Abstract:
Information security is one of the major challenges for organizations that critically depend on information systems to conduct their business. Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be a great resource in the fight against information security related risks. The general objective of the study was to investigate the factors that influence employee compliance with information security, and it was guided by the following specific objectives: to investigate whether employees' information security perceptions influence their compliance; to determine whether employees' information security awareness influences compliance; and to determine whether deterrence and preventive measures influence employee compliance with information security.
The research design adopted by this study was descriptive in nature. The dependent variable of the study was information security compliance, while the independent variables were employee perceptions, employee awareness, and deterrence and preventive measures with regard to information security compliance. The population consisted of 98 Independent Electoral and Boundaries Commission (IEBC) employees at the support level. A sample of 79 support level employees was selected to represent the total population. The sampling technique used was probability sampling, specifically proportionate stratified random sampling. Questionnaires were used as the primary data collection tool; they were pretested and then distributed to the selected sample. The data collected in this study was analyzed using descriptive statistics to provide simple summaries in the form of tables and figures. The data was analyzed using SPSS for Windows to generate tables and figures and to explore relationships between responses to different questions.
The findings regarding the first objective indicated that the employees strongly agreed that information security policies are important and add value to the organization, and also that the procedures are too much to follow. According to the findings, the employees also agreed that information security policies have a role and are relevant to their work, and that following information security policies would have a positive effect on their work performance. Further findings showed that respondents strongly agreed that information security is used by top management to produce the intended security behaviour and to ensure compliance. Regarding the second research question, the employees strongly agreed that they have full knowledge of the consequences of noncompliance with the IS policy of the organization, that they are aware of the regulations prescribed by the IS policy of the organization, and that they know the liabilities prescribed in the IS policy to improve the IS of the organization. Further findings indicated that employees disagreed that they are aware of the cost of potential information security problems and threats, and that they had received formal training on information security threats. Findings concerning the last research question showed that employees strongly agreed that they do not engage in information security violations because the consequences are potentially bigger than the rewards, and also agreed that they do not engage in information security violations because the risk of punishment is high and the penalties for violations are severe. Findings also indicated that employees agreed that an information security breach can lead to suspension from duties and also that an information security breach can lead to dismissal from employment.
The conclusions drawn are that employees are likely to comply with information security if their perceptions of information security policies are positive, and thus organizations should link information security to their objectives so that employees perceive information security to be important and relevant to their work. The perception that information security policies are an authority imposed by top management can also be a root of a potential adversarial relationship between management and other organizational groups. Compliant behaviour is enhanced when employees are aware of and understand what their roles in the policies are; therefore, security managers need to ensure that there is a connection between what employees know and what they need to be told: employees should not only be told what to do but also made aware of why they should do it. Deterrent and preventive measures ensure compliance because they make employees avoid unwarranted security behaviours, as they find them infeasible.
The recommendations made to further improve information security compliant behaviour are that the organization should wholly integrate information security procedures into a value-adding routine, so that employees do not feel that the information security procedures are too much to follow. The study also recommends that the organization should make employees aware of the implications that may arise from any information security problem and give formal training on information security threats, so that this awareness can lead employees to comply with information security. Lastly, the organization should make more use of preventive measures to deter potential information security abusers or violators, because these act as a first line of defense, unlike deterrence measures, which are more of a secondary measure that organizations use to elicit information security compliance from their employees.