Bring Your Own Device Security Policy Compliance Framework

Proliferation of Bring Your Own Device (BYOD) has instigated a widespread change, fast outpacing the security strategies deployed by organizations. The influx of these devices has created information security challenges within organizations, further exacerbated with employees’ inconsistent adherence with BYOD security policy. To prevent information security breaches, compliance with BYOD security policy and procedures is vital. This book aims to investigate the factors that determine employees' BYOD security policy compliance by using mixed methods approach. Security policy compliance factors, BYOD practices and security risks were identified following a systematic review approach. Building on Organizational Control Theory, Security Culture and Social Cognitive Theory, a research framework positing a set of plausible factors determining BYOD security policy compliance was developed. Next, with a purposive sample of eight information security experts from selected public sector organizations, interviews and BYOD risk assessments analysis were performed to furnish in-depth insights into BYOD risks, its impact on organizations and recommend control measures to overcome them. This led to the suggestion of four control measures to mitigate critical BYOD security risks such as Security Training and Awareness (SETA), policy, top management commitment and technical countermeasures. The control measures were mapped into the research framework to be tested in the following quantitative phase. The proposed research framework was tested using survey results from 346 employees of three Critical National Information Infrastructure (CNII) agencies. Using Partial Least Squares – Structural Equation Modelling (PLS-SEM), the framework's validity and reliability were evaluated, and hypotheses were tested. Findings show that perceived mandatoriness, self-efficacy and psychological ownership are influential in predicting employees’ BYOD security policy compliance. Specification of security policy is associated with perceived mandatoriness, while BYOD IT support and SETA are significant towards self-efficacy. Unexpectedly, security culture has been found to have no significant relationship to BYOD security policy compliance. Theoretical, practical, and methodological contributions were discussed and suggestions for future research were recommended. The analysis led to a number of insightful findings that contribute to the literature and the management, which are predominantly centered on traditional computing. In view of the ever-increasing BYOD threats to the security of government information, it is imperative that IT managers establish and implement effective policies to protect vital information assets. Consequently, the findings of this study may benefit policymakers, particularly in the public sector, in their efforts to increase BYOD security policy compliance among employees.

Introduction.- Bring Your Own Device.- Theoretical Framework and Hypotheses Development.- Research Methodology.- Analysis, Results and Discussion.- Conclusion and Future Work.

Rathika Palanisamy

Rathika Palanisamy holds the position of Principal Assistant Secretary in the Information Technology Division, Ministry of Finance, Malaysia. She completed her doctoral degree at the Department of Computer Systems and Technology, Faculty of Computer Science and Information Technology, University of Malaya, Malaysia in 2023. Her research contributes to understanding the complexities of BYOD implementation, emphasizing the need for comprehensive strategies that address both technical and human behavioral aspects to enhance security policy compliance in organizations. Her current research interests include Information Security Risk Management, Artificial Intelligence Security Governance and Integration of Information Security in Enterprise Architecture.

Azah Anir Norman

Azah Anir Norman is an associate professor and currently the Deputy Dean of Development, Faculty of Computer Science and Information Technology, University of Malaya (UM), Malaysia. She earned her undergraduate degree at Universiti Kebangsaan Malaysia (UKM) and her master's degree in electronic commerce security from Royal Holloway University of London in the UK in 2004. She completed her Ph.D. from the University of Malaya (UM) in 2014. She specializes in information security management systems (ISMS), secure applications for ICT, privacy and human elements in security, information security governance, security on social platforms, and e-commerce security. She is also very interested in topics pertaining to Islamic ICT (such as Halal and Quran Authentication), Design Thinking, and Teaching & Learning Innovations. Azah Norman published numerous academic papers in reputable ISI and SCOPUS publications in the fields of information security governance, information security management, information security systems, information security & trust, information security & privacy, information security education awareness, information security & assurance, and information security policy & governance. Before entering the academic world, she worked as a Consultant at MSC Trustgate.com, a subsidiary of MDEC and a partner of VeriSign Inc. in the USA. In Trustgate, she provided Internet Security implementation consultation to numerous top 500 companies. Prior to becoming the consultant at Trustgate, she worked at VeriSign Inc. in Silicon Valley, San Jose, California, in 2001. As a specialist in information security management systems, she is also part of an expert in the working group WG/G/5-1 Information Security Management System, Department of Standards, Malaysia, and the International Organisation for Standardisation (ISO). She belongs to the Association of Information Systems (AIS) and the MyAIS (AIS Malaysia Chapter), an organization that promotes excellence and knowledge progress in the field of information systems research and practice.  She is also a secretary at the Cybersecurity Academia Malaysia Association (CSAM), a national association that promotes cybersecurity teaching, awareness, and research in Malaysia. She received a prestigious award from the Royal Academy of Engineering of the United Kingdom (RAENG) as the Leader of Innovation in 2018.