Please use this identifier to cite or link to this item: https://etd.cput.ac.za/handle/20.500.11838/4080
Title: An analysis of cyber-security policy compliance in organisations
Authors: Okigui, Hugues Hermann 
Issue Date: 2023
Publisher: Cape Peninsula University of Technology
Abstract: In the contemporary digital landscape, cyber-attacks and incidents have placed cyber-security at the forefront of priorities in organizations. As organizations face cyber risks, it becomes imperative to implement and comply with various cyber-security policies. However, due to factors such as policy complexity and resistance from employees, compliance can be a challenging task. The study investigated the variables that affect an organization's adherence to cyber-security policies. A case study design was chosen as part of a qualitative approach to answer the research question. For data gathering, semi-structured interviews were performed, and existing documents were also considered when available to supplement interviews. The gathered data was meticulously organized, coded, and analyzed using the Actor-Network Theory perspective, with a focus on its four moments of translation: problematization, interessement, enrolment, and mobilization. The analysis revealed that insider threats and phishing attempts are the two cyber threats that affect organizations; that behavioral challenges and enforcement limitations are factors that influence and contribute to non-compliance with cyber-security policy; and that phishing exercises and the policy development process are used to enforce cyber-security policies. The study concludes that both insider threats, involving staff or internal end-users, and phishing attempts perpetrated by external individuals pose significant risks to organizations. Despite awareness initiatives, behavioral challenges persist among internal end-users, which complicates adherence to available security measures. One-size-fits-all cyber-security policies are sometimes inadequate due to the diversity in business sectors, necessitating a tailored solution. Periodic phishing exercises serve to evaluate the readiness of internal end-users or staff and to identify areas for improvement.
Ultimately, for effectiveness, the cyber-security policy development process should follow a collaborative and inclusive approach in which organization stakeholders participate.
Description: Thesis (MTech (Information Technology))--Cape Peninsula University of Technology, 2023
URI: https://etd.cput.ac.za/handle/20.500.11838/4080
Appears in Collections: Information Technology - Master's Degree

Files in This Item:
File: Okigui_Hugues_210051124.pdf; Size: 860.41 kB; Format: Adobe PDF

Items in Digital Knowledge are protected by copyright, with all rights reserved, unless otherwise indicated.