Information security standards and policies compliance by Nigerian banks.

Abstract

The modern banking sector is highly dependent on customer information to carry out its daily business. Such information is thus an asset which must be protected from threats; hence banks have adopted policies and standards in this regard. The Nigerian banking sector is characterised by on-going information security breaches. The reasons include low levels of individual and corporate compliance with information security standards and policies and procedures (ISSsPs), as well as the fact that banks focus on data usage optimisation rather than the privacy and security of customer information. This study examined the extent to which Nigerian bank employees comply with information security standards and policies and whether or not a relationship exists between the level of compliance and information security breaches. The theories of planned behaviour, protection motivation and self-efficacy were employed to identify the factors that motivate such compliance. The results show that all the motivational factors influence employee behavioural intention (EBI) to comply with ISSsPs. In the same vein, employee behavioural intention was found to influence such standards and policies. Hypotheses were also developed to investigate the mediating effect of EBI on the relationship between motivational factors and ISSsPs. The analysis showed that EBI has a partial mediation effect on the relationship between motivational factors and compliance with ISSsPs. The analysis of the effect of the motivational factors on ISSsPs revealed that the perceived severity of a penalty has a significant influence on compliance with ISSsPs. Certainty of detection was then regressed on employee intention to comply with ISSsPs and the results show that it has a significant effect. Furthermore, it was established that normative beliefs, the perceived effectiveness of information security standards, an awareness of information security threats, and perceived bias have a positive influence on an employee’s intention to comply with ISSsPs. The study also investigated the relationship between the compliance rate and experience of information security breaches. The analysis showed that there is a positive relationship between banks reviewing their ISSsPs and their experience of information security breaches. Thus, the more banks experience information security breaches, the more they review their standards. It was found that Nigerian banks review their information security codes and standards at least once a year. Finally, the study proposes and validated an employees’ compliance framework that has the potential to significantly improve employees’ compliance with ISSsPs, thus mitigating the effects of information security threats on Nigerian banks.