Investigating the Role of Socio-organizational Factors in the Information Security Compliance in Organizations
The increased reliance on information systems has created unprecedented challenges for organizations to protect their critical information from different security threats that have direct consequences for corporate liability, loss of credibility, and monetary damage. As a result, the security of information has become a top priority in many organizations. This study draws on insights from the organizational theory literature to investigate the role of socio-organizational factors in the adoption of information security compliance in organizations. Based on the analysis of survey data collected from 294 employees from different organizations, the study indicates that management commitment, awareness and training, accountability, technology capability, technology compatibility, processes integration, and audit and monitoring have a significant positive impact on the adoption of information security compliance in organizations. The study contributes to information security compliance research by exploring the criticality of socio-organizational factors at the organizational level for information security compliance.
💡 Research Summary
The paper addresses the growing challenge of protecting critical information in an era where organizations increasingly rely on information systems. While prior research on information security compliance (ISC) has largely focused on individual-level factors such as user awareness, attitudes, and technical controls, this study shifts the lens to the organizational level, drawing on organizational theory to identify “socio‑organizational” determinants that shape an organization’s adoption of security policies.
The authors formulate a conceptual model comprising seven constructs: (1) Management Commitment – the extent to which senior leadership publicly endorses and allocates resources for security; (2) Awareness and Training – systematic programs that educate employees about threats and policy requirements; (3) Accountability – clear assignment of responsibility, sanctions, and rewards for compliance or violation; (4) Technology Capability – the organization’s ability to acquire and maintain up‑to‑date security tools; (5) Technology Compatibility – the degree to which those tools integrate smoothly with existing business systems; (6) Process Integration – embedding security procedures into routine workflows so that compliance does not impose extra effort; and (7) Audit and Monitoring – continuous oversight mechanisms that track policy enactment and provide feedback.
To test the model, the researchers collected survey responses from 294 employees across a variety of industries (including IT, manufacturing, finance, and services) in early 2023. Items were adapted from validated scales and measured on a five‑point Likert format. Using structural equation modeling (SEM), the authors assessed reliability, convergent and discriminant validity, and the strength of the hypothesized paths. All constructs demonstrated high internal consistency (Cronbach’s α > 0.78) and met standard validity criteria.
Empirical results reveal that each of the seven socio‑organizational factors exerts a statistically significant positive influence on ISC adoption. Management Commitment (β = 0.28, p < 0.001) and Audit & Monitoring (β = 0.26, p < 0.001) emerge as the strongest drivers, underscoring the pivotal role of top‑down leadership and ongoing oversight in translating policy into practice. Awareness & Training (β = 0.22, p < 0.01) and Accountability (β = 0.20, p < 0.01) also show robust effects, confirming that regular education and clear consequence structures motivate employees to adhere to security rules. Technology Capability (β = 0.18, p < 0.05) and Technology Compatibility (β = 0.16, p < 0.05) indicate that having modern, well‑integrated security solutions reduces friction and facilitates compliance. Finally, Process Integration (β = 0.15, p < 0.05) highlights that when security steps are seamlessly woven into everyday tasks, users are less likely to view compliance as a burdensome add‑on.
The study contributes both theoretically and practically. Theoretically, it extends the ISC literature by integrating organizational‑level variables into a unified structural model, bridging a gap between individual‑centric and technology‑centric perspectives. Practically, the findings offer a clear roadmap for managers: articulate and visibly support security initiatives; invest in continuous, role‑relevant training; define and enforce accountability mechanisms; ensure that security technologies are both capable and compatible with existing IT landscapes; embed security controls within standard operating procedures; and maintain rigorous audit and monitoring regimes.
Limitations include the sample’s geographic concentration in South Korea, which may affect external validity, and the cross‑sectional design, which precludes causal inference over time. Future research could employ multi‑country longitudinal designs, incorporate qualitative case studies, and explore mediating or moderating effects (e.g., organizational culture, risk perception). Nonetheless, the paper convincingly demonstrates that socio‑organizational factors are decisive levers for fostering information security compliance, providing actionable insights for scholars and practitioners seeking to strengthen organizational cyber‑resilience.