Abstract
Background: To ensure effective IS security, fostering compliance behaviors among civil servants is essential. Sanctions and training are widely recommended managerial strategies to enhance IS security policy compliance. However, research on their effectiveness has yielded mixed results, with some studies even questioning their impact. Additionally, while cybersecurity is increasingly vital for public organizations, most research on IS security compliance has focused on the private sector, where organizational cultures differ significantly from those of public institutions, potentially affecting compliance behaviors. This study aims to empirically analyze the influence of sanctions and training on public employees' perceptions of IS security policy compliance in the context of public institutions in a developing country.
Method: To address response bias, we conducted a vignette experiment with a unique set of 1,321 civil servants in Kyrgyzstan. We applied the Deterrence Theory and the Theory of Planned Behavior to discuss the effects of sanctions and training on IS security policy compliance among civil servants.
Results: Findings revealed that civil servants perceive that both the use of sanctions and training positively affect their intentions to comply with IS security policies, confirming the effectiveness of these approaches. In addition, our analysis examined the possible heterogeneity across the respondents’ demographic characteristics. Female respondents, along with individuals belonging to the younger generation and those with less work experience, a high-ranked position, high confidence in computer skills, and high public service motivation, perceived civil servants as sensitive to imposed sanctions.
Conclusion: First, public leaders should prioritize IS security by budgeting specifically for comprehensive training, ensuring public employees understand security policies, risks, and compliance procedures. Second, public organizations should establish certain and severe sanctions, ensuring that these penalties are consistently enforced when security policies are breached. Third, it is advisable to periodically review and update sanction policies to ensure their effectiveness and relevance.
Recommended Citation
Isaeva, Elvira; Seki, Mai; and Kakinaka, Makoto, "Information System Security Policy Noncompliance: Effects of Sanctions and Training in Public Organizations" (2025). PAJAIS Preprints (Forthcoming). 43.
https://aisel.aisnet.org/pajais_preprints/43