Determining critical success factors of information security knowledge towards organisations’ information security effectiveness

It is very difficult to achieve information security effectiveness in an organisation when the biggest problem stems from people factor. The lack of awareness and understanding of information security knowledge (ISK) coupled with the lack of security awareness on security behaviour amongst employees; are the top contributing factors towards internal security incidents. No matter how great the technology, which is applied in the organisation, if the employees still retain their non-secure behaviour in the organisation, not only it will jeopardise their own self but the whole organisation as well. Therefore, it is important to continuously educate people in the organisation in managing these types of incidents and guide them towards appropriate behaviour and practice in their daily work routines. This thesis seeks to investigate the critical success factors of ISK in Malaysian public sector organisation (MPSO). Through systematic literature review (SLR), this thesis proposes five critical success factors of ISK that affect the organisations’ information security effectiveness. These critical success factors are knowledge, employee behaviour, knowledge sharing, motivation, and protection of information. In addition, through SLR, this thesis highlights the role of leadership as a moderating factor amongst the critical success factors of ISK and organisations’ information security effectiveness. Self-administered questionnaire is employed to collect data from Information and Communication Technology (ICT) division in several organisations in the Malaysian public sector. The research model is then developed and tested using partial least square (PLS) technique. SPSS 22 and SMART PLS 2.0M3 are used to validate the research model and test the proposed research hypotheses. Based on the findings, the organisations’ information security effectiveness was influenced positively by knowledge (β=0.092, t=2.028, p<0.05), employee behaviour (β=0.091, t=1.734, p<0.1), motivation (β=0.108, t=2.261, p<0.05) and protection of information (β = -0.119, t = 2.283, p < 0.05). However, knowledge sharing did not positively impact the organisations’ information security effectiveness (β = 0.001, t = 0.023, p<0.1). It was also found that leadership moderated the relationship between employee behaviour and organisations’ information security effectiveness (β=0.167, t=1.904, p<0.1), knowledge sharing and organisations’ information security effectiveness (β=0.146, t=2.390, p<0.05), motivation and organisations’ information security effectiveness (β=0.163, t=4.993, p<0.01), and lastly protection of information and organisations’ information security effectiveness (β=0.123, t=3.259, p<0.01). However, the finding showed that leadership did not moderate the relationship between knowledge and organisations’ information security effectiveness (β= 0.151, t=1.110, p<0.1). This research provides a conceptual model of ISK which is the main contribution of this research that can be a used as a guideline to MPSO operations (includes security practices) towards achieving organisations’ information security effectiveness.