Information and Knowledge Management, www.iiste.org, ISSN 2224-5758 (Paper), ISSN 2224-896X (Online), Vol.10, No.5, 2020

Exploring the Factors That Contribute Towards Information Security Policy Compliance Culture

Erick O. Otieno*, Agnes N. Wausi, Andrew M. Kahonge
The University of Nairobi

Abstract

There is over-reliance on information systems to run virtually all aspects of modern institutions. This has put more burden on information security managers to come up with more robust and efficient ways to enhance information security policy compliance. Therefore, despite existing efforts in the area of information security management, there remains a critical need for more research to be done. The existing research has also concentrated on hypothesis testing rather than a qualitative approach, so there is a methodological gap that still needs to be covered and that could yield an alternative result. That is why we embarked on exploring the factors that influence information security compliance in organizations. The research was conducted in two universities with a diverse population. The research design was exploratory, encompassing qualitative in-depth case interviews with grounded theory as the analysis strategy. A total of 20 interviews were conducted, and analysis was done after every few batches of interviews in line with grounded theory principles. A theoretical model was generated and discussed. Implications of the research were also discussed and recommendations made. The study found individual factors, organizational factors, and external influence to be important factors in strategizing how to increase compliance with policies. The results also showed that practitioners need to factor in a combination of elements in their strategies in order to enhance compliance with information security policies.
Keywords: Information Security Policy Compliance Culture, Theoretical Model, Grounded Theory, Information systems security
DOI: 10.7176/IKM/10-5-05
Publication date: August 31st 2020

1. Introduction

Numerous attempts have been made to provide solutions concerning policies that offer guidance and frameworks on information security management. Despite heavy investment by institutions in ensuring robust policies, processes, and controls, incidents of internally induced breaches still occur. Extant studies indicate that internal parties and stakeholders account for about 80% of information security breach incidents. A case in point is the study by (SANS Institute, 2017), which found that malicious employees accounted for 43% of insider cases, while 39% emerged as error or negligence from non-malicious counterparts. As a mitigation measure, after the necessary policies, processes and controls have been put in place, two questions should arise: Have we invested equally in policy compliance strategies? Can information security culture be the silver lining towards mitigation of internally instigated breaches?

ICT policies are not made because of mistrust by information security managers towards those who interact with information assets. On the contrary, the policies are made to offer guidance and a framework on how to protect those who interact with the ICT assets and the organizational information systems assets. Since policies are heavily dependent on human interactions to succeed, we emphasize that “People are at the center of policies”. This is especially true because, for any mitigation to be effective, those who are expected to adhere must be seen, and be felt, to be doing exactly that through full compliance with the requirements. How then do we inculcate a culture of ICT policy compliance? Besides processes, controls, and policies, compliance culture is increasingly being considered an important component of information security mitigation strategies.
Many recent studies, such as (Ifinedo, 2014), (AlKalbani, et al., 2017), (Amankwa, et al., 2018) and (Sommestad, et al., 2019), have begun to consider information security policy compliance as part of information security management strategies. However, there is minimal coverage of information security culture as a route to an information security policy compliance culture. Further, most of these studies have applied methodologies that draw from existing theories and models. For example, the study by (Ifinedo, 2014) applied an empirical approach that considered socialization, influence, and cognition. Another study by (Safa, et al., 2016) also applied hypothesis testing to generate a model for information security compliance in organizations. Such an approach is also seen in (AlKalbani, et al., 2017), where the authors approached their study from the hypothesis testing point of view while looking at institutional aspects of information security policy compliance. In the study by (Amankwa, et al., 2018), the authors factored in variables from involvement theory and organizational behavior theory to develop their hypotheses. Taking a similar approach, the study by (Sommestad, et al., 2019) considered variables emerging from a meta-analysis of information security behavior. In our study, however, we took a different methodological approach, that of grounded theory, to study information security policy compliance culture.