Aaltodoc publication archive (Aalto University institutional repository)
School of Business | Department of Management Studies | MSc program in Corporate Communication | 2015
Thesis number: 13918
The role of internal communication in preventing employees' information security policy noncompliance
|Title:||The role of internal communication in preventing employees' information security policy noncompliance|
|Year:||2015|
|Language:||eng|
|Department:||Department of Management Studies|
|Academic subject:||MSc program in Corporate Communication|
|Index terms:||viestintä; communication; yritysviestintä; business communication; pankit; banks; tietosuoja; data security; Suomi; Finland|
|Key terms:||tietosuoja; information security; tietosuojasäädökset; information security policy; ISP; tietosuojasääntörikkomukset; information security policy noncompliance; yritysviestintä; corporate communication; sisäinen viestintä; internal communication; finanssiala Suomessa; Finnish financial industry; liikepankit; commercial banks|
Objective of the study:
The present study was triggered by the lack of research on the human factor of information security and the ongoing digital transition that continues to alter employee behaviour. The objective of the study was to assess the relationship between internal communication and ISP noncompliance, and to identify the extent to which the occurrences of ISP noncompliance in a Finnish commercial bank could be prevented by enhancing the internal communication practices of the bank.
Methodology and the theoretical framework:
The study employed a qualitative methodology, using a case study approach to research the topic. The empirical data was collected by conducting five semi-structured interviews with the case company employees to gain knowledge about the reasons behind the employees' ISP noncompliance, and about the internal communication practices of the case company. Secondary data consisted of the bank's internal material, and assisted in identifying the contents of the bank's ISP. The data analysis was based on the theoretical framework that was largely built on the previous literature. The framework focused on the factors of information security policy noncompliance and internal communication.
Findings and conclusions:
The findings implied that the reasons behind the employees' ISP noncompliance are manifold, but the most prevalent ones were work-related stress, employees' attitudes, and colleagues' expectations. Moreover, the findings indicated that the case company manages the ISP communication rather well. However, the bank could prevent certain noncompliance incidents or decrease their number by enhancing management communication to increase employee engagement and to bring the ISPs more to the foreground, and by improving the consistency of the ISP communication.
Master's theses are stored at Learning Centre in Otaniemi.