SINET:Ethiop. J. Sci.

, 47(1): 17-32, 2024 ISSN: 0379–2897 (PRINT)

© College of Natural and Computational Sciences, Addis Ababa University, 2023 eISSN: 2520–7997

Date received: May 2023; Date revised: April 2024; Date accepted: -August 2024
DOI: https://dx.doi.org/10.4314/sinet.v47i1.2

The Impact of Organizational Culture on Information Security Policy Compliance

Kibrom Ejigu*, Mikko Siponen and Tilahun Muluneh

College of Natural and Computational Sciences, Addis Ababa University, Ethiopia. E-mail:
[email protected]

ABSTRACT: The objective of this study is to explore how organizational culture affects employee
compliance with information security policies. To accomplish this goal, the authors developed a
theoretical model and collected survey data from employees who work in organizations that have
information security policies. We employed a quantitative survey research approach. We
conducted our study at the commercial bank of Ethiopia (CBE). The collected data was analysed
using analysis of moment structures (Cardoso and Ramos) software. The findings show that
organizational culture significantly affects employee compliance with information security policies.
Additionally, the study emphasizes the importance of considering the dominant organizational
culture when trying to embed an information security policy. The contribution of this study lies in
providing empirical evidence of the influence of organizational culture on information security
compliance. To limit the scope of the study, the sample used in this research focuses only on
organizational factors in Ethiopia. It is recommended that future studies be conducted in other
countries to validate the results and ensure the generalizability of the findings. Practically
speaking, creating a culture that supports information security practices is crucial for organizations,
as technical and management measures alone cannot fully address the human aspect of
information security. To better understand and enhance organizational behaviour regarding
information security, companies should examine their organizational culture and how it impacts
the effectiveness of implementing information security policies.

Keywords/Phrases: information security, information security compliance, organizational culture,

developing country, information security compliance model, competing values framework

for security policies and procedures, which can

INTRODUCTION result in significant consequences and
damage(Bulgurcu et al., 2010; Kim and Solomon,
The importance of information as a crucial 2016).
resource for organizations has led to the Information security protection
development of information systems to manage mechanisms can be categorized into technical
their resources. These systems are interconnected and behavioural solutions. Technical solutions
globally to facilitate the quick processing and include the use of passwords, access rights,
sharing of information, but this connectivity also intrusion detection and prevention systems, and
exposes organizations to various security threats. firewalls, among others, while behavioural
These threats can occur during the storage, solutions comprise the development of
processing, and communication of information. information security policies, training and
To maintain the safety of information, awareness programs, and risk monitoring. Some
organizations must implement comprehensive organizations also use punishment and rewards
security mechanisms at all levels of information as behavioural solutions to encourage
management(Bulgurcu et al., 2010). Although compliance and discourage violations of
there is an increasing awareness of the benefits of information security prevention
information system security, most security mechanisms(Assefa, 2021; Ejigu et al., 2021). To
threats come from the unintentional or provide a comprehensive solution to information
intentional actions of employees. Studies show security, organizations develop and implement
that over 80% of security threats come from information security policies (ISP).
insiders, and this is mainly due to the lack of ISP serves as a formal document that
knowledge about information security policies establishes guidelines, procedures, and
implemented in organizations(Alotaibi et al., standards for user behaviour when accessing
2016) .This lack of awareness leads to a disregard organizational information and IT resources. It is

_____________________
*Author to whom correspondence should be addressed.
18 Kibrom Ejigu etal.

crucial for ensuring the security of information rules and guidelines outlined in an
resources and technological devices within an organization's information security policy while
organization(Alotaibi et al., 2016; Amankwa et using the organization's information system
al., 2018). However, despite the existence of clear (Ifinedo, 2014; Siponen et al., 2010). Compliance
ISP guidelines, employees often encounter with the ISP entails using the information system
challenges adhering to the policies outlined in in line with established guidelines when
the document(Alotaibi et al., 2016; Bulgurcu et communicating with colleagues within and
al., 2010). outside the organization (Bulgurcu et al., 2010). It
To fill gaps in the literature, researchers signifies the effectiveness of the implemented
must look into the relationship between information security policy and procedures,
organizational culture and employee compliance while noncompliance indicates a lack of
with information security policies. While earlier acceptance of the policy. It is important for an
research has looked at a variety of factors that organization's information security policy to be
influence compliance behaviours (Arage et al., designed in a way that does not create obstacles
2015; Assefa, 2021; Bulgurcu et al., 2010), the for employees in carrying out their daily
impact of organizational culture on compliance tasks(Antoniou, 2015). Information security
has received less attention(Ejigu et al., 2021). policies establish the standards and guidelines
Besides, several researchers have suggested that for organizations to safeguard their sensitive
further investigation is necessary to explore the data and information assets(Cram et al., 2017).
relationship between organizational culture and These policies depend on employee compliance
its impact on employee information security for their effectiveness (Stafford et al., 2018).
policy compliance behaviour(Solomon and Research shows that employees often violate
Brown, 2021; Tang et al., 2016). This research these policies, driven by a perception of
aims to fill this gap by examining the role of increased productivity(Tarafdar et al., 2014). This
organizational culture in predicting and non-compliance poses challenges to an
promoting information security compliance organization's efforts to maintain robust
among employees. By identifying the unique information security(Xu et al., 2019), even with
contributions of organizational culture in advanced security measures and well-crafted
shaping compliance behaviour, this study will policies. Therefore, a deeper understanding of
provide valuable insights for practitioners compliance behaviour within an organizational
seeking to enhance information security practices context is crucial(Ifinedo, 2014), as it helps
within their organizations.To tackle the research recognize the factors influencing employee
issue at hand, the subsequent research inquiries information security compliance(Hu et al., 2012).
have been formulated:RQ1: How does
organizational culture influence employees' Organizational Culture and Compliance
compliance with information security policies?
The article's structure begins with an According to De Witte and Van Muijen
introduction to the research topic. The second (1999), organizational culture consists of shared
section then provides a brief Literature Review values and beliefs that influence employee
of current research and knowledge gaps. The behaviour and actions within an organization. It
third section then presents the Conceptual includes deeply ingrained norms, values, and
Framework, which serves as the study's customs guiding interactions, decisions, and
foundation. Then, in the fourth section we contributions within the organization.Research
present our hypotheses. The fifth section then has explored the relationship between
describes our research methods. The sixth section organizational culture, information security and
then presents empirical findings. The seventh compliance. Embedding policies in the culture
section then discusses the research implications. has been advocated for promoting compliance.
Finally, the article discusses limitations and Organizational culture has been deemed a more
future research directions. effective driver of compliance change than
traditional policing(Vroom and von Solms, 2004).
Literature Review Incorporating corporate governance and
information security policies into the culture,
Information Security Policy Compliance with senior management involvement, has been
stressed(Von Solms, 2006).
Information security compliance relates According to Karlsson et al. (2022), the
to the extent to which employees adhere to the aspects of organisational culture and information
SINET: Ethiop. J. Sci.,47(1), 2024 19

security policy compliance have been addressed more comprehensive exploration of how
to a very small degree in the current literature. organizational culture interacts with compliance,
However, the studies byErnest Chang (2007),Hu particularly concerning employees' adherence to
et al. (2012), Solomon and Brown (2021), information security measures. This research gap
Karlsson et al. (2022)are valuable exceptions. underscores the importance of investigating the
While prior research has examined the intricate dynamics between specific cultural
relationship between organizational culture and orientations and compliance behaviour, offering
information security, there is a notable research a more nuanced understanding of this
gap and inconclusive findings regarding the relationship.
effects of specific cultural orientations on Conceptual Framework
employee compliance with information security
measures. Ernest Chang (2007) conducted a Competing Values Framework:
study exploring the influence of various ` The literature explores various
organizational culture traits on information dimensions within research on information
security management's effectiveness, focusing on security and organizational culture, including
constructs like confidentiality, integrity, Schein's model and Hofstede's six-dimensional
availability, and accountability. Their findings framework. However, we chose the CVF model,
revealed a positive correlation between as used in prior research(Ernest Chang, 2007; Hu
consistency and effectiveness cultures and the et al., 2012; Karlsson et al., 2022; Solomon and
principles of information security management. Brown, 2021), for several compelling reasons.
However, it is important to note that their study Schein's model, widely used but criticized for
did not investigate employee compliance with vague definitions, oversimplification, and
information security measures. Similarly, neglect of external factors, Hofstede's
Donahue (2011) conducted a survey of framework, while valuable, did not measure
information security managers within US culture individual level and oversimplifies
organizations, shedding light on the impact of diversity(Karjalainen et al., 2013; Vance et al.,
cultures emphasizing cooperativeness and 2020). In contrast, the CVF offers a more
innovativeness. Yet, it's worth highlighting that nuanced, flexible, and context-specific approach,
Donahue's study did not specifically address accommodating the complexities of real-world
employee compliance with information security organizational dynamics and diverse cultural
measures. contexts. Besides, the CVF model, widely
Hu et al. (2012) narrowed their focus to employed in organizational culture
only two cultural orientations outlined in the research(O’Neill et al., 2021), comprises four
competing values framework (CVF) consistency culture types: effectiveness, consistency,
and effectiveness, examining how these cooperativeness, and innovativeness, supported
orientations influence individuals' cognitive by the organizational culture assessment
beliefs regarding information security policies. instrument (OCAI), utilized in over 1,000
Solomon and Brown (2021)research emphasized organizations, indicating organizational
the direct impact of an effectiveness culture on success(O’Neill et al., 2021; Zeb et al., 2021). We
compliance, while notably; they did not find a select the CVF for its integration and
significant impact of a consistency culture on organization of proposed dimensions based on
compliance. Further adding to the complexity of empirical evidence. Our research delves into the
findings, Karlsson et al. (2022)discovered that effects of all CVF components to enhance our
employees perceiving their organizations as understanding of organizational culture's role in
having both consistency and cooperativeness information security compliance. Subsequent
cultures demonstrated a positive influence on sections provide comprehensive definitions of
information security policy compliance. These each component in our model.
inconsistent findings highlight the need for a
20 Kibrom Ejigu etal.

Consistency

Innovativeness
ISP compliance
Effectiveness

Cooperativenes
s

Figure 1: Research Model of ISP Compliance Source: adapted from Ernest Chang and Lin (2007).

highlight the need to explore contextual nuances

Hypotheses and conditions that comprehensively determine
the relationship between consistency culture and
Consistency culture compliance. Subsequent sections will delve into
The consistency culture is based on the these variations, examining potential
values of efficiency, reliability, predictability, contributing factors and offering a nuanced
and standardization through strict adherence to perspective on organizational culture's role in
rules, policies, and procedures. This culture is shaping compliance behaviours. Therefore, the
typical of organizations with an internal focus on following hypothesis is posited:
people dimensions and an emphasis on control
that adopt centralized authority over H1: Consistency culture has a positive influence
organizational processes, respect formal on employees' compliance with the ISP.
hierarchy, and adhere to rules, policies, and
procedures(Di Stefano et al., 2019; Ernest Chang Innovativeness Culture
and Lin, 2007). It is possible that this type of An innovative culture is characterized by
culture may actually have a positive influence on a focus on flexibility and innovation in order to
employees' compliance with ISP. Organizations satisfy stakeholders’ needs. However, it places a
with a consistency culture tend to have greater emphasis on creativity and
centralized authority over processes and respect experimentation to drive growth and
for formal hierarchy, which may promote a sense improvement. The leadership style in an
of order and accountability among employees. innovative culture is often inventive and risk-
Moreover, strict adherence to rules and taking, encouraging employees to explore new
procedures may actually make it easier for ideas and take calculated risks(Di Stefano et al.,
employees to understand and comply with ISP 2019; Ernest Chang and Lin, 2007).
requirements. Additionally, the lack of discretion Research has shown that organizations
among employees throughout hierarchical levels with an innovative culture are more likely to
may make it easier for organizations to ensure have higher levels of organizational
consistent and uniform compliance with ISP commitment, intention to stay, and information
requirements(Ejigu et al., 2021). system service quality. In an innovative culture,
While our initial hypothesis one individuals are motivated to pursue innovation
proposed a positive influence of consistency and change by investing their efforts and
culture on employees' ISP compliance, empirical realizing the benefits that come with it(Di
research reveals a complex landscape. Studies by Stefano et al., 2019; Tadesse et al., 2021). This
Hu et al. (2012) and Solomon and Brown type of culture may also support the social
(2021)indicate a lack of direct association exchange rule of reciprocity by promoting
between consistency culture and compliance mutual reinforcement between parties(Di
intentions, raising questions about the extent of Stefano et al., 2019).
its influence. It's worth noting that the empirical We argue that the emphasis on
evidence isn't entirely conclusive. In contrast, creativity, risk-taking, and open communication
Karlsson et al. (2022)found a positive impact of in an innovative culture may positively influence
consistency cultures on information security employee compliance with ISP policies.
policy compliance. These diverse findings According to Jin and Drozdenko
SINET: Ethiop. J. Sci.,47(1), 2024 21

(2010)employees in an innovative culture may could actually influence employee compliance

feel a sense of ownership and empowerment, with ISP policies.
which could lead to a greater sense of While our hypothesis posits a positive
responsibility and accountability in adhering to influence of an effectiveness culture on
ISP policies. In a study conducted by Karlsson et employees' compliance with ISP policies, the
al. (2022)it was found that employees who empirical landscape reveals mixed findings. Hu
perceive their organizations as having an et al. (2012) did not establish a direct association
innovative culture had a negative impact on between effectiveness culture and compliance,
information security policy compliance. This suggesting a more complex relationship. In
intriguing contradiction prompts us to delve contrast,Solomon and Brown (2021) support our
deeper into the complex interplay of hypothesis, showing a positive impact of an
organizational culture and compliance. While effectiveness culture on compliance. However,
our hypothesis emphasizes the potential benefits Karlsson et al. (2022) present a contrasting
of an innovative culture in fostering a proactive perspective, indicating a negative impact of an
attitude toward compliance, the findings effectiveness culture on information security
byKarlsson et al. (2022) raise questions about the policy compliance. These mixed findings
conditions under which such cultures may have emphasize the need for a comprehensive
divergent effects. exploration of the influence of organizational
Therefore, we propose that an innovative culture on compliance and consideration of
culture may lead to greater employee compliance potential moderating factors.
with ISP policies due to its focus on innovation, In subsequent sections, we will delve
experimentation, and risk-taking, which may into these variations, examine contextual
foster a more proactive and positive attitude nuances, and aim to provide a nuanced
towards compliance. Therefore, the following understanding of the effectiveness culture's
hypothesis is posited: relationship with compliance. Thus, the
following hypothesis is posited:
H2: Innovation culture has a positive influence
on employees' compliance with ISP. H3: Effectiveness culture has a positive influence
on employees' compliance with ISP.
Effectiveness culture
The effectiveness culture emphasizes the Cooperativeness Culture
values of efficiency, goal achievement, and A cooperative culture, also known as a
accountability through strict adherence to collaborative culture, places a high value on
performance standards and objectives. teamwork and group efforts to achieve common
Employees in these organizations are driven to goals. The leadership style is supportive and
be results-oriented, taking initiative and valuing focused on employee empowerment and
achievement; the prevalent leadership style is participation. This type of culture emphasizes
directive and focused on outcomes. Research employee involvement, cohesion, and mutual
suggests that high effectiveness cultures are support and is characterized by a sense of
positively associated with organizational belonging and loyalty to the organization.
commitment, job involvement, job satisfaction, Research has shown that this type of culture is
trust, and empowerment and negatively positively related to organizational commitment,
associated with conflict and resistance to job satisfaction, and trust(Goodman et al., 2001).
change(Di Stefano et al., 2019). In this culture, employees are
This culture is typical of organizations encouraged to engage in prosaic behaviours and
with a focus on customer satisfaction and an organizational citizenship behaviours, which can
emphasis on performance that adopt positively impact their compliance with ISP
decentralized authority over organizational policies. According to the exchange norm of
processes, respect results-based hierarchy, and group gain, individuals are expected to act in the
emphasize accountability. According to Kakkar interest of the group, and behaviours that are
and Sivanathan (2022)a culture that values damaging to the collective are strongly
achievement and accountability may actually discouraged(Di Stefano et al., 2019; Tadesse et
reduce the likelihood of unethical behaviours al., 2021). Hence, it is reasonable to expect that
such as violations of ISP, as employees are more employees in cooperative cultures are less likely
likely to be committed to the organization's goals to engage in ISP non-compliance.
and values. We argue that an effective culture, Furthermore, research has shown that
due to its focus on accountability and results, organizations that promote collaboration and
22 Kibrom Ejigu etal.

teamwork are more likely to have a positive selected branch offices. The list of employees was
ethical climate, which is characterized by a organised by department, and representative
shared belief in the importance of ethical samples were drawn from each. We used
behaviour (Di Stefano et al., 2019). Such ethical systematic sampling methods to select
climates can help reinforce the importance of ISP questionnaire respondents. We used Solvin's
compliance and create a sense of shared formula to calculate the sample size.The total
responsibility for maintaining the security of number of employees in six branches was 670. Of
information systems. According toKarlsson et al. which 250 samples were selected using 5%
(2022), the cooperativeness culture that margin error and 95% level of confidence
employees believe exists at their organisations (Kothari, 2004).
has a positive effect on their compliance with Data analysis was performed using
information security policies.Therefore, we AMOS software. AMOS software was selected
hypothesize that cooperativeness culture has a for data analysis due to its robust capabilities. Its
positive influence on employees' compliance primary strengths lie in structural equation
with ISP, as it promotes pro-social and modelling Tilahun and Tibebe (2017), which is
organizational citizenship behaviours, reinforces ideal for exploring complex relationships in
the exchange norm of group gain, and fosters a research, such asinformation security
positive ethical climate that emphasizes the compliance. AMOS accommodates both
importance of ISP compliance. reflective and formative measurements, making
it versatile in handling various data types.
H4: A cooperative culture has a positive Moreover, it facilitates theory development and
influence on employees' compliance with ISP. has high statistical power, ensuring the detection
of subtle associations. The ability to conduct path
Method analysis is crucial when exploring multiple
For our study on assessing employee variable relationships, and AMOS enjoys
compliance with information security policies, widespread acceptance in the research
we employed a quantitative survey research community, aligning with journal-level
approach. This choice is grounded in several key publication standards.
considerations: Firstly, a quantitative survey We employed established tools for data
approach is well-suited for collecting data from a collection, drawn from the existing literature on
substantial sample population, allowing for a information security (Table 1). To ensure the
comprehensive analysis (Kumar, 2018). reliability and validity of our instrument, we
Secondly, it provides the means to precisely conducted a pilot test with 50 employees from
measure the variables related to compliance with the commercial bank of Ethiopia, with 21
information security policies, facilitating completing the questionnaire (42% response
numerical analysis essential for our research rate.) a group separate from the main survey to
(Bryan, 2020). Thirdly, the use of surveys ensures mitigate potential biases. The analysis confirmed
the objectivity and standardization of data the instrument's validity and reliability, with
collection as respondents provide responses to Cronbach's α value above .82. During the pilot
predefined questions, reducing potential bias test, participants reviewed the questionnaire for
and subjectivity(Edwards et al., 2014). Lastly, our validity, clarity, question order, and redundancy.
decision is supported by the approach's ability to Feedback from the pilot test informed the final
explore causal relationships between questionnaire. It comprises two sections: the first
independent and dependent variables, a critical gathers demographic information, including
aspect in the investigation of employee gender, education level, and work experience, to
compliance with information security explore potential influences on participants'
policies(Mohajan, 2020). perceptions and behaviours regarding
For our study, we conducted research at information security policies. This demographic
the Commercial Bank of Ethiopia, recognized as data enhances the interpretation of study results.
one of the largest financial institutions in The second section, a pivotal component,
Ethiopia having branch offices all over the contains tools designed to directly measure the
country. From all CBE branch offices, six branch research variables, providing essential insights
offices located in Adama and Addis Ababa were into the effectiveness of information security
selected by using random sample method. Then policies. We used paper-based surveys due to
we compiled a list of employees who work in the internet connectivity challenges.
SINET: Ethiop. J. Sci.,47(1), 2024 23

Table 1. Measurement items for organizational culture and information security compliance.

Cooperativeness COOP_1 Managers empower staff Ernest Chang

(2007)
COOP_2 In this organization, managers treat all staff as their big family Ernest Chang
members. (2007)
COOP_3 Employees are loyal and trust one another. Ernest Chang
(2007)
COOP_4 Your organization encourages employees to actively participate Ernest Chang
all company activities and events. (2007)
COOP_5 Employees are devoted to protect their organization. Ernest Chang
(2007)
COOP_6 Employees are trusted by their managers, and can participate Ernest Chang
in the decision making process. (2007)
COOP_7 It is very harmonious amongst employees, and your company Ernest Chang
is treated like a big family. (2007)
COOP_8 Your Company pays attentions to human resource Ernest Chang
development, employees’ morale, and team work. (2007)
Innovativeness INNO_1 Managers have courage to make innovation and take risk. Ernest Chang
(2007)
INNO_2 Managers actively lead the staff to grow and innovate. Ernest Chang
(2007)
INNO_3 Managers have vision and insights to create new business Ernest Chang
opportunities. (2007)
INNO_4 Employees always have to face challenges and they can learn Ernest Chang
and grow from the challenges. (2007)
INNO_5 Your Company pays attentions to the uniqueness of employees Ernest Chang
and encourages the innovation from employees. (2007)
INNO_6 Your Company is willing to take risks, and it is indeed an Ernest Chang
ambitious and energetic organization. (2007)
Consistency CONS_1 Managers set up clear goals and demand employees to carry Ernest Chang
out the goals strictly. (2007), Hu et al.
(2012).
CONS_2 Your Company always has formal and strict rules for Ernest Chang
employees to follow. (2007), Hu et al.
(2012).
CONS_3 The operation of your company emphasizes stability and Ernest Chang
conservative culture. It does not allow any confusion. (2007), Hu et al.
(2012)
CONS_4 Your Company pays attentions to efficiency and performance Ernest Chang
for achieving the goals. (2007), Hu et al.
(2012)
CONS_5 Your Company is stable and offers job security to employees. Ernest Chang
(2007), Hu et al.
(2012)
CONS_6 Your Company is a systematic organization where each Ernest Chang
employee has clear duty, and its operations are well defined (2007), Hu et al.
with clear rules to follow. (2012)
Effectiveness EFFE_1 Managers emphasize working efficiency and acts effectively. Ernest Chang
(2007), Hu et al.
(2012)
EFFE_2 Managers pay attentions to achieve good work performance Ernest Chang
and reach the goal, regardless of personal feelings. (2007), Hu et al.
(2012)
EFFE_3 The critical success factor of your company is its good Ernest Chang
productivity. (2007), Hu et al.
(2012)
EFFE_4 Your Company pays attentions to work efficiency. Every Ernest Chang
department and (2007), Hu et al.
(2012)
EFFE_5 Your Company pays attentions to maintaining its competition Ernest Chang
advantages. (2007), Hu et al.
(2012)
EFFE_6 Your Company pays attentions to employees in terms of Ernest Chang
increasing their efficiency and pursuing their accomplishment. (2007), Hu et al.
(2012)
Information security ISP_1 I follow information security policy and procedures while Bulgurcu et al.
Policy compliance communicating with other colleagues within and outside the (2010)
organization.
ISP_2 Bulgurcu et al.
I protect information and technology resources according to (2010)
the requirements of the information security policy of my
organization.
ISP_3 I understand that information security policy is not restrictive Antoniou (2015)
to access information resources in my organization.
24 Kibrom Ejigu etal.

RESULTS

We will now delve into the outcomes of the 34.8% had satisfactory experience, 7.7% had
measurement model evaluation, structural sufficient experience, and 0.9% had moderate
model examination, and hypothesis testing. experience. This data underscores the reliance of
These results adhere to the rigorous criteria employees on computers for information
expected in quantitative research within the field management, highlighting their susceptibility to
of information systems. potential information security risks. Despite the
high response rate, some respondents (29) chose
Descriptive Statistics not to return the questionnaire, while 5 provided
Out of the 250 questionnaires distributed incomplete responses, resulting in their exclusion
to the selected sample, 221 were correctly from the data analysis process.
completed and returned, resulting in a response
rate of 88.4%, which aligns with sampling Measurement Model Evaluation
assumptions. This sample comprised 143 male The assessment of reliability and validity
respondents and 78 female respondents, is a critical step in validating a measurement
indicating a somewhat skewed gender model. In this study, we rigorously examined the
distribution. The majority of participants, model fit measurements, reliability and validity
constituting 52.5% of the sample, fell within the of our measurement model by assessing
age range of 26 to 35 years. Additionally, 29.9% construct reliability, using composite reliability
were aged between 36 and 45 years, while the (CR), average variance extracted (AVE),
remaining 17.6% were between 20 and 25 years maximum shared variance (MSV), and
old. It's important to note that no data errors maximum variance extracted (MaxR(H)). The
were identified that could introduce gender or results confirmed high internal consistency,
age bias. In terms of educational attainment, the convergent validity, and discriminant validity
majority of respondents (75.6%) held a bachelor's across all constructs. These findings demonstrate
degree, followed by 19.9% with a master's the robustness of the measurement model,
degree, and 4.5% with a college diploma, thereby affirming its suitability for assessing
indicating a well-educated participant group latent constructs in the studied population. A
capable of understanding and adhering to visual representation of the measurement model
organizational information security policies. is presented in Figure 2.
Further analysis based on respondents'
computer experience revealed that 56.6%
reported having good computer experience,
SINET: Ethiop. J. Sci.,47(1), 2024 25

Figure 2: The Proposed Measurement Model

In structural equation modelling Tilahun The model's fit assessment yielded these
and Tibebe (2017), assessing goodness of fit results: CMIN = 815.11, CMIN/DF = 2.245,
involves several categories of fit indices: absolute RMSEA = 0.048, indicating a close fit.
(e.g., Chi-square, RMSEA, RMSR, SRMR), Incremental fit indices (CFI, IFI, TLI, NFI, RFI) all
incremental (e.g., CFI, NFI, TLI, IFI), relative exceeded 0.9, indicating a robust fit. Parsimony
(RFI), and parsimonious (e.g., PCFI, PRATIO, fit indices (PCFI, PNFI, PRATIO) neared 1,
PNFI). Hair Jr et al.'s (2017) recommend using a striking a balance between fit and complexity.
subset of three or four fit indices: chi-square, at These results affirm the model's compatibility
least one incremental, and at least one absolute with the data and its ability to provide insights
fit index for a well-rounded assessment. into variable relationships.

Table 2. Goodness of Fit Statistics for the Model.

Absolute Fit Index Incremental Fit Index Parsimony Fit Index

CMIN 815.11 CFI .958 PCFI .857
DF 363 IFI .958 PNFI .829
CMIN/DF 2.245 TLI .953 PRATIO .894
RMSEA 0.048 RFI .918
PClose 0.825 NFI .927
SRMR 0.037

The results, as summarized in Table 2, threshold of 0.50 (Straub et al., 2004).

are as follows: Composite Reliability (CR) the Discriminant Validity (MSV and MaxR(H)): The
assessment revealed that all constructs exhibited analysis of MSV values, ranging from 0.138 to
acceptable levels of internal consistency, with CR 0.279, indicated a lack of substantial overlap
values ranging from 0.878 to 0.927 in line with among the constructs, confirming discriminant
Hair Jr et al. (2017)guidelines. This indicates the validity.
model's ability to consistently measure each Additionally, all MaxR(H) values were
construct. Convergent Validity (AVE) the AVE below the corresponding AVE values, thereby
value, ranging from 0.576 to 0.706, demonstrated strengthening the case for convergent validity.
that each constructswas above the recommended Correlation Matrix: The correlation coefficients
26 Kibrom Ejigu etal.

presented in Table 1 between the constructs were underscore the robustness and reliability of the
all found to be below the AVE values, providing measurement model. All constructs exhibited
further evidence of discriminant validity, in high composite reliability, convergent validity,
accordance with the principles outlined byHair Jr and discriminant validity, thereby affirming the
et al. (2017).The results of the validity analysis model's quality.

Table 3. Reliability and Validity Test Result.

CR AVE MSV MaxR(H) Innovative Effectiveness Consistency Cooperati ISP

ness veness Complia
nce

Innovativeness 0.892 0.582 0.138 0.903 0.763

Effectiveness 0.890 0.576 0.262 0.897 0.216*** 0.759

Consistency 0.927 0.679 0.279 0.930 0.240*** 0.512*** 0.824

Cooperativeness 0.925 0.606 0.199 0.927 0.318*** 0.379*** 0.446*** 0.778

ISP 0.878 0.706 0.279 0.883 0.371*** 0.385*** 0.528*** 0.304*** 0.840
Compliance

The Structural Model Evaluation statistics(Hair Jr et al., 2017), furnish valuable

The next step in SEM analysis is to insights into the model's overall fit,
conduct statistical tests of hypotheses and verify improvements over a baseline model, and model
the structural model's validity. In Table 4, we can parsimony. Absolute fit indices encompass
see how well the statistical model passed the degrees of freedom (DF), Chi-square statistic
SEM test. The R-squared value and the (CMIN), Chi-square divided by degrees of
regression weight analysis can be found in freedom (CMIN/DF), root mean square error of
Tables 5 and 6, respectively. Several types of fit approximation (RMSEA), and standardized root
indices are used to determine whether or not a mean square residual (SRMR).
structural equation model Tilahun and Tibebe The CMIN value, at 815.11, is associated
(2017)is plausible. These include absolute (e.g., with 363 degrees of freedom. The CMIN/DF
Chi-square, RMSEA, SRMR) and incremental ratio, at 2.24, falls within the recommended
(e.g., CFI, TLI, NFI), relative (RFI), and range of 1 to 3, signifying a good fit. The
parsimonious (e.g., PCFI, PRATIO, PNFI) fit RMSEA, measuring 0.048, is below the suggested
indices. For a thorough evaluation, Hair Jr. et al. threshold of 0.06, indicating a robust model fit.
(2017) suggest using a combination of three or The SRMR, with a value of 0.037, is also below
four fit indices, including the chi-square, at least the recommended threshold of 0.08, denoting
one incremental, and at least one absolute fit excellent fit. Consequently, the model
index. demonstrates an excellent fit, providing valuable
In our study, these measures are categorized into insights into model performance. The results
three types: absolute fit indices, incremental fit affirm the model's strong fit and its ability to
indices, and parsimony fit indices, adhering to elucidate relationships among variables within
established criteria for each measure. These the model.
criteria, formulated by experts in the field of

Table 4. Model Fit indices for the structural model.

Absolute Fit Index Incremental Fit Index Parsimony Fit Index

CMIN 815.11 CFI .958 PCFI .857
DF 363 IFI .958 PNFI .829
CMIN/DF 2.24 TLI .953 PRATIO .894
RMSEA 0.048 RFI .918
PClose 0.825 NFI .927
SRMR 0.037
SINET: Ethiop. J. Sci.,47(1), 2024 27

The output presented in Table 5 strongly support the research hypotheses and
showcases the standardized regression weights objectives.
between latent constructs and their respective The analysis of standardized regression
observed variables, providing compelling weights between latent constructs and their
grounds for the research. The regression weights corresponding observed variables is a
offer crucial insights into the strength and fundamental aspect of SEM. Such an analysis
direction of the relationships investigated, serves as a cornerstone for evaluating the
underscoring the significance of the research robustness of relationships within the model,
findings. The regression weights reveal shedding light on the strength and direction of
substantial and consistent associations between these connections. The significance of this
the latent constructs and their observed analysis lies in its potential to validate research
variables. For instance, the regression weights findings and contribute to a deeper
between innovativeness (INNO) and its observed understanding of the phenomena under
variables (INNO_1, INNO_2, INNO_3, INNO_4, investigation. In this study, we delve into the
INNO_5, and INNO_6) consistently range intricate web of relationships between latent
from.722 to.837. This indicates a robust and constructs and their observed indicators,
positive relationship between innovativeness emphasizing the importance of these connections
and its indicators, implying that higher levels of in our research. Through the examination of
innovativeness correspond to higher scores on standardized regression weights, we aim to
the observed variables. Likewise, the uncover consistent and substantial associations,
relationships between effectiveness (EFFE) and which hold the key to unravelling our research's
its observed variables (EFFE_1, EFFE_2, EFFE_3, implications.
EFFE_4, EFFE_5, and EFFE_6) demonstrate To illustrate the significance of this
consistent positive associations, with regression analysis, the output in Table 5 presents
weights ranging from.755 to.822. standardized regression weights between latent
This consistent pattern validates the constructs and their corresponding observed
relationship between effectiveness and its variables, emphasizing the research's
indicators, offering valuable insights into the significance. These regression weights offer
research question. Furthermore, the relationships essential insights into the strength and direction
between consistency (CONS) and its observed of the relationships under investigation,
variables (CONS_1, CONS_2, CONS_3, CONS_4, underscoring the research findings' importance.
CONS_5, and CONS_6) display a strong positive Notably, the consistent and substantial
connection, with regression weights ranging associations between latent constructs and their
from.759 to.881. This consistent pattern further observed variables are evident. For example,
supports the robustness of the relationship innovativeness (INNO) exhibits robust and
between consistency and its indicators, positive relationships with its indicators
providing compelling evidence for the research's (INNO_1, INNO_2, INNO_3, INNO_4, INNO_5,
objectives. Similarly, the associations between INNO_6), with regression weights consistently
cooperativeness (COOP) and its observed ranging from.722 to.837. Similarly, effectiveness
variables (COOP_1, COOP_2, COOP_3, (EFFE) displays consistent positive relationships
COOP_4, COOP_5, COOP_6, COOP_7, and with its observed variables (EFFE_1, EFFE_2,
COOP_8) consistently exhibit positive EFFE_3, EFFE_4, EFFE_5, EFFE_6), featuring
relationships, with regression weights ranging regression weights ranging from.755 to.822.
from.717 to.813. These patterns validate the relationships
These findings reinforce the validity of between latent constructs and their indicators,
the relationship between cooperativeness and its offering valuable insights into the research
indicators, contributing to the understanding of question. Furthermore, the strong positive
the research area. Moreover, the relationship connections between consistency (CONS) and its
between ISP compliance (INT) and its observed observed variables (CONS_1, CONS_2, CONS_3,
variables (INT_1, INT_2, and INT_3) CONS_4, CONS_5, CONS_6) are evident, with
demonstrates a strong positive association, with regression weights ranging from.759 to.881.
regression weights ranging from.811 to.881. This These consistent findings support the
finding provides valuable insights into the relationship between consistency and its
relationship between ISP compliance and its indicators, providing compelling evidence for
indicators, contributing to the knowledge base in the research's objectives. The positive
the field. The consistent and significant associations between cooperativeness (COOP)
regression weights presented in the analysis and its observed variables (COOP_1, COOP_2,
28 Kibrom Ejigu etal.

COOP_3, COOP_4, COOP_5, COOP_6, COOP_7, weights ranging from.811 to.881, provides
COOP_8) also reinforce the validity of this valuable insights into the relationship between
relationship, contributing to a deeper ISP compliance and its indicators, further
understanding of the research area. Moreover, enriching the field's knowledge base. These
the strong positive association between ISP consistent and significant regression weights
compliance (INT) and its observed variables strongly affirm the research hypotheses and
(INT_1, INT_2, INT_3), featuring regression objectives.

Table 5. Factor Loadings.

Standardized Regression Weights Estimate

INNO_6 <--- Innovativeness .722
INNO_5 <--- Innovativeness .744
INNO_4 <--- Innovativeness .723
INNO_3 <--- Innovativeness .828
INNO_2 <--- Innovativeness .800
INNO_1 <--- Innovativeness .837
EFFE_6 <--- Effectiveness .822
EFFE_5 <--- Effectiveness .798
EFFE_4 <--- Effectiveness .767
EFFE_3 <--- Effectiveness .795
EFFE_2 <--- Effectiveness .755
EFFE_1 <--- Effectiveness .773
CONS_6 <--- Consistency .759
CONS_5 <--- Consistency .881
CONS_4 <--- Consistency .832
CONS_3 <--- Consistency .825
CONS_2 <--- Consistency .812
CONS_1 <--- Consistency .831
COOP_8 <--- Cooperativeness .754
COOP_7 <--- Cooperativeness .810
COOP_6 <--- Cooperativeness .773
COOP_5 <--- Cooperativeness .813
COOP_4 <--- Cooperativeness .791
COOP_3 <--- Cooperativeness .827
COOP_2 <--- Cooperativeness .735
COOP_1 <--- Cooperativeness .717
INT_3 <--- ISP_Compliance .811
INT_2 <--- ISP_Compliance .881
INT_1 <--- ISP_Compliance .827

The squared multiple correlations (R- suggests that the independent variables in the
squared) are a statistic used in regression model explain a larger proportion of the variance
analysis to measure the proportion of the in the dependent variable, while a lower R-
variance in the dependent variable that is squared value suggests that the model is not a
predictable from the independent variables. good fit for explaining the variation in the
Table 6, the R-squared value for the variable dependent variable.
"ISP_Compliance" is 0.354, which means that
approximately 35.4% of the variance in the Table 6. Squared Multiple Correlations.
dependent variable can be explained by the
independent variables in the regression model. Estimate
This value indicates the goodness of fit of the ISP_Compliance .35

regression model. A higher R-squared value

SINET: Ethiop. J. Sci.,47(1), 2024 29

Figure 3. Goodness of Fit Statistics for the structural model.

Hypotheses Testing influence on employees' ISP compliance

Our first hypothesis (H1) postulated a intentions.
positive relationship between consistency culture Our third hypothesis 3, (H3), suggested
and employees' intentions toward ISP a positive relationship between effectiveness
compliance. As depicted in Table 7, the path culture and employees' intentions toward ISP
coefficient (β) is 0.377, with a t-value of 7.541, compliance. Table 7 presents a path coefficient
and the p-value of less than 0.001. These (β) of 0.101, a t-value of 2.513, and a p-value of
statistical results support H1, with a p-value 0.012, all indicating robust statistical support for
below 0.05, demonstrating statistical significance. H3. This confirms that effectiveness culture have
This affirms that consistency culture positively a substantial positive impact on employees' ISP
influence on employees' ISP compliance compliance intentions.In relation to Hypothesis 4
intentions. The standardized estimate reinforces (H4), the empirical examination presented in
this relationship (H1: β = 0.377; t-value = 7.541; p Table 7 reveals that the influence of
< 0.001).Hypothesis 2 (H2) proposed a positive cooperativeness culture on employees
relationship between the innovativeness culture compliance intention is not statistically
and employees' intentions toward ISP significant (H4: β= -0.004, t-value = -0.088,
compliance. The results in Table 7 reveal a path P=0.930). Thus, we can conclude that H4 is
coefficient (β) of 0.267, a t-value of 5.396, and a p- rejected, suggesting that the presence of an
value of 0.001. These findings strongly support innovativeness culture does not have a
H2, with a p-value well below the significance substantial enhancing effect on employees
threshold. This demonstrates that the compliance intention.
innovativeness culture indeed exerts a positive

Table 7. Hypotheses results of the structural model.

Hypothesized Relationship Standardize Estimate t-value P-value Decision

ISP_Compliance <--- Consistency .377 7.541 *** Supported
ISP_Compliance<---Innovativeness .267 5.396 *** Supported
ISP_Compliance <--- Effectiveness .101 2.513 .012 Supported
ISP_Compliance<---Cooperativeness -.004 -.088 .930 Not supported
30 Kibrom Ejigu etal.

Consistency .377
.267
Innovativeness
.101 ISP compliance
R2= .354
Effectiveness -.004

Figure s
Cooperativenes 4. Research Model with empirical values
Note: -*P<0.05, **P<0.01, ***P<0.001
s

how culture influences behaviour across

DISCUSSION different organizational levels. To enhance policy
compliance, organizations should explore
Organizational culture's impact on organizational culture's influence on information
employee compliance with information security security policies. The initial step to achieving
policy is a critical concern. A consistent information security compliance involves
organizational culture significantly influences assessing cultural prerequisites for ISP.
compliance, emphasizing the need for Subgroups within an organization may share
organizations to foster a culture that values common cultural dimensions but also develop
consistent policy implementation. Clear and unique sub-cultures, collectively influencing the
uniform policies and procedures are crucial to overall culture. In summary, organizations must
ensure employees understand and adhere to strike a balance between culture and compliance,
them. Managers play a pivotal role as role shifting their culture to prioritize compliance and
models, influencing compliance by providing align it with strategic objectives to maintain a
resources. Innovation culture, characterized by secure and compliant environment.
creativity, experimentation, and adaptability, is
the second most influential factor, contributing
26.7% to compliance. Organizations must CONCLUSION
balance innovation and compliance, empowering
employees to innovate responsibly while This study, employed survey data and structural
emphasizing information security. Effectiveness equation modelling to examine the relationships
culture, contributing 10.1% to compliance, between organizational culture and information
emphasizes results and high-quality outcomes. security compliance. The aim was to identify the
However, organizations must not undervalue elements of organizational culture influencing
information security and compliance in their employee compliance with information security
pursuit of results. Employees should prioritize policies. The study identified four dimensions of
compliance alongside their goals. organizational factors: consistency,
As proposed byErnest Chang (2007), innovativeness, cooperativeness, and
information security's evolution involves effectiveness. The results indicated that all
technical, management, and institutionalization factors, except cooperativeness, positively
aspects. Top management's involvement in influenced employee compliance with ISP.
policy development is crucial. Organizations aim Consistency emerged as the primary influencer,
to foster an organizational culture that makes followed by innovativeness, while effectiveness
information security an integral part of every had a comparatively lower impact. The existing
employee's tasks. Compliance with information literature lacks a comprehensive theory for
security policies can be facilitated by information analysing information security compliance.
security managers. Organizations are urged to This research contributes to theoretical
adopt an integrated approach that combines knowledge by adopting an organizational
policy and organizational culture aspects. The culture perspective to explore factors affecting
efficiency of information security policy depends employee behaviour concerning information
on the internal organizational culture shared by security compliance. Additionally, the study
all employees at all levels.Vroom and von Solms validates the data collection tools used to
(2004)merge organizational behaviour levels measure different dimensions of organizational
with Schein (1983)culture model, illustrating culture factors related to information security
SINET: Ethiop. J. Sci.,47(1), 2024 31

compliance. The study presents a novel model rationality-based beliefs and information
that uses CVF to explore organizational cultural security awareness. MIS quarterly, 523-548.
impacts on employee compliance with 8. Cardoso, A. C. H. and Ramos, I. (2012). Looking at the
information security policies. The research past to enrich the future: A reflection on Klein
and Myers’ quality criteria for interpretive
adopts an individual-level approach, addressing
research.
concerns of oversimplification and enriching the
9. Cram, W. A., et al. (2017). Organizational
field of information system security research.
information security policies: a review and
The study has limitations. It focused on a research framework. European Journal of
single organization in a specific country, limiting Information Systems, 26, 605-641.
the generalizability of findings to other 10. De Witte, K. and Van Muijen, J. J. (1999).
organizations and countries. Measuring Organizational culture. European Journal of
employees' intentions rather than their actual work and organizational psychology, 8(4), 497-
behaviour is another limitation, though 502.
intentions are typically associated with actual 11. Di Stefano, G., et al. (2019). The effect of
behaviour. Future research recommendations organizational culture on deviant behaviors
include conducting similar studies in diverse in the workplace. The International Journal of
geographic contexts for comparative analysis. Human Resource Management, 30(17), 2482-
Moreover, the research model, which explained 2503.
only 35% of the variation in ISP compliance, can 12. Edwards, M. L., et al. (2014). An experimental test
benefit from the incorporation of additional of the effects of survey sponsorship on
internet and mail survey response. Public
technical and individual factors to enhance
Opinion Quarterly, 78(3), 734-750.
predictive power. The study intends to expand
13. Ejigu, K. T., et al. (2021). Investigating the Impact of
in the future by considering these supplementary
Organizational Culture on Information Security
factors to create a more comprehensive model for Policy Compliance: The Case of Ethiopia. Paper
understanding factors influencing employee presented at the Americas Conference on
behaviour regarding information security Information Systems.
compliance. 14. Ernest Chang, S. (2007). Exploring organizational
culture for information security management.
Industrial Management & Data Systems, 107(3),
REFERENCES 438-458. doi:10.1108/02635570710734316
15. Ernest Chang, S. and Lin, C. S. (2007). Exploring
1. Alotaibi, M., et al. (2016). Information security policies: organizational culture for information
A review of challenges and influencing factors. security management. Industrial Management
Paper presented at the 2016 11th & Data Systems, 107(3), 438-458.
International Conference for Internet 16. Goodman, E. A., et al. (2001). The competing
Technology and Secured Transactions values framework: Understanding the impact
(ICITST). of organizational culture on the quality of
2. Amankwa, E., et al. (2018). Establishing information work life. Organization Development Journal,
security policy compliance culture in 19(3), 58.
organizations. Information & Computer 17. Hair Jr, J. F., et al. (2017). PLS-SEM or CB-SEM:
Security. updated guidelines on which method to use.
3. Antoniou, G. S. (2015). Designing an effective International Journal of Multivariate Data
information security policy for exceptional Analysis, 1(2), 107-123.
situations in an organization: An experimental 18. Hu, Q., et al. (2012). Managing Employee
study. Nova Southeastern University, Compliance with Information Security
4. Arage, T., et al. (2015). Influence of national culture Policies: The Critical Role of Top
on employees’ compliance with information Management and Organizational Culture.
systems security (ISS) policies: towards ISS Decis. Sci., 43, 615-660.
culture in Ethiopian companies. 19. Ifinedo, P. (2014). Information systems security
5. Assefa, T. (2021). Factors influencing information policy compliance: An empirical study of the
security compliance: an institutional effects of socialisation, influence, and
perspective. SINET: Ethiopian Journal of cognition. Information & Management, 51(1),
Science, 44(1), 108-118. 69-79.
6. Bryan, L. L. (2020). Effective information security 20. Jin, K. G. and Drozdenko, R. G. (2010).
strategies for small business. International Relationships among perceived
Journal of Cyber Criminology, 14(1), 341-360. organizational core values, corporate social
7. Bulgurcu, B., et al. (2010). Information security responsibility, ethics, and organizational
policy compliance: an empirical study of performance outcomes: An empirical study
32 Kibrom Ejigu etal.

of information technology professionals. 32. Stafford, T., et al. (2018). The role of internal audit
Journal of business ethics, 92, 341-359. and user training in information security
21. Kakkar, H. and Sivanathan, N. (2022). The impact policy compliance. Managerial Auditing
of leader dominance on employees’ zero-sum Journal, 33(4), 410-424.
mindset and helping behavior. Journal of 33. Tadesse, K., et al. (2021). Influence of
Applied Psychology, 107(10), 1706. Organizational Culture on Employees’
22. Karjalainen, M., et al. (2013). One size does not fit Compliance with Information Security Policy:
all: different cultures require different Ethiopian and Finland Companies.
information systems security interventions. 34. Tang, M., et al. (2016). The impacts of
23. Karlsson, M., et al. (2022). The effect of perceived organizational culture on information
organizational culture on employees’ security culture: a case study. Information
information security compliance. Information Technology and Management, 17, 179-186.
& Computer Security, 30(3), 382-401. 35. Tarafdar, M., et al. (2014). The dark side of
24. Kim, D. and Solomon, M. G. (2016). Fundamentals of information technology. MIT Sloan
Information Systems Security: Print Bundle: Management Review.
Jones & Bartlett Learning. 36. Tilahun, A. and Tibebe, T. (2017). Influence of
25. Kothari, C. R. (2004). Research methodology: Methods national culture on employees’intention to
and techniques: New Age International. violate information systems security policies:
a national culture and rational choice theory
26. Kumar, R. (2018). Research methodology: A step-by-
perspective.
step guide for beginners: Sage.
37. Vance, A., et al. (2020). Effects of sanctions, moral
27. Mohajan, H. K. (2020). Quantitative research: A
beliefs, and neutralization on information
successful investigation in natural and social
security policy violations across cultures.
sciences. Journal of Economic Development,
Information & Management, 57(4), 103212.
Environment and People, 9(4), 50-79.
38. Von Solms, B. (2006). Information security–the
28. O’Neill, D., et al. (2021). Leadership and
fourth wave. Computers & Security, 25(3), 165-
community healthcare reform: a study using
168.
the Competing Values Framework (CVF).
Leadership in Health Services, 34(4), 485-498. 39. Vroom, C. and von Solms, R. (2004). Towards
information security behavioural compliance.
29. Schein, E. H. (1983). Organizational culture: A
Computers & Security, 23(3), 191-198.
dynamic model.
doi:10.1016/j.cose.2004.01.012
30. Siponen, M., et al. (2010). Compliance with
40. Xu, H., et al. (2019). Earnings management in firms
information security policies: An empirical
with data security breaches. Journal of
investigation. Computer, 43(2), 64-71.
Information Systems, 33(3), 267-284.
31. Solomon, G. and Brown, I. (2021). The influence of
41. Zeb, A., et al. (2021). The competing value
organisational culture and information
framework model of organizational culture,
security culture on employee compliance
innovation and performance. Business process
behaviour. Journal of Enterprise Information
management journal.
Management, 34(4), 1203-1228.