Full text

1. Introduction

The Malaysian Communications and Multimedia Commission (MCMC, 2021) reported that for the second quarter of 2018, there were a total of 44.0 million mobile cellular subscriptions, out of which 10.8 million and 33.3 million were from post-paid and prepaid subscriptions, respectively. In addition to this, there were also 2.6 million fixed-broadband subscriptions, 36.2 million mobile-broadband subscriptions and 6.5 million fixed-telephone subscriptions (The Edge Markets, 2018). This is clear proof that the amount of data possessed by the Malaysian telecommunications industry is extremely high.

In recent years, however, Malaysia has been involved in many incidents of data breaches. In 2017, the number of data breach cases was only 19. The following year, the number of cases increased to 63 and in 2019, a total of 178 cases were reported (Yunus, 2019). The steep incline in the number of cases is extremely alarming.

Although high profile data breach cases in Malaysia have involved various industries such as education (Zurairi, 2018) and aviation (Augustin, 2020), it was a massive breach involving the data of 46.2 million mobile phone users in 2017 (Tan and Nair, 2017) that served as the motivation for this study. The Straits Times (2017) showed evidence that the crime was most probably committed by an employee from the telecommunications industry. Further, past studies have shown that most data breach incidents are indeed caused by employees (Cheng et al., 2017; MyCert, 2017). This stresses the need for instilling an information security culture among employees of the Malaysian telecommunications industry.

According to Chen et al. (2015), information security culture (ISC) is a collection of high level shared security values, beliefs and assumptions in information security in the organization. It can lead to unconscious, continuous and habitual behaviours towards security. Da Veiga and Eloff (2010) assert that an organization should focus on its employees’ behaviour towards information security or employees’ information security behaviour (ESB) to have good information security culture. This is because the failure or success of an organization depends on what its employees do or do not do. Other factors which have been known to have a strong impact on ISC are information security awareness (ISA) (Humaidi and Balakrishnan, 2015) and information security training programmes such as security, education, training and awareness...