The role of internal communication in preventing employees' information security policy noncompliance

School of Business | Master's thesis
Ask about the availability of the thesis by sending email to the Aalto University Learning Centre
MSc program in Corporate Communication
Objective of the study: The present study was triggered by the lack of research on the human factor of information security and the ongoing digital transition that continues to alter employee behaviour. The objective of the study was to assess the relationship between internal communication and information security policy (ISP) noncompliance, and to identify the extent to which the occurrences of ISP noncompliance in a Finnish commercial bank could be prevented by enhancing the internal communication practices of the bank.

Methodology and the theoretical framework: The study used a qualitative methodology with a case study approach. The empirical data was collected by conducting five semi-structured interviews with the case company employees to gain knowledge about the reasons behind the employees' ISP noncompliance, and about the internal communication practices of the case company. Secondary data consisted of the bank's internal material, and assisted in identifying the contents of the bank's ISP. The data analysis was based on the theoretical framework, which was largely built on the previous literature. The framework focused on the factors of information security policy noncompliance and internal communication.

Findings and conclusions: The findings implied that the reasons behind the employees' ISP noncompliance are manifold, but the most prevalent ones were work-related stress, employees' attitudes, and colleagues' expectations. Moreover, the findings indicated that the case company manages the ISP communication rather well. However, the bank could prevent certain noncompliance incidents or decrease their number by enhancing management communication to increase employee engagement and to bring the ISPs more to the foreground, and by improving the consistency of the ISP communication.
information security, information security policy, ISP, information security policy noncompliance, corporate communication, internal communication, Finnish financial industry, commercial banks