School of Business publications portal
This portal is no longer updated. Aalto University School of Business Master's Theses are now in the Aaltodoc publication archive (Aalto University institutional repository)
School of Business | Department of Management Studies | MSc program in Corporate Communication | 2015
Thesis number: 13918
The role of internal communication in preventing employees' information security policy noncompliance
Author: Korpela, Pekka
Title: The role of internal communication in preventing employees' information security policy noncompliance
Year: 2015  Language: eng
Department: Department of Management Studies
Academic subject: MSc program in Corporate Communication
Index terms: viestintä; communication; yritysviestintä; business communication; pankit; banks; tietosuoja; data security; Suomi; Finland
Pages: 111
Key terms: tietosuoja; information security; tietosuojasäädökset; information security policy; ISP; tietosuojasääntörikkomukset; information security policy noncompliance; yritysviestintä; corporate communication; sisäinen viestintä; internal communication; finanssiala Suomessa; Finnish financial industry; liikepankit; commercial banks
Objective of the study:

The present study was triggered by the lack of research on the human factor of information security and the on-going digital transition that continues to alter employee behaviour. The objective of the study was to assess the relationship between internal communication and ISP noncompliance, and to identify the extent to which the occurrences of ISP noncompliance in a Finnish commercial bank could be prevented by enhancing the internal communication practices of the bank.

Methodology and the theoretical framework:

The study exploited a qualitative methodology, using a case study approach to research the topic. The empirical data was collected by conducting five semi-structured interviews with the case company employees to gain knowledge about the reasons behind the employees' ISP noncompliance, and about the internal communication practices of the case company. Secondary data consisted of the bank's internal material, and assisted in identifying the contents of the bank's ISP. The data analysis was based on the theoretical framework that was largely built on the previous literature. The framework focused on the factors of information security policy noncompliance and internal communication.

Findings and conclusions:

The findings implied that the reasons behind the employees' ISP noncompliance are manifold, but the most prevalent ones were work-related stress, employees' attitudes, and colleagues' expectations. Moreover, the findings indicated that the case company manages the ISP communication rather well. However, the bank could prevent certain noncompliance incidents or decrease their number by enhancing management communication to increase employee engagement and to bring the ISPs more on the foreground, and by improving the consistency of the ISP communication.
Master's theses are stored at Learning Centre in Otaniemi.