Determining Critical Success Factors of Information Security Knowledge towards Organisations' Information Security Effectiveness

It is very difficult to achieve information security effectiveness in an organisation when the biggest problem stems from people factor. The lack of awareness and understanding of information security knowledge (ISK) coupled with the lack of security awareness on security behaviour amongst employees; are the top contributing factors towards internal security incidents. No matter how great the technology, which is applied in the organisation, if the employees still retain their non-secure behaviour in the organisation, not only it will jeopardise their own self but the whole organisation as well. Therefore, it is important to continuously educate people in the organisation in managing these types of incidents and guide them towards appropriate behaviour and practice in their daily work routines.
This thesis seeks to investigate the critical success factors of ISK in Malaysian public sector organisation (MPSO). Through systematic literature review (SLR), this thesis proposes five critical success factors of ISK that affect the organisations ' information security effectiveness. These critical success factors are knowledge, employee behaviour, knowledge sharing, motivation, and protection of information. In addition, through SLR, this thesis highlights the role of leadership as a moderating factor amongst the critical success factors of ISK and organisations' information security effectiveness. Self-administered questionnaire is employed to collect data from Information and Communication Technology (JCT) division in several organisations in the Malaysian public sector.
The research model is then developed and tested using partial least square (PLS) technique. SPSS 22 and SMART PLS 2.0M3 are used to validate the research model and test the proposed research hypotheses. Based on the findings, the organisations' information security effectiveness was influenced positively by knowledge (P=0.092, t=2.028, p<0.05), employee behaviour (P=0.091, t=l.734, p<0.1), motivation (P=0.108, t=2.261, p<0.05) and protection of information (P = -0.119, t = 2.283, p < 0.05). However, knowledge sharing did not positively impact the organisations' information security effectiveness (P = 0.001, t = 0.023, p<0.l). It was also found that leadership moderated the relationship between employee behaviour and organisations' information security effectiveness (P=0.167, t=l.904, p<0.1), knowledge sharing and organisations' information security effectiveness (P=0.146, t=2.390, p<0.05), motivation and organisations' information security effectiveness (P=0.163 , t=4.993 , p<0.01), and lastly protection of information and organisations' information security effectiveness (P=0.123, t=3.259, p<0.01). However, the finding showed that leadership did not moderate the relationship between knowledge and organisations' information security effectiveness (P= 0.151, t= I. I I 0, p<0. I). This research provides a conceptual model of ISK which is the main contribution of this research that can be a used as a guideline to MPSO operations (includes security practices) towards achieving organisations' information security effectiveness.

Adalah sangat sukar untuk mencapai keberkesanan keselamatan maklumat apabila masalah yang terbesar datangnya dari faktor manusia. Kurangnya kesedaran dan kefahaman tentang pengetahuan keselamatan maklumat (ISK), dan kurangnya kesedaran keselamatan mengenai tingkah laku keselamatan di kalangan pekerja adalah faktor yang paling menyumbang kepada insiden keselamatan dalaman. Tidak kiralah betapa hebatnya teknologi yang diterapkan di dalam organisasi, sekiranya perkerja masih mengekalkan tingkah laku yang tidak selamat dalam organisasi, bukan sahaja akan membahayakan diri mereka sendiri tetapi juga kepada organisasi. Oleh itu, adalah penting untuk terus mendidik orang di dalam organisasi dalam menguruskan jenis insiden ini dan membimbing mereka ke arah tingkah laku dan amalan yang sesuai dalam rutin kerja harian mereka. Tesis ini bertujuan untuk mengkaji faktor kejayaan penting ISK dalam organisasi sektor awam Malaysia (MPSO). Melalui tinjauan literatur sistematik (SLR), penulis telah mencadangkan lima faktor kejayaan penting ISK yang mempengaruhi keberkesanan keselamatan maklumat orgarnsas1, iaitu pengetahuan, tingkah laku pekerja, perkongsian pengetahuan, motivasi, dan perlindungan maklumat. Melalui SLR, penulis mencadangkan peranan kepemimpinan sebagai faktor penyederhanaan antara faktor kejayaan kritikal keberkesanan keselamatan maklumat ISK dan organisasi. Soal selidik yang dikendalikan sendiri digunakan untuk mengumpulkan data dari bahagian JCT di sektor awam Malaysia. Model kajian kemudian diuji menggunakan Teknik partial least square (PLS). SPSS 22 dan SMART PLS 2.0M3 digunakan untuk mengesahkan model kajian dan menguji hipotesis penyelidikan yang dicadangkan. Berdasarkan hasil penemuan penyelidikan, keberkesanan keselamatan maklumat organisasi dipengaruhi secara positif oleh pengetahuan (P=0.092, t=2.028 , p<0.05), tingkah laku pekerja (P=0.091 , t=l.734, p<0.1) , motivasi (P=0.108 , t=2.261, p<0.05), dan perlindungan maklumat ( p = -0.119, t =2.283 , p< 0.05) . Hasil penemuan penyelidikan juga menunjukkan bahawa perkongsian pengetahuan tidak memberi kesan positif kepada keberkesanan keselamatan maklumat organisasi (P = 0.001 , t = 0.023, p<0.1). Hasil penemuan juga menunjukkan bahawa kepimpinan mempunyai hubungan moderasi antara tingkah laku pekerja dan keberkesanan keselamatan maklumat organisasi (P=0.167, t= l.904, p<0.l), perkongsian pengetahuan dan keberkesanan keselamatan maklumat organisasi (P=0.146, t=2.390, p<0.05), motivasi dan keberkesanan keselamatan maklumat organisasi (P=0.163 , t=4.993 , p<0.01) dan perlindungan keselamatan dan keberkesanan keselamatan maklumat organisasi (P=0.123 , t=3.259, p<0.01). Walaubagaimanapun, hasil penemuan menunjukkan bahawa kepimpinan tidak mempunyai hubungan moderasi antara pengetahuan dan keberkesanan keselamatan maklumat organisasi (P= 0.151 , t=l.110, p<0.1). Kajian ini akan membangunkan model teori ISK yang merupakan sumbangan utama kajian yang dapat menjadi garis panduan kepada MPSO semasa melakukan sebarang kerja (termasuk amalan keselamatan) ke arah keberkesanan keselamatan maklumat organisasi.