Issue link: https://insights.oneneck.com/i/1476862
29 The 7 dimensions of security culture Compliance The knowledge of written security policies and the extent that employees follow them. There is an abundance of scientific and professional research of information security compliance. This is not surprising as it is assumed that non-compliance to information security standards and policies is one of the main human-related reasons for security breaches in organizations 63 . Information security compliance ensures that information security mechanisms implemented in an organization work together effectively to protect the critical information 64 . It is considered to be an institutional yardstick to show that adequate steps have been taken to protect organizational information 65 . Enforcing information security compliance is a complex security culture issue 66 . Compliance includes many organizational processes. First of all, compliance assumes existence of information security policies (ISPs). Usually presented as a document, ISPs are a set of rules, regulations, laws and practices that state how assets in the system including sensitive information are managed, protected, shared and distributed accurately without any type of loss 67 . These policies typically describe the acceptable use of computer resources, the responsibilities regarding information security, and also the type of training that employees should have and the consequences of security policy violation. Usually the main purpose of ISPs are to illustrate the employees' security responsibilities and roles and to describe procedures that should be followed to avoid the security risks 68 . They define a set of security rules and responsibilities of the employees to safeguard the information and technology resources of their organizations 69 . These policies must address the management, protection, and resources associated with the information and the Information Systems. Compliance is not just about the existence of an adequate document, complied to by the employees, but also involves processes of communication, cooperation and coordination, so that the policies are adequately implemented and adhered to at all organizational levels. Adoption of information security compliance in organizations involves 70 : (a) Implementation of effective and balanced information security measures and mechanisms. (b) Compliance with legal and security requirements and expectations of organizations. (c) Maintaining both employees' and stakeholders' confidence and trust in the security. Having a well-documented set of policies and procedures is not, by itself, good enough to deter information security breaches 71 . It is imperative to define and understand factors that motivate and enhance employees' compliance with ISPs. Nowadays a number of different approaches exist that aim to identify the main factors of information security compliance in organizations. The most commonly used approach is that of the Theory of Planned Behavior 72 . There are also other