Information Security Policy Compliance Model for the Federal Public Sector in Malaysia
| International Journal of Electronics and Communication Engineering |
| © 2025 by SSRG - IJECE Journal |
| Volume 12 Issue 11 |
| Year of Publication : 2025 |
| Authors : Finlyson Anak Ludan, Zulaiha Ali Othman, Noridayu Adnan, Lokman Mohd Fadzil, Muhammad Mustaqiim Roslan |
How to Cite?
Finlyson Anak Ludan, Zulaiha Ali Othman, Noridayu Adnan, Lokman Mohd Fadzil, Muhammad Mustaqiim Roslan, "Information Security Policy Compliance Model for the Federal Public Sector in Malaysia," SSRG International Journal of Electronics and Communication Engineering, vol. 12, no. 11, pp. 216-227, 2025. Crossref, https://doi.org/10.14445/23488549/IJECE-V12I11P118
Abstract:
An Information and Communication Technology (ICT) security policy is essentially an organization's protection against security risks. Nonetheless, these policies only demonstrate value when implemented with enforceability. Thus, a reference and a guide are needed as critical elements for the organization's security strategic implementation. Through key components' identification and measurement that incentivize employees' policy compliance, this article proposes an acceptable ICT security policy compliance model for Malaysia's federal public sector with fifteen variables developed based on relevant models. SPSS Pearson descriptive correlation analysis based on 204 Sarawak's federal government respondents indicates three most important factors: discerned usefulness, morality, and awareness; and three least important factors: punishment, maladaptive reward, and discerned severity, which stand out from the proposed model's 13 key base components. The proposed Malaysia federal sector ICT security policy will be subsequently implemented via the ICT security policy enforcement model.
Keywords:
Information and Communication Technology, ICT Security Policy, Compliance Model.