention with p-value < 0.05. however, five factors, namely ‘subjective norm’, ‘threat severity’, ‘threat vulnerability’, ‘awareness training’ and ‘involvement’ were found to be non-significant towards ISP compliance intention with p-value > 0.05. these research findings were used to develop ISP compliance guidelines for the Malaysian public sector. the ISP compliance guidelines were reviewed by three ISP practitioners. overall, this research contributes theoretically, contextually, and practically towards ISP compliance, especially in the context of the Malaysian federal public sector agencies.