National information infrastructure organisations and cyber security compliance in Malaysia / Maslina Daud

Maslina , Daud (2018) National information infrastructure organisations and cyber security compliance in Malaysia / Maslina Daud. PhD thesis, University of Malaya.

	PDF (The Candidate's Agreement) Restricted to Repository staff only Download (1549Kb)
Preview	PDF (Thesis PhD) Download (4Mb) | Preview

Abstract

The constant increase in cyber security breaches (CSB) has raised concerns globally mainly due to deviant behaviour of employees. Previous studies have claimed that a lack of security technologies and capabilities have contributed to these breaches. Despite increasing cyber security investment, organisations continue to experience security breaches. In light of the non-excludability of cyber security as a public good, this study seeks to examine factors that stimulate cooperation to comply with security requirements to prevent security breaches. However, little work has examined the relationship between non-excludability of cyber security and cooperative behaviour to achieve cyber security compliance (CSC) in organisations. Hence, this thesis presents an in-depth analysis of cooperation to address CSC in critical national information infrastructure (CNII) sectors in Malaysia. Specifically, this study aims to: i) investigate factors that influence employees' cooperative behavioural intentions (ITC) in achieving CSC; ii) analyse the mediation effect of organisational security practices by employees' cooperative behaviour in promoting CSC; and iii) identify the effectiveness of cyber security governance instruments implemented at organisational, sectoral and national levels in Malaysia. A representative sample of 155 organisations with 69.7 % from a population of 220 from these sectors participated in this study. The important CSC factors were included: effective security awareness (ESA), technical capability (TC), security role (SR) and institutional role (IR) (which constitute cooperation), top management commitment (TMC), structured security processes (SSP), security investment (SI) and organizational, sectoral and national governance instruments sectoral and national governance instruments. Various statistical methods including binary logistic regression, Karlson Holm and Breen method and ordinal logistic regression were deployed to answer each research question. The findings were subsequently confirmed by face-to-face interviews. The findings show that ESA (OR = 2.561, p = 0.04), SR for top management (OR = 3.224, p = 0.06) and middle management (OR = 2.759, p = 0.020) and IR (OR = 1.528, p = 0.044) significantly predict ITC. Employees’ ITC can be strengthened by instilling a sense of belongingness through ESA and internalisation of IR to behave altruistically to achieve a common goal. The findings also show that large workforce organisations (OR = 0.342, p = 0.026) are less likely to contribute to ITC, indicating that opportunistic behaviour looms strongly in large groups. Furthermore, ITC contributed significantly (OR = 0.067, p = 0.001) to employees’ cooperation in organizations. The results also show that cooperation partially mediates the relationship between both TMC (OR = 0.222, p = 0.002) and SSP (OR = 1.555, p = 0.006) with CSC, where SSP has stronger mediation effect (30.63 %) than TMC (16.67 %). This study also shows how inter-related tasks embedded in security processes require cooperative and collective efforts to promote CSC, in which security information and knowledge are transferred in a structured and systematic manner. Finally, this thesis shows that cyber security governance instruments implemented in organisations (OR = 2.469, p = 0.000) and at national level (OR = 4.242, p = 0.003) are more likely to be more effective than across sectors in achieving CSC in organisations.

Actions (For repository staff only : Login required)