Perception of employees concerning information security policy compliance : case studies of a European and South African university

Abstract

This study recognises that, regardless of information security policies, information about institutions continues to be leaked due to the lack of employee compliance. The problem is that information leakages have serious consequences for institutions, especially those that rely on information for its sustainability, functionality and competitiveness. As such, institutions ensure that information about their processes, activities and services are secured, which they do through enforcement and compliance of policies. The aim of this study is to explore the extent of non-compliance with information security policy in an institution. The study followed an interpretive, qualitative case study approach to understand the meaningful characteristics of the actual situations of security breaches in institutions. Qualitative data was collected from two universities, using semi-structured interviews, with 17 participants. Two departments were selected: Human Resources and the Administrative office. These two departments were selected based on the following criteria: they both play key roles within an institution, they maintain and improve the university’s policies, and both departments manage and keep confidential university information (Human Resources transects and keeps employees’ information, whilst the Administrative office manages students’ records). This study used structuration theory as a lens to view and interpret the data. The qualitative content analysis was used to analyse documentation, such as brochures and information obtained from the websites of the case study’s universities. The documentation was then further used to support the data from the interviews. The findings revealed some factors that influence non-compliance with regards to information security policy, such as a lack of leadership skills, favouritism, fraud, corruption, insufficiency of infrastructure, lack of security education and miscommunication. In the context of this study, these factors have severe consequences on an institution, such as the loss of the institution’s credibility or the institution’s closure. Recommendations for further study are also made available.