Power Distance as a Variable in Assessing Employees’ Behavior towards Information Security Policy Compliance in a High-Power Distance Society: An Exploratory Study

Information security is a concern of every business, hence the need for employees to comply with a policy that would protect the organization’s assets. The model developed for this research was based on Protection Motivation Theory, Theory of Planned Behavior, and Rational Choice Theory. There were 129 responses from Nigeria used to validate the model. The data analysis using PLS-SEM resulted in these findings: self-efficacy, normative beliefs, and power distance were significant and therefore impacted intention to comply with information security policy. Descriptive norms were not significant and therefore did not positively impact intention to comply with information security policy. Power distance was impactful on employees’ intention to comply with information system policy and contributed to theory and practice; respondents chose to do right by their intention to comply with information security policy. Training and managerial oversight in policy compliance are significant since those actions would help protect the organization’s information. The analysis showed the adverse effect of a high correlation between indicators of different constructs.


INTRODUCTION
Information security policy (ISP) is crafted for an organization's employees to guide them on what to do to protect the organization's assets and resources (1); current events do not support the intended outcome. According to Myyry, Siponen, Pahnila, Vartiainen, and Vance (2), 90% of organizations have at least one information security occurrence in a year. The 2006 Computer Security Institute / Federal Bureau of Investigation (CSI/FBI) Computer Crime and Security Survey indicates that organizations are exposed to thirteen categories of attacks, ranging from viruses and laptop/mobile theft to unauthorized access to information (3). There are concerns about phishing and about weak and unprotected passwords that would allow information security breaches.
Phishing is a way for criminals to represent themselves as trusted entities, using social engineering to obtain information for exploitation (4). Phishing attacks, mainly by email, do not show signs of slowing down, and one reason for the increase is that they are effortless to create and email filters are not very successful as detecting agents (5,6). In 2014, 28.8% of phishing attacks were to steal financial data, and the business segment that suffered the worst episode was the mail service (7). Between October 2013 and January 2015, the FBI saw a 270 percent increase in victims of fake email crime referred to as the CEO emails, which resulted in a $2.3 billion loss to businesses (7).
The past 50 years have witnessed different evolutions of an imperfect security system we know as the password. Against all proposed alternative ways to secure systems and data, it has survived and gained widespread use (8). Weak passwords are subject to guessing attacks, and the leakage of password hash databases makes them vulnerable, as pointed out by Chatterjee, Athayle, Akawhe, Juels, and Ristenpart (9,10). The success of the first form of attack depends on the complexity of the password. Password complexity depends on the user, and the user must have the knowledge and desire to provide such a complex password.
Statistics based on over one hundred forty-three million data records collected by Verizon and the United States Secret Service, after analysis, show that out of one hundred forty-one confirmed breaches, insider attacks were responsible for 46% of them (11). Criminals seek access to enterprise systems by exploiting connections to the organization, as employees or supply chain partners, for example (12). Information security researchers are constantly investigating factors that would help increase ISP compliance and reduce data breaches, but power distance is not one of the factors investigated.

Power distance (PD), as defined by Hofstede, Jan Hofstede, and Minkov (13), is "the extent to which the less powerful members of institutions and organizations within a country expect and accept that power is distributed unequally." In a high-power distance index (PDI) society, subordinates must obey their superiors and carry out their instructions without questions. In a low PDI society, the opposite is true (14,15). The culture of the environment a person grows up in shapes his/her behavior (15,16).
ISP is a crucial tool to guide employees on managing incidents they may face, such as those stated above. Still, the responsibility is left to the employees to implement the instructions outlined in such policy. Behavior subsequently determines the response exhibited by each employee. The aim of this research is to introduce power distance as one of the factors to research in assessing the behavior of employees in a high PDI society toward ISP, which would address the question (17): How would PD influence employees in a high PDI society to respond to ISP compliance in their organizations?
The theoretical background for the model in this research is Protection Motivation Theory (PMT) (18), which leads to the concept of self-efficacy: possessing the right skills and knowledge will facilitate compliance with ISP. From the Theory of Planned Behavior (TPB) (19), subjective norms will encourage ISP compliance. From Rational Choice Theory (RCT) (20), cultural attributes will influence intention to comply with ISP. The research adds to the available body of knowledge in information security by introducing the concept of power distance as one of the constructs that need investigation. It provides practical insight to businesses that may expand into high PDI countries.

LITERATURE REVIEW
Early research on ISP was based on sanctions and fear appeals (21,22). Focus has shifted recently to behavior-based research to highlight variables responsible for ISP violations (23). Building psychological profiles and behavior models to predict the potential for ISP compliance or violations has proven partially successful (23-25). The following literature shows employees' behaviors considering ISP compliance.
In an attempt to find why employees may go rogue and violate ISP, Hu, Xu, Dinev, and Ling (26) investigated deterrence effectiveness. The authors discovered that comprehensive ISP and extensive awareness training did not deter employees from ISP violations. The prime reason for their finding was that violators derived more benefits from violation of ISP than from compliance. The concept of Neutralization Theory (NT), violators rationalizing their actions, was introduced by Siponen and Vance (27) as an alternative to deterrence in the study of ISP violations. The research was designed based on Sykes and Matza's (28) neutralization techniques: denial of responsibility, denial of injury, denial of victim, condemnation of the condemners, and the appeal to higher loyalties. The collected data analysis pointed to neutralization as a predictor of intention to violate ISP (26).
A study conducted by Bulgurcu et al. (21) included normative beliefs as one of the constructs that affected employees' ISP compliance. Normative beliefs are social pressures centered around employment, based on what colleagues, managers, and executives think (21). Based on data analysis from 464 participants, the finding supported their hypothesis that normative beliefs positively influenced employees' intention to comply with ISP.
Cheng, Li, Li, Holm, and Zhai (29) investigated the effect of subjective norms and co-worker behavior, both grouped as social pressure, on employees' intention to comply with or violate ISP. Their proposed hypotheses were that the immediate supervisor's opinion weighed negatively on employees' intent to violate ISP, and co-worker's behavior would positively impact employees' intention to violate ISP. The data supported the two hypotheses on the evaluation of 185 completed surveys returned (29).
Self-efficacy is an essential aspect of information security; it involves assessing individual skills, knowledge, and confidence in performing required tasks (18,30). Rhee, Kim, and Ryu (31) investigated the influence of self-efficacy on the end users' information security behavior; they postulated that those with higher self-efficacy in information security use more security software and are more security conscious and dedicated to information security. Analysis of the survey data returned by 415 graduate students provided significant results supporting the stated hypotheses (31).
Power distance as a construct in ISP compliance deserves investigation. The study of PD in other disciplines makes it possible to understand its effect on ISP compliance. Albers-Miller and Gelb (32) wanted to answer whether business advertisement had to mirror cultural dimensions, including power distance. In a study conducted in eleven countries, five out of eight appeals coded for power distance showed significant support, leading the authors to conclude that general advertisement across cultures was not advisable: target the market's culture when advertising to specific people (32). Ahmed, Mouratidis, and Preston (33) observed that website design was one-dimensional, excluding high power distance and high-context culture contents. Based on several websites, they developed guidelines for websites that incorporated components that would appeal to high power distance and high-context cultures.
Another area that depends on behavior is the detection of and response to phishing emails. Employees must visually examine phishing emails that escape filters to determine their authenticity, hence the following research outcomes. One of the signs that shows an email to be fake is an IP address in the link, but more sophisticated ones do not have such links (5). Playpal.com and PayPal-update are examples of slight changes made to domain names to entice users' clicks. Spelling errors should be a giveaway of a phishing email (5,34). Users should be cautious of email with instructions like "click here to restore your account"; it is a red flag indicating a problem link (5). Users are the primary target for phishing email attacks, and proper training is the only way to prevent users from becoming victims (4). Public education efforts by the news media, government agencies, and corporations have not been very successful because users frequently do not update their software to either the latest versions or patches (35). Policies should be straightforward and easy to understand by all users (3). Users are known to be tired of learning and have even ignored policies, license agreements, and help pages (3). Users have to examine URLs to identify a phishing email using a mouse-over (34).
The use of passwords for access has been another area generating problems for information protection. Several studies concerning secure passwords and proper usage have resulted in some of the findings expressed here. Unique passwords with sufficient complexity, repeated several times depending on the number of accounts a user sets up, are not reality, Bonneau et al. (9) argued. It is impossible to expect any person to set up a complex password comprising a mix of symbols and letters, at least eight characters long, with no personal information, not written down, unique on every account set up, and remembered (8).
The results of research conducted for the United Kingdom's MI5 security service exposed some of the prevailing password practices (25). Password policies mandating complex and frequently changed passwords do not solve insider attacks, since remembering such passwords becomes a problem for the employees, who may have to write them down, making them easily accessible to others (25). Security experts' advice to users on secure passwords only causes irritation and annoyance to users, who would conveniently ignore such advice (9).

THEORETICAL BACKGROUND
Protection Motivation Theory (PMT) consists of fear appeals and coping appraisal (18,36). Fear appeals result from a threat that leaves a person vulnerable, followed by assessing the threat severity (36). The next logical step in the process is an analysis of the possibility of an event taking place and ascertaining the recommended remedy's efficacy (36). Rogers (37) revised original postulates to include the coping process, mediating process, and modes of coping. The coping strategy triggers an adaptive response to assess response efficacy followed by self-efficacy. Self-efficacy is needed to perform the necessary action to protect the information system from threats. This type of protection is not a planned action since an employee does not know the danger beforehand. Self-efficacy is to be armed with the right knowledge and be confident to apply it when needed to protect (36,37).
Rational Choice Theory (RCT): this theory explains that a person chooses based on his/her moral or cultural beliefs and acts on those beliefs that could be wrong or right (38). It links selection to preference, which indicates that people should behave purposefully according to their values. The theory's extension includes a positive spectrum of moral or cultural obligation, doing right instead of wrong (38,39). One of the criticisms of RCT by researchers is unfalsifiability, but Lovett (40) explains that RCT is one of the tools employed to make sense of causal social phenomena.
Theory of Planned Behavior (TPB): this is an extension to the Theory of Reasoned Action (TRA) (19). TPB relates to a person's behavioral intention, and the choice results from a person's attitude toward the behavior (41). Fishbein and Ajzen (42) postulate that behavior results from purpose, and philosophy and subjective norms make up that intention. Ajzen (19), as an extension to TRA, added perceived control, consisting of time, money, right skills, and other people's help. Moody, Siponen, and Pahnila (43) agree that self-efficacy provides a positive attitude toward behavior.

RESEARCH MODEL AND HYPOTHESES
There are five constructs in the model, four independent variables: self-efficacy, descriptive norms, normative beliefs, and power distance, and one dependent variable, the intention to comply, as shown in Figure 1. The subjects under research make the

FIGURE 1: Research Model

Fear is a powerful motivator that invokes a defensive posture or sometimes confrontation avoidance (36). Fear appeals are the underpinnings of PMT (18,43-46). PMT originally was proposed for health research (37), but it applies to information security. The fear invokes the cognitive process, leading to the threat severity appraisal; the coping strategy drives the solution, culminating in self-efficacy (18,43).
As an extension to TRA, TPB states that there is a need for self-efficacy in combination to perform a behavior (37,43). The proliferation of technology into this society requires strategies to defend against the impending danger of data breaches. Knowledge and confidence in handling such tasks are among the methods. Hence, we hypothesize that:
H1: Self-efficacy will encourage ISP compliance by employees.
Working in an organization where employees tend to respond favorably to instructions will weigh on every person in such an environment to adapt. Complying with ISP by other employees is designated a social factor that would encourage every person to do the same; a positive environment would generate a positive response (19,44). Instead, the research subjects would do what others do without understanding the implications, not to be left out. Hence, we hypothesize that:
H2: Descriptive norms will encourage ISP compliance by employees.
There are pressures on an employee from co-workers and management when they follow protocols, as they respond positively to them; this is the primary outcome of normative beliefs (19,21,41). In an environment where following instructions is the norm, employees will not disregard pressure from management. Hence, we hypothesize that:
H3: Normative beliefs will encourage ISP compliance by employees.
Dinev, Goo, Hu, and Nam (47) agree that cultural factors should be a part of the ISP program to make it successful. The antecedent of behavior is culture, shaping a person's everyday life event (48). Employees in high PDI society would obey instructions without questions (14-16). When exposed to choices, to follow or not, the option would be to perform the required instructions. Hence, we hypothesize that:
H4: Power distance will encourage ISP compliance by employees.

RESEARCH METHODOLOGY
The study is quantitative research that empirically validates the hypotheses derived from the research model. The model is exploratory as power distance has not been tested before for ISP compliance.

Data Collection
A trusted representative distributed and collected the survey in a southern state in Nigeria, where there is a high concentration of most ethnic groups. The population was the Nigerian working class, and the population sampling was by random survey questionnaire distribution in different organizations. There were 219 returned questionnaires out of 510 distributed. Of these, 129 were useable, a 25% completion rate.

Operationalization of construct
Measurement items are adopted from extant literature to maximize validity, reliability, and minimize bias, on the recommendation of Straub, Boudreau, and Gefen (49). There are no easy means of measuring latent variables except by indicators (50). The constructs from the research model turn into measurement items with a 7-point Likert scale. Table 2 describes the measurement items.

RESULTS
We

Assessment of Measurement Model
The indicators used in the model are reflective. The measurement model's assessment included evaluating internal consistency, each indicator's reliability, convergent reliability, and discriminant validity. We removed indicators DN3, NB1, NB2, PD3, and SE3; they loaded high on more than one variable (50,54); the empirical correlation value between NB1 and PD1 was very high. Reflective constructs must exceed the required threshold of 0.7 to be reliable (50,55). Outer loading has to exceed 0.708 to be considered statistically significant, and 0.4 is acceptable for exploratory research (50,56). Table 4 shows individual indicator reliability exceeds the required minimum. The assessment of convergent validity requires the average variance extracted (AVE) of each latent variable to be (≥ 0.50) (50,53). The values in Table 4 are (> 0.5), confirming that the measures of all reflective constructs have met the requirements of convergent validity.
The traditional method of testing discriminant validity is the Fornell-Larcker criterion, which states that each construct's AVE's square root should be greater than the AVE of other correlated constructs (50,57,58). The data in Table 5 comply, satisfying the requirement. The Heterotrait-Monotrait Ratio of Correlation is another means of assessing discriminant validity; the required value should be (< 0.850) (the more conservative value) (57). The highest value in Table 6 is 0.776; therefore, discriminant validity is established. The criteria for the measurement model are satisfied.

Assessment of Structural Model
Structural model measurement represents the relationship between constructs [50]. The evaluation of the following criteria must be satisfied for an assessment to be valid: collinearity issues, the significance and relevance of structural model relationships, coefficient of determination R², the effect sizes f², and the predictive relevance Q² effect sizes [50], [59]. A Variance Inflation Factor of 5 or greater means a problem with collinearity [50]. The values of predictor variables in Table 7 are < 5; therefore, there are no collinearity issues. The critical t-values are 1.65 for a 10% significance level, 1.96 for a 5% significance level and 2.5% for a 1% significance level. Alternatively, a p-value should be less than 0.10 for a 10% significance level, less than 0.05 for a 5% significance level, and less than 0.01 for a 1% significance level. The path coefficient value should be between +1 and -1; a value close to 1 represents a strong relationship between the predictor and outcome variables. A value close to 0 represents a weak relationship [50]. Figure 2 shows the research model with path coefficient and R² value. Table 8 shows path coefficient, T statistics, and p-values. The R² value is a measure of a model's predictive power. The R² values of 0.75, 0.50, or 0.25 for the endogenous construct are substantial, moderate, and weak, respectively [50]. The R² value for this research is 0.603, as represented in Table 8, which means that 60.3% variation in the intention to comply is the combined effect of all the independent variables. Based on the predictive accuracy power guidelines, we observed that the model has moderate explanatory power.
Using Standard Root Mean Square Residual (SRMR), we assessed Goodness of Fit (GoF); a good fit is (< 0.080) [60]. Our value was 0.057, below the required threshold. Predictive Relevance Q² is known as Stone-Geisser's Q² value, a measure of how well the path model predicts the observed values. The rule of thumb requires that the Q² value must be larger than 0 to show that the exogenous constructs have predictive relevance for the endogenous linked to them [50]. The parameter for the blindfolding process used was omission distance (D) value = 7. The value of Q² observed was (> 0), as seen in Table 8, indicating a high predictive relevance. Effect size f² is a recalculation of R² after eliminating a specified exogenous construct to determine how much impact such elimination has on the R² value of the remaining endogenous constructs [50]. The guideline points out three values for assessing f² effect size, 0.02, 0.15, and 0.35: small, medium, and large effects, respectively [61].
The effect size of all the constructs was small (< 0.15), as shown in Table 8. The structural model assessment is satisfactory.

Hypothesis Testing
The findings were as follows: the path from self-efficacy to intention to comply with information security policy (β = 0.289), normative beliefs to intention to comply with information security policy (β = 0.293), and power distance to intention to comply with information security policy (β = 0.231) were significant at 0.05 level, therefore supported. The path from descriptive norms (β = 0.101) was not significant at 0.05 level, therefore not supported (see Table 9).

FIGURE 2: Research Model - Path Coefficient and P-value

DISCUSSION
We showed that normative beliefs, power distance, and self-efficacy influenced employees' intention to comply with information security policy. The p-value for descriptive norms exceeded the required threshold of 0.05, and descriptive norms did not influence intention to comply with information security policy. We dropped some of the factors because they loaded high on more than one variable. Investigation revealed that the correlation between the factors of one variable and other variables was also high.

LIMITATIONS
There were several limitations to this study.
First, the survey was taken during the pandemic, which limited access to employees.
Second, the questions related to each construct may have invoked the same response type since they were highly correlated, which showed up on the questionnaire prompting rejection.
Third, the reliability of the responses was not ascertainable.
Fourth, people understand questions differently, which could lead to wrong responses.
Fifth, people could respond to questions without reading them.
Sixth, over 50 percent did not respond, and a small percent of responses were useable.

PRACTICAL IMPLICATIONS
The point that normative beliefs, self-efficacy, and power distance have produced positive results should encourage management to be directly involved in information security programs. Build trust between management and employees in information security to promote its importance. Information security training should be the same for all; the employees who lack technical knowledge should be brought up to the required technical level to participate comfortably. Hands-on participation should be a requirement for every employee, including management, to increase confidence. Job assignments should consider power distance as an influencing factor to encourage a positive response to information security policy. An information security policy should be written in plain and concise language to avoid misinterpretation. Give the policy to every employee; every few months, there should be a short refresher training to stress its importance.

CONCLUSIONS
This study was theory-based research combining Protection Motivation Theory, Theory of Planned Behavior, and Rational Choice Theory to empirically validate a model that introduced a new construct, power distance, in information security policy compliance. Nigeria was a random survey location because it is a high-power distance country. The findings demonstrated that employees in a high-power distance society would respond favorably to the concept of information security policy compliance; the newly introduced construct, power distance, played a major role in the favorable response to ISP compliance. The results showed that normative beliefs, power distance, and self-efficacy had significant impacts on intention to comply with information security policy. On the contrary, descriptive norms did not positively affect the intention to comply with information security policy.