Determinants of early conformance with information security policies


  • File type: Book
  • Language: English
  • Publisher: Elsevier
  • Edition and year / country: 2018

Details

Related fields: Computer Engineering
Related specializations: Information Security
Journal: Information & Management
University: Pamplin College of Business – Virginia Tech – Campus Drive – United States

Published in an Elsevier journal
English keywords: information security; early conformance behavior; perceived security threat; passwords; mandatory security policies; information security awareness

Description

INTRODUCTION

At present, one of the most valuable assets of an organization is its information. In fact, organizations place a major focus on maintaining the security and accuracy of their information systems (IS) because cyber-related security threats continue to increase in both number and magnitude (Berger 2011-2012). Access controls constitute a particularly important area of concern for organizations (Cluley 2013) as “insecure remote access software/policies and weak passwords tied as the vulnerability most exploited by criminals in 2014” (Trustwave 2015). Although security controls specific to the prevention of unauthorized access are continually evolving, individuals asked to accept and implement new policy changes are not always compliant. In fact, many individuals procrastinate or resist such changes, and as a result of their late conformance or nonconformance, they are often seen as the weakest link in security (Anderson and Agarwal 2010; Guo et al. 2011). According to Willison and Warkentin (2013), most information security (InfoSec) research focuses on noncompliant behaviors. Nonconformant users (i.e., those who procrastinate or, in the most severe cases, intentionally resist the change) pose serious threats to their organizations. In contrast, individuals who choose to conform with new policies early present several benefits for organizations. For example, early conformers are less costly to support than late or nonconformers who create last minute rushes to security changes that may crash the system, overload the help desk, or cause hotline traffic jams. In fact, much can be learned by focusing on individuals who are not only compliant with but also conform to policy requirements early in the process. By studying what motivates these individuals to conform early, new insights can be obtained that are currently missing from our understanding of individuals’ perceptions and behaviors related to security policies.
To avoid both voluntary and involuntary nonconformant behavior, some institutions use technological means to enforce some or part of their information security policies. Unfortunately for these institutions, reactions to mandatory and technology-enforced security policy changes are varied. They range from immediate acceptance and compliance from early conformers to costly resistance and complete nonconformance (Brown et al. 2002). In certain cases, mandating enforcement of coercive security policy changes (e.g., forced password changes, required password strength, and automatic security updates) may act as a precipitating event or catalyst for negative attitudes and undesired behaviors (Nurse et al. 2014). This can be detrimental and costly to an organization if all users procrastinate and delay their compliance until or after the deadline. For example, if the entire population of users waits until the last minute, the organization needs to increase information technology (IT) support personnel to handle the increased volume of calls. Failure to handle all cases may prevent users from the timely performance of some operational tasks, even leading to the incapacity of users to perform all work tasks. This could trigger a chain reaction of subsequent curative administrative tasks at high organizational costs. Conversely, early conformance by users to newly implemented security policies can better protect organizations and reduce unnecessary costs. The faster the users adopt the mandated and eventually technology-enforced policy change, the more likely issues related to its implementation are identified and dispersed over time. This allows the IT team to handle the change without any temporary surge in resources and with less impact on the organization’s overall operations.