Faculty Reflections on University Information Security Policy
Abstract
Employee noncompliance with information security policy (ISP) is costing
organizations more and more money in the battle against cybersecurity threats. Three
popular theories within employee compliance and ISP research, namely protection
motivation theory, deterrence theory and neutralization theory, were used to create
a conceptual framework to help explain the employees’ reflections. A case
study with faculty members from the University of Gothenburg was conducted to see
how the faculty members reflect when it comes to the ISP at their workplace and
their own protection behavior. Semi-structured interviews were held digitally with
six participants. The results indicate that faculty members rarely reflect on their
protection behavior, were unaware of what the ISP was, and, even though they
believed the threat of a cyberattack was medium to high, still engaged in
behavior they knew could expose the university to unnecessary risk. This research
can help the university and other government agencies to structure their Security
Education, Training and Awareness (SETA) to match the employees’ behavior on
IT security and help bring awareness of the knowledge and ideas employees have of
information security.
Degree
Master theses
Date
2021-11-30
Author
Dyrendahl, Sofia
Keywords
Cybersecurity
employee compliance
information security policy
protection motivation theory
deterrence theory
neutralization theory
university
Series/Report no.
2021:039
Language
eng