dc.description.abstract | Insider threat to information security is increasingly becoming a challenge to information security
managers. One of the biggest challenges is not a lack of strong and robust policies, but that of ensuring
full, or the highest possible rate of, compliance with the policies. This is further compounded by the threats posed by
insiders who have unfettered access to information systems assets. It is no surprise then that despite
heavy investments in ensuring information security infrastructure, institutions still face the highest rates
of information security breaches. Numerous studies have been conducted to provide insights and models
on information security mitigations. However, very few studies have considered the policy compliance
culture phenomenon. Among those that have adopted a mixed-methods approach, none of the
scholarly studies has used grounded theory methods. The overall objective was to establish the
relationship existing between organizational culture and information security compliance culture. As
part of the specific objectives, the study intended to: 1) explore the relationship that exists between
organizational culture and the actual information security compliance culture in universities in Kenya,
2) explain the relationship that exists between organizational culture and the actual information security
compliance culture in universities in Kenya through theory generation, and 3) validate the theoretical
model that predicts information security compliance culture.
The study employed an exploratory sequential mixed-method research design. This followed the
QUAL-Quan principles. The population of this study was the universities in Kenya. The study was
divided into two phases, namely the model development phase and the model validation phase. The
model development phase was designed to achieve two objectives, namely exploring the factors that
impact information security compliance culture and explaining the relationships between the emerging
factors and information security compliance culture through theory generation. The model validation
phase was designed to test and validate the emergent theory through a semi-structured questionnaire.
The model development phase adopted a grounded theory methodology while the model validation
phase adopted the survey questionnaire approach.
The resulting theory was analysed and discussed in terms of model development and model validation.
In the model development phase, several themes emerged which, upon consolidation, were grouped into
4 main thematic groupings, namely demographic-oriented themes, organizational-oriented themes,
individual-oriented themes, and information security compliance culture-oriented themes. The
organizational-oriented themes were further sub-grouped into the organizational-level factors and
moderating factors. The same was also done for individual-oriented themes to generate the individual-level
factors and the factors moderating the individual-level factors. The study thereafter generated a
theoretical model that explained a relationship between organizational initiatives, independent
behavioral trends, management support, individual demographic interventions, and external
organizational interventions towards information security compliance culture (ISCC). The model
validation phase produced findings that supported the emergent theoretical model by having factor
loadings that significantly supported the model among other parameters that were tested.
The study's main contribution is a theoretical model, which is highlighted based on the model
developed in phase one and the validated theoretical model. The model can be adapted by future researchers
interested in covering information security compliance studies. The other contribution that this study
makes is a methodological one, which is discussed in terms of the efficiency of the
procedures this study adopted. Further, the application of mixed methods as adopted in this
study will provide insights for future information systems researchers to consider when deciding on how
to conduct behavioral-related studies. In terms of practice, the emergent theoretical model will be
beneficial to practitioners in formulating checklists geared towards strengthening information security
compliance regimes within their policy directions. This study is important because it provides a
theoretical direction and methodological directions for future exploration of information security-related
studies.
Keywords: Insider Threats, Information Security, Compliance Culture, Mixed Methods, Grounded
Theory | en_US |