Cyber Information Security Compliance and Violation Behaviour in Organisations

March 6, 2023

The Malaysia Cyber Security Strategy 2012-2024 report states that Malaysia may face economic losses of up to RM51 billion due to cyber threats[1]. Because of the constantly increasing volume and sophistication of cyberattacks, cyber security is needed to help protect our data and systems from threats.

Acknowledging this, Dr. Walton Wider, a senior lecturer from the Faculty of Business and Communication (FBC) at INTI International University, conducted research in collaboration with fellow academics from Universiti Malaysia Pahang, Universiti Tenaga Nasional Malaysia, and Widad Universiti College (WUC), which revealed the prevalence of systematic implementation of cyber security and information security (CIS) policies in an organisation.

“As digital technology evolves, human elements continue to make cyber security vulnerable despite sophisticated cyber security systems and physical defences in an organisation. Further study is necessary, primarily from theoretical viewpoints, to better understand behavioural aspects that influence CIS policy,” said Dr. Walton Wider, who is also Head of Programme at the university.

The study, titled “Cyber-Information Security Compliance and Violation Behaviour in Organisations: A Systematic Review”, stated that three theories are widely used to comprehend compliance and violation behaviour of CIS in the organisation. The theories that are crucial in determining gaps in the CIS context are the Protection Motivation Theory (PMT), Theory of Planned Behaviour (TPB), and General Deterrence Theory (GDT).

“Humans are prone to participate in a cyberattack without consciously knowing it; therefore, poor and dangerous security practices in an organisation should be identified to prevent the cyberattack,” he said.

Based on the study, strengthening one’s cyber security may include the adoption of antivirus software, antispyware software, cloud-based backup systems, and identity theft avoidance services.

“If security surveillance and awareness are not imposed at the personnel level, even the most advanced security system would not be able to protect an organisation,” said Dr. Walton, adding that organisations should strive for a deeper understanding of the critical risks of CIS.

When asked about other strong factors influencing cyber security policies, he stressed that an organisation’s top management plays a critical role in the norms, values, and beliefs of employees concerning security policies.

“Undoubtedly, subordinates would follow their leaders every step of the way. Top management provides motivation as well as pressure on employees’ compliance intentions, which encourages them to conform to CIS security policies. It is safe to say that they would be more willing to participate in cyber security practices if their leaders did the same,” he said.

Dr. Walton added that the role of gender in cyber security in an organisation contributes to the critical issue of interest.

“Men tend to be risk-takers, while women are more concerned about the risks. Many researchers discovered that women are significantly impacted by perceived control and risk to privacy, especially when using social networking sites to share information,” he said.

According to his research, the recurrence of CIS breaches has become a norm, which makes it crucial for organisations to ensure their employees understand security policies.

“Cyber threats have escalated at an alarming rate. The need for security policies should not be questioned by any organisation,” he said.

To conclude, Dr. Walton said that organisations need to invest in cyber security training.

“We need to quickly safeguard our business because every second matters. Knowing what to expect from cyber threats and the risks and consequences could solve many critical issues,” he said.

Dr. Walton Wider, a senior lecturer from INTI International University’s Faculty of Business and Communication (FBC), conducted a study with a team of academicians on the prevalence of the systematic implementation of cyber security and information security (CIS) policies in an organisation.