Empirical Study on the Influence of Security Control Management and Social Factors in Deterring Information Security Misbehaviour

Complying with security rules and standards is important to safeguard valuable information in the organisation. Failure to prevent security breaches costs the organisation huge losses and a bad reputation. Technical solutions are abundant but nonetheless still unsuccessful in deterring information security incidents. The root cause of non-compliance is humans, as they are the weakest link in the security chain. This paper examines information security control management, particularly information security awareness, training and education, risk analysis and management, information security policies and procedures as well as physical security monitoring, together with the cognitive factors which impact employees' information security compliant behaviour in the organisation. Based on convenience sampling, a survey was conducted among employees of the public and private sectors in Malaysia who are Software as a Service (SaaS) cloud users. Data were collected online and analysed using PLS-SEM. The results show that information security control management and cognitive factors have a highly significant impact in deterring information security misbehaviour in the context of cloud users.


Introduction
The emergence of cloud computing has lifted information technology to a more advanced level. The cloud environment offers three service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) [49].
IaaS is the lowest level of cloud adoption in the organisation. When an organisation decides to adopt IaaS, the service provider only offers the network, storage, servers and virtualisation. With PaaS, however, the IS department of the organisation can fully focus on applications and data, since every other service will be managed by the selected vendors or providers. The real cloud adoption is with SaaS, since all services are taken care of by the providers. The organisation can instead pay full attention to the core of its business to achieve competitive advantage. In the SaaS cloud environment, everything is served in and around the cloud, so people are not required to bring their own storage devices, since data can be saved in the cloud.
Nevertheless, studies show that security is a major hindrance to cloud adoption [1], [2]. Even though scientists have come up with an abundance of technical solutions to solve information security problems,

Relevant Theories
From the social or organisational perspective, it was observed that past security behaviour research adapted behavioural theories (e.g. Social Cognitive Theory (SCT), Theory of Planned Behaviour (TPB), Protection Motivation Theory (PMT)) or organisational culture theories (e.g. Hofstede's Organisational Culture Theory, Detert Organisational Culture, Schein Organisational Culture), depending on the target of the research, whether the individual or the organisation. Out of these organisational culture models, most ISC scholars used Schein's Organisational Model [58] compared to the other organisational models. However, [4] argued that the use of this model did not provide strong theoretical foundations.
The adoption of various theories from the social sciences indicates that research in security behaviour is still in its infancy [50] and needs further exploration before it reaches maturity.
Adapting Social Cognitive Theory (SCT) as well as extended deterrent theory (DT) as our framework, this study examines the impact of security control management (SCM), personal values (PV), environment (ENV) and employees' behaviour (BHV) on information security compliance behaviour (ISCB). SCT is a three-dimensional complementary model used to explain human behaviour, consisting of cognitive or personal factors, environmental factors and behavioural factors [8]. The theory's founder [8] further accentuates that "expectations, beliefs, self-perceptions, goals and intentions give shape and direction to behaviour". What people think, believe and feel affects how they behave [8], [9]. He nevertheless argued that behaviour cannot change the environment as easily as it is influenced by the environment, unless the behaviour first changes itself.
The DT of punishment can be traced to the early works of classical philosophers such as Thomas Hobbes (1588-1678), Cesare Beccaria (1738-1794) and Jeremy Bentham (1748-1832) [10]. Rooted in the school of criminology, DT advocates that individuals choose to commit crime when the benefits of the action outweigh the costs [11]. Deterrence has been shown to be significant in decreasing negative practices and has likewise been observed to be a viable instrument in administration [12]. In Information Systems (IS) research, DT has been extended by integrating security controls as a measure to deter security breaches [13].

SCM and Security Behaviour
To ensure successful information security in the organisation, SCM is vital. Past scholars have highlighted the important role of SCM in making sure that employees act according to standards and procedures, and rules and regulations [14], [15].
Security awareness [16]-[18], as well as security training and education [16], [17], [19], [20], are among the most basic factors needed in inculcating an information security culture in the organisation and must be given much attention by top management. Employees must be aware that their behaviour must always be in accordance with the rules and regulations, to avoid security breaches that may occur accidentally or intentionally. However, in today's technological advancement, where threats are rising from almost any angle, security awareness still lags behind [21]. The lack of security awareness causes security non-compliance in the cloud environment, which makes the outsourcing arrangement of IT services more complex [22]. Without proper security education, training and awareness (SETA) programmes, people do not know whether they have committed security breaches. SETA programmes were found to have a positive influence on managing and deterring security behaviour [15].
In addition, organisations that have proper information security policies and procedures (SPP) are better at guiding employees to good security behaviour. Research shows that complying with the organisation's security policy can shape and mitigate the risk of employee misbehaviour [23]. However, employees must be aware of the information security policies in place for them to be an effective deterrence factor [15]. Setting up an ethical conduct policy [24] is also a critical factor to consider in building up a security culture in the organisation. It is argued that previous research in ISCB did not give attention to ethical conduct because different organisations have different kinds of values and culture [17].
Another security control is risk analysis, assessment and management (RAM). Through it, the organisation is able to identify areas that are highly critical for information security and to improve security effectiveness. Information is secured with the three elements of the information systems security triad: confidentiality, integrity and availability. However, today's computing, cloud computing for instance, has exposed information to more security risks and challenging issues. Information is at risk from the existence of vulnerabilities and threats. It is claimed that organisations which have security RAM in place are more aware of their losses due to security breaches [17].
The fourth factor of SCM is physical security monitoring (PSM), which is essential to control the security behaviour of employees in the organisation [13]. While technical threats are easier to detect and rectify, human threats have proven difficult to identify. Thus, the use of PSM activities is said to be effective in controlling the behaviour of employees with regard to the safety of information.

PV, ENV, BHV and Security Behaviour
Past research examined how PV have been a significant driving factor in complying with security regulations. These include attitude [25], [26], security knowledge [18], [27], [28], religious and ethical beliefs [29], [30] as well as the level of trust [29], [31]. Humans act according to their habitual conduct. When humans do things repeatedly, these actions become a habit and are stored in the subconscious mind.
Depending on the individual's preference towards an object (person, event, thing, time, activity), attitude can be expressed positively or negatively. Attitude has been proven to have a positive effect on employee security compliance behaviour [25], and self-efficacy in attitude helps cultivate ISCB [16].
The ENV plays an important role in shaping the positive behaviour of a person. This can be either the internal or the external environment, influencing from within and from outside the organisation. As individuals, people tend to adapt themselves to the particular situation, for the fact that they are unable to change the environment alone. In this situation, the government plays an important role in ensuring that information security is given the highest priority.
The Personal Data Protection Act 2010 was enacted by the Malaysian Government for this reason. It was suggested that enforcement of the act will help shape the behaviour of people with regard to information security [32]. The influence of regulation on information security culture should be empirically tested [5]. Another ENV element is social norms. Individuals' behaviour is very much shaped by their ENV, such as peer influence. Colleagues and the immediate supervisor, other departments' behaviour, and the mechanisms for rewarding good behaviour and punishing bad behaviour are constructing factors which influence the security behaviour of employees in the organisation [12], [16]. It is argued that, among others, the ENV factors that influence the security behaviour of people are still yet to be explored [33], [34], [3].
BHV is the conduct of a person towards a particular situation, which is based upon the ENV as well as the personality traits one owns. The BHV elements, which include the skills, practice and self-efficacy (SESE) of employees, are formed gradually over a long span of time and cannot be obtained overnight. ISCB research found that security-conscious behaviour has a significant impact on the safety of information in the organisation [14], [28], [34]. Practitioners and researchers alike recognise the positive influence insiders' behaviour can have on information systems security [48]. Good security behaviour results in security compliance and thus reduces security breaches. In the long term, this good behaviour becomes a norm which exhibits the security culture of the organisation.
The skills to measure risks and recognise threats are crucial for information safekeeping. Those who possess lower skills in recognising and detecting threats are more vulnerable to attacks. Good security practice will likely reduce security incidents, as users take all the precautionary steps to comply with security policies and procedures. Experience in the information security context means one's familiarity with the skills or knowledge in the field of information security, acquired over a period of time through actual exercise, which apparently has enhanced one's ability or grasp in behaving according to the security rules and regulations [35]. Using social bond theory [36], [23] found in their study that the experience and involvement of employees have a significant effect on their attitude towards complying with security policy. Self-efficacy is a person's certainty of his or her ability to perform the required behaviours to achieve certain accomplishments [37].
Self-efficacy is a form of self-evaluation that can be the most influential apparatus of human agents in motivating and regulating human behaviour. Many studies of information technology and information systems adoption in various domains claimed that self-efficacy is an influencing factor for users to adopt such technology and systems. Self-efficacy has been found to have a significant relationship with the information security behaviour of employees [12], [25], [38], [39].
Hence, we posit the hypotheses below as shown in the following diagram:

Methodology
The survey instruments were adapted from the work of [18], [27], [40], [41] for the cognitive factors, using reflective measurement. The security control management instruments were adapted from [15], using formative measurement. All items were measured on a 5-point Likert scale from 1 (strongly disagree) to 5 (strongly agree). A pilot study was conducted to test the reliability of the questions, producing the results reported in [47]. The survey was conducted online from October to December 2016 among 1000 potential respondents, professionals at various public and private sector organisations in Malaysia. Google Docs was used as the survey platform. Potential respondents were contacted through Facebook and email messages to which the link to the survey was attached. Convenience sampling was used as the sampling method. Respondents were informed about the purpose of the study and given the option to stop answering at any time.
Screening questions were asked to identify the correct respondents. Respondents were asked about their usage of mobile devices such as laptops or smartphones for job-related tasks. Respondents were also questioned about their exposure to cloud applications such as cloud storage, social media networks and email applications. Altogether, 410 people responded to the questions. After screening for missing data, 396 responses were usable for empirical analysis. Partial Least Squares (PLS) was used to analyse the ISCB model.

Findings
Descriptive analysis was conducted to identify the background of the respondents. Female respondents outnumbered male respondents by 26%: 251 female respondents participated in this study compared to 145 male. There were two large majority age groups, 31-40 (39.4%) and 41-50 (33.6%), followed by 21-30 (23.5%), 61-70 (2.5%), 20 and below (0.8%) and 51-60 (0.5%). With regard to education background, the two majority groups are degree (41%) and master's degree holders (35.4%), followed by PhD (11.9%), diploma (8.4%) and high school level (3.3%). Their working experience varies: below 5 years (33.7%), 5 to 7 years (23%), 11 to 15 years (16.9%), 16 to 20 years (16.9%), and only 15% have more than 25 years of experience. Around 46.2% of the respondents are from the public sector, 43.7% from the private sector and the rest from NGOs. Respondents were also asked about their exposure to SaaS applications as part of screening for valid respondents. The majority of respondents were exposed to the usage of SaaS applications such as email and social media. The results of their SaaS exposure are summarised as below:
The PLS evaluation of the measurement model for the formative exogenous latent variables takes three steps, as suggested by [42]: examining convergent validity, the presence of collinearity among indicators, and the significance and relevance of outer weights. Prior to that, content validity was achieved by referring the scales to subject-matter experts and industry professionals through a pilot study, as well as by conducting an EFA analysis.
Convergent validity can be examined by looking at the value of the path coefficient, which must be above 0.80 or at least 0.64 [42]. The analysis shows that the path coefficient for each exogenous construct is above 0.80, which indicates that the formative scales exhibit sufficient convergent validity. To examine collinearity issues, the variance inflation factor (VIF) values were referred to. The analysis shows that some of the indicators have VIF values above the threshold of 5.0; hence, the bootstrapping procedure was further conducted to examine the significance and relevance of the indicators. For this analysis, the outer weight and outer loading values must each be significant.
The result of the formative measurement assessment shows that PSM 35, PSM 36 and PSM 37, RAM26, SETA24, SPP15, SPP16, SPP17 and SPP18 were dismissed from the scale because their VIF values are above the threshold of 5.0. The outer weights and outer loadings were further examined for all indicators, and those items were found to be insignificant, hence resulting in their dismissal. The final formative constructs (PSM, RAM, SETA, SPP) have convergent validity.
Next is the measurement of the reflective scales for the exogenous latent variables SESE and PRCTC as well as the endogenous latent variables BHV, ENV, SCM and ISCB. The reflective measurement specifically analyses reliability and validity, convergent validity as well as discriminant validity. The composite reliability values for the reflective endogenous latent variables are above 0.70, demonstrating that all reflective constructs have high levels of internal consistency reliability according to [43]. The convergent validity assessment builds on the AVE value as the evaluation criterion. The AVE values of BHV (0.823), ENV (0.55), PV (0.702), ISCB (0.806) and SCM (0.887) are well above the minimum requirement of 0.5, as suggested by [42]. Thus the measures of the reflective constructs have high levels of convergent validity.
Finally, the discriminant validity assessment was conducted using the Fornell-Larcker criterion, and the result revealed no discriminant validity problem. The PLS structural model analysis involves five steps of assessment, as suggested by [42]: assessment of collinearity, significance and relevance, the level of R², the effect size f², as well as predictive relevance Q² and effect size q². The result of the structural collinearity assessment shows that the VIF tolerance values for all sets of predictors are below the threshold of 5.0, which indicates no collinearity problem in the structural model. The bootstrapping procedure was conducted to assess the significance of the path coefficients. Table 2 exhibits the path coefficients of the ISCB model. The result clearly shows that all paths are significant at least at the 5% level, except for H1, H5, H12 and H14, which are not significant.
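As an added illustration of the measurement-model checks described above (not code from the paper), the following pure-Python snippet computes AVE and composite reliability from indicator loadings, applies the Fornell-Larcker criterion, and screens formative indicators by VIF against the 5.0 threshold. The loadings, the indicator correlation matrix and the inter-construct correlations are constructed sample values; only the AVE figures for ENV, PV and BHV are the ones reported on the page.

```python
"""Measurement-model checks from the PLS-SEM procedure described above: AVE,
composite reliability, Fornell-Larcker discriminant validity and VIF screening
of formative indicators. Pure Python, no third-party dependencies."""
from math import sqrt

VIF_THRESHOLD = 5.0  # collinearity threshold applied to formative indicators


def ave(loadings):
    """Average variance extracted: mean of the squared standardised loadings."""
    return sum(x * x for x in loadings) / len(loadings)


def composite_reliability(loadings):
    """CR = (sum l)^2 / ((sum l)^2 + sum(1 - l^2)); above 0.70 is acceptable."""
    s = sum(loadings) ** 2
    return s / (s + sum(1.0 - x * x for x in loadings))


def fornell_larcker_ok(ave_by_construct, corr):
    """sqrt(AVE) of each construct must exceed its correlation with every other
    construct. `corr` maps frozenset({a, b}) -> correlation between a and b."""
    names = list(ave_by_construct)
    return all(sqrt(ave_by_construct[a]) > abs(corr[frozenset({a, b})])
               for a in names for b in names if a != b)


def invert(m):
    """Gauss-Jordan inverse of a small square matrix given as a list of rows."""
    n = len(m)
    a = [list(row) + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(m)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(a[r][c]))  # partial pivoting
        a[c], a[p] = a[p], a[c]
        piv = a[c][c]
        a[c] = [v / piv for v in a[c]]
        for r in range(n):
            if r != c:
                f = a[r][c]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[c])]
    return [row[n:] for row in a]


def vif(corr_matrix):
    """VIF_i = 1 / (1 - R_i^2); for a correlation matrix this equals the i-th
    diagonal entry of its inverse, so no explicit regressions are needed."""
    inv = invert(corr_matrix)
    return [inv[i][i] for i in range(len(inv))]


def screen_indicators(names, corr_matrix, threshold=VIF_THRESHOLD):
    """Indicators whose VIF exceeds the threshold: candidates for dismissal,
    pending the outer weight / outer loading significance check."""
    return [n for n, v in zip(names, vif(corr_matrix)) if v > threshold]


# Constructed sample data (not from the paper): loadings of one reflective
# construct, and a correlation matrix for three formative indicators, two of
# which are nearly redundant.
SAMPLE_LOADINGS = [0.85, 0.88, 0.92, 0.83]
SAMPLE_INDICATORS = ["SPP15", "SPP16", "SPP17"]
SAMPLE_CORR = [[1.00, 0.95, 0.30], [0.95, 1.00, 0.30], [0.30, 0.30, 1.00]]
# AVE values as reported on the page; the inter-construct correlations are constructed.
PAGE_AVE = {"ENV": 0.55, "PV": 0.702, "BHV": 0.823}
SAMPLE_CONSTRUCT_CORR = {frozenset({"ENV", "PV"}): 0.52,
                         frozenset({"ENV", "BHV"}): 0.48,
                         frozenset({"PV", "BHV"}): 0.61}

if __name__ == "__main__":
    print("AVE", round(ave(SAMPLE_LOADINGS), 3),
          "CR", round(composite_reliability(SAMPLE_LOADINGS), 3))
    print("Fornell-Larcker ok:", fornell_larcker_ok(PAGE_AVE, SAMPLE_CONSTRUCT_CORR))
    print("Dismissal candidates:", screen_indicators(SAMPLE_INDICATORS, SAMPLE_CORR))
```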

Discussion and Conclusion
Driven by the aim of the study, we examined the influencing factors of the information security compliant behaviour of SaaS cloud users. All results for the information security control management factors are consistent with [15] and [44], except for SETA programmes. In contrast to SETA programmes, the security policy and procedures (SPP), risk analysis and management (RAM), together with physical security monitoring (PSM), have a significant impact on the security control management of information security. A clear information security policy and procedures are vital, as they become guidance on what can or cannot be done legally and ethically.
In addition, the results also suggest that management should emphasise PSM more intensively, for the fact that it is an effective deterrent factor to prevent information security breaches, which is consistent with the result of [13]. This perhaps includes the access management system as well as constant monitoring through computer surveillance to inculcate good information security behaviour.
Furthermore, RAM is a proactive solution, which is crucial not only for correcting information security incidents but also for preventing potential security issues. Organisations which have RAM in place are taking a step ahead in deterring security breaches, to ensure that information is safely protected as well as to avoid substantial losses due to security compromise. Nevertheless, it is quite a surprise that the SETA programme is found to be insignificant in driving good information security behaviour of users, which contradicts [13] and [14]. SETA programmes have been found to be a salient factor in shaping good security behaviour of users, as reported in studies [15] and [46]. The contradicting result is most probably due to insufficient security awareness training and education being conducted in the public and private sectors in Malaysia.
Despite SETA being insignificant to SCM, SCM has a significant impact on the security environment but not on the personal values of employees. Nevertheless, the environment significantly influences the personal values of employees, indicating that the environment mediates between SCM and personal values. The skills, experience and self-efficacy have a significant impact on the behaviour of employees, which is consistent with the results of [25], [39]. Self-efficacy has been proven to be a substantial factor in much security behaviour research, in which users believe that their abilities in complying with security regulations as well as utilising security measures are important in keeping good security behaviour [45]. Without these, employees are unable to distinguish between good and bad security conduct. Overall, security control management, the personal values and the behaviour of employees play a significant role in establishing ISCB.
Similar to other research which utilised purposive sampling, the results of this study are not generalisable to all contexts and settings. Whilst much care and effort were taken prior to conducting this study in terms of ensuring the validity of the questions through a pilot study, the researcher has no ability to control the responses given by the respondents, as their answers are subject to their own perceptions and judgements. This ISCB study was carried out in the context of SaaS cloud environment users, for whom the technical issues of SaaS are totally borne by the service providers; hence the suitability of this model for PaaS or IaaS applications remains unknown. In future research, if this model is to be used in the PaaS and IaaS context, technological factors might be taken into consideration.
This study contributes to the knowledge of ISCB through the extension of SCT and extended DT in the context of SaaS cloud users, as well as the development of an integrated ISCB model. The findings from this study could be enhanced from a different perspective by using a case study method to provide an in-depth explanation of the phenomenon. A case study is suggested to be conducted at a public organisation to assess security compliance behaviour using this model, both for external validation and for understanding the actual phenomena of information security.
This study can also be replicated in the private sector as well as other domains such as the healthcare and banking sectors, as these groups hold the most classified information of patients and clients.