Should we wear a velvet glove to enforce Information security policies in higher education?

The United States higher education is facing a unique challenge in information security management due to its distinctive characteristics, such as decentralised structure, academic freedom, and shared governance. These characteristics sharply distinguish higher education from traditional corporations. Gradually, this is beginning to pose a challenge for higher education institutions to adopt the appropriate information technology governance framework, which, for traditional corporations, mostly addresses security governance and leadership in a top-down manner. To address this issue, we examine the effect of perceived information security management approaches on perceived security practices. Our results show that the perceived flexible-oriented approach of information security management is more effective to use in implementing security controls in high education institutions. This seems to contradict most of the findings in the literature that suggest that a control-oriented approach is more effective in enforcing information security policies. Research contributions and implications are discussed, accordingly.