Eric Amankwa

Information security policy (ISP) noncompliance continue to impede information security in organizations. This paper consolidates the strength of previous studies into an effective single solution. The paper, first, synthesizes the existing literature and groups relevant ISP compliance factors into user involvement, personality types, security awareness and training, behavioral factors, and information security culture. Secondly, a generic framework that guides the development of frameworks for ISP compliance in organizations was developed based on the literature review. The generic framework categorized elements required for developing an ISP compliance framework into structure, content and outcome elements. Thirdly, the generic framework was applied to develop a composite ISP compliance framework that proposes the establishment of ISP compliance as a culture in organizations. Finally, the results of the expert review assessment showed that the proposed composite ISP framework was ...

Information security policy (ISP) noncompliance is a growing problem that accounts for a significant number of security breaches in organizations. Existing strategies for changing employees' behavior intentions towards compliance have not been effective. It is therefore imperative to identify other effective strategies to address the problem. This article investigates the effect accountability constructs on employees' attitudes and behavior intentions towards establishing ISP compliance as a culture. In addition, the authors validate a testable research model for predicting employees' compliance behavior intentions in a field survey involving 313 employees from selected Ghanaian companies. The overall effect showed that measures of accountability significantly influenced employees' attitudes and behavior intentions to ISP compliance while the establishment of ISP compliance culture largely depended on the existence of a conducive information security culture and posi...

The use of models has been one of the prevalent approaches to enhancing information security education and awareness in existing literature. Models provide step by step problem solving opportunities and are thus essential in security education and awareness activities. This paper categorized models for enhancing security education and awareness based on their stakeholder domains into: End-Users, Institutions and Industry domains. Analysis of literature on information security education and awareness indicates that approaches for enhancing end-users' security knowledge do exist, as do models for promoting organizational security knowledge in the industry domain. However, only one model was found to exist for enhancing security knowledge of employees in the institutions domain. This paper therefore describes a gap identified in the existing information security education and awareness models and presents the required relevant characteristics for developing information security education and awareness models for bridging the gap (in the institutions domain). The paper also evaluates and compares characteristics of existing models in order to identify the most relevant characteristics for a new model and makes a presentation to that effect. This was done through a review of existing literature on information security education and awareness models and a comparative analysis of models identified in the three domains.

The importance of information security education, information security training, and information security awareness in organisations cannot be overemphasised. This paper presents working definitions for information security education, information security training and information security awareness. An investigation to determine if any differences exist between information security education, information security training and information security awareness was conducted. This was done to help institutions understand when they need to train or educate employees and when to introduce information security awareness programmes. A conceptual analysis based on the existing literature was used for proposing working definitions, which can be used as a reference point for future information security researchers. Three important attributes (namely focus, purpose and method) were identified as the distinguishing characteristics of information security education, information security training and information security awareness. It was found that these information security concepts are different in terms of their focus, purpose and methods of delivery.

The rapidly evolving security threats and risks in tertiary institutions must be met with a knowledgeable security workforce. Those on the front lines must demonstrate working knowledge of information security core skills and workplace competencies. However, analysis of existing literature revealed that employees within tertiary institutions lack the requisite knowledge on how to ensure information confidentiality and integrity. A major reason accounting for the lack of knowledge on the part of employees in tertiary institutions is the lack of effective models to guide the design and development of information security education and awareness campaigns. In recognition of this deficiency, this paper proposed a model for enhancing information security knowledge among employees of tertiary institutions. The proposed information security education and awareness model provides a practical map of the skills and knowledge that is needed to emphasize and enhance information security among employees. The model shall be used by information security trainers to develop effective information security education and awareness campaigns. Adopting the model provides immediate and long-term Information security benefits for Tertiary Institutions as well as the educational sector as a whole.