    Behavioral Approach to Information Security Policy Compliance

    Information security is among the top organizational priorities. Theoretically, information security in socio-technical networks is as much a behavioral issue as it is a technical one. Protection motivation theory (PMT), the dominant theory used to investigate end-user security behavior, has however shown conflicting results, primarily due to a lack of contextualization of the theory to the information security context from a healthcare context. In this paper, we outline a theoretically grounded conceptual model of the major factors influencing information security policy compliance. The model contextualizes the two independent variables of PMT. Threat appraisal evaluation is viewed as construal evaluation based on construal level theory, while coping appraisal evaluation is viewed as an outcome of training based on social cognitive theory. Overall, the model provides a well-grounded nomological network to better explain information security compliance behavior. The paper also outlines key managerial levers that can be used to influence end-user behavior.

    An Integrative Behavioral Model of Information Security Policy Compliance

    The authors found the behavioral factors that influence organization members’ compliance with the information security policy in organizations on the basis of neutralization theory, the theory of planned behavior, and protection motivation theory. Depending on the theory of planned behavior, members’ attitudes towards compliance, as well as normative belief and self-efficacy, were believed to determine the intention to comply with the information security policy. Neutralization theory, a prominent theory in criminology, could be expected to provide the explanation for information system security policy violations. Based on protection motivation theory, it was inferred that the expected efficacy could have an impact on intentions of compliance. By the above logical reasoning, the integrative behavioral model and eight hypotheses could be derived. Data were collected by conducting a survey; 194 out of 207 questionnaires were available. The test of the causal model was conducted by PLS. The reliability, validity, and model fit were found to be statistically significant. The results of the hypotheses tests showed that seven of the eight hypotheses were acceptable. The theoretical implications of this study are as follows: (1) the study is expected to play the role of a baseline for future research about organization members’ compliance with the information security policy, (2) the study attempted an interdisciplinary approach by combining psychology and information system security research, and (3) the study suggested concrete operational definitions of influencing factors for information security policy compliance through a comprehensive theoretical review. The study also has some practical implications. First, it can provide a guideline to support the successful execution of the strategic establishment for the implementation of information system security policies in organizations. Second, it proves that the need for education and training programs suppressing members’ neutralization intention to violate information security policy should be emphasized.

    Replication Research of Moody, Siponen, and Pahnila’s Unified Model of Information Security Policy Compliance

    Information security compliance behavior research has produced several theoretical models derived from different disciplines to explain or predict violations of information security policies (ISP) or related employee intentions. The application of these theories to ISP violations has led to an increasing number of information security behavioral models. Based on this observation, Moody et al. (2018) reviewed and empirically compared 11 theories that predict information system security behavior using a Finnish sample. Drawing on these findings, they derived and tested a unified model of ISP compliance (UMISPC). This study is a conceptual replication of the refined UMISPC by Moody et al. (2018). For the replication, we considered the general tendency to violate policy rather than having respondents consider specific behaviors according to the scenario approach that Moody et al. (2018) used to test the refined UMISPC. Further, in contrast to Moody et al. (2018), we tested the refined UMISPC with respondents from Germany. In our data, we found empirical evidence for seven of the eight proposed relationships of the refined UMISPC. Only the relationship between fear and reactance remained insignificant in our estimation. Although more research is necessary to confirm our results, we interpret them as further support for the model’s generalizability.

    A Phenomenological Analysis of Information Security Reporting: A Paradoxical Perspective

    Current information security research has focused on security threats, prevention of incidents, and federal regulations for reporting incidents. However, we know little about how the behavior of information security professionals impacts security. Against this backdrop, this dissertation seeks to understand the drivers of the tensions that information security professionals encounter in the performance of their job functions, which result in paradoxical tensions while reporting on the security of organizational assets. The findings of this study reveal how information security professionals respond to inherent tensions as they become salient, and how these salient tensions often become paradoxical in nature as they are dealt with as part of a security professional’s everyday lived experience. The findings highlight the actions undertaken by security professionals to resolve these paradoxical tensions and show that, in doing so, they often engage in deviant behaviors that are contrary to organizational policy and industry or governmental regulations. These findings thus allow for an improved understanding of the motivations of an individual and assist with the creation of policies and management oversight activities that are intended to reduce the likelihood of information security professionals becoming insider threats to their organizations. To that end, an analytical framing combining paradox theory and deterrence theory as complementary theoretical lenses was adopted in this study. Following an interpretive phenomenological analysis methodology, a series of three in-depth interviews, each with eight information security professionals, was conducted. This methodological approach helped the participants to reflect on the drivers of tensions that they perceived as part of their lived experiences. The participants were selected from a range of industries and across a wide spectrum of experience to capture a broad diversity of lived experiences. Hence, by determining how the drivers of tensions lead to paradoxical tensions that impact or guide the motivations and behaviors of information security professionals responsible for security reporting, the study seeks to contribute to behavioral information security knowledge in the areas of improvement of information security compliance, separation of insider deviant behavior from insider misbehavior, and understanding insider deviant behavior under duress.

    Three Essays on Information-Securing in Organizations

    This dissertation is intended to interpret, analyze, and explain the interplay between organizational structure and organizational information systems security by mapping structural contingency theory into three qualitative studies. The research motivation can be attributed in two ways. First, Johnson and Goetz's (2007) conception of embedding information in organizations, developed as part of their field research interviewing security executives, serves as a methodological inspiration for the series of three studies reported here. The point that security should be infused into organizational activities instead of serving as a bolted-on function is a central tenet guiding the development of this dissertation. Second, a macro approach is employed in the studies reported here, aimed at a theoretical expansion from existing behavioral security studies, which typically take a micro perspective, while mitigating potential theoretical reductionism due to a predominant research concentration on individual components of organizational information security instead of the holistic function of the firm. Hence, this dissertation contributes to behavioral organizational security research by positing a theoretical construct of information-securing, an organizational security process which is essentially characterized by dualism, dynamism, and democratism. With a macro organizational perspective on the elements of information-securing, organizations can effectively discover and leverage organization-wide resources, efforts, and knowledge to cope with security contingencies. The first study of this dissertation is designed to investigate the nature of employees’ extra-role behaviors. This study investigated how employees might sometimes take steps beyond the requirements of the organizational-level security policy in order to facilitate effective workgroup operation and to assist less-skilled colleagues. The second study of this dissertation conducts an interpretive study of the role of information systems auditing in improving information security policy compliance in the workplace, with a specific focus on the role of non-malicious insiders who unknowingly or innocuously thwart corporate information security directives by engaging in unsafe computing practices. The last study of the dissertation explores the interplay between organizational structures and security activities. The organizational perspective of security bureaucracies is developed with three specific bureaucratic archetypes to define the evolutionary stages of the firm’s progress from coercive rule-based enforcement regimes to fully enabled and employee-centric security cultures in the workplace. Borrowing from Weberian metaphors, the characterization of security bureaucracies evolving from an “iron cage” to an “iron shield” is developed. These three studies revolving around the general notion of information-securing are deemed to be a promising start of a new stream of organizational IS security research. In order to enrich and extend the IS security literature, the perspective advocated in this dissertation suggests a shift in the epistemological paradigm of security behaviors in organizations from the prevailing micro views to macro perspectives, which will result in very useful new perspectives on security management, security behaviors, and security outcomes in organizations.

    A descriptive review and classification of organizational information security awareness research

    Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, published over the last decade from 2008 to 2018, was analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving, with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology, and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding.

    Are we predisposed to behave securely? Influence of risk disposition on individual security behaviors

    Employees continue to be the weak link in organizational security management, and efforts to improve the security of employee behaviors have not been as effective as hoped. Researchers contend that security-related decision making is primarily based on risk perception. There is also a belief that, if changed, this could improve security-related compliance. The extant research has primarily focused on applying theories that assume rational decision making, e.g., protection motivation and deterrence theories. This work presumes we can influence employees towards compliance with information security policies by means of fear appeals and threatened sanctions. However, it is now becoming clear that security-related decision making is complex and nuanced, not a simple carrot-and-stick situation. Dispositional and situational factors interact and interplay to influence security decisions. In this paper, we present a model that positions the psychological disposition of individuals in terms of risk tolerance vs. risk aversion and proposes research to explore how this factor influences security behaviors. We propose a model that acknowledges the impact of employees' individual dispositional risk propensity as well as their situational risk perceptions on security-related decisions. It is crucial to understand this decision-making phenomenon as a foundation for designing effective interventions to reduce such risk taking. We conclude by offering suggestions for further research.

    Peeling Back the Student Privacy Pledge

    Education software is a multi-billion dollar industry that is rapidly growing. The federal government has encouraged this growth through a series of initiatives that reward schools for tracking and aggregating student data. Amid this increasingly digitized education landscape, parents and educators have begun to raise concerns about the scope and security of student data collection. Industry players, rather than policymakers, have so far led efforts to protect student data. Central to these efforts is the Student Privacy Pledge, a set of standards that providers of digital education services have voluntarily adopted. By many accounts, the Pledge has been a success. Since its introduction in 2014, over 300 companies have signed on, indicating widespread commitment to the Pledge’s seemingly broad protections for student privacy. This industry participation is encouraging, but the Pledge does not contain any meaningful oversight or enforcement provisions. This Article analyzes whether signatory companies are actually complying with the Pledge rather than just paying lip service to its goals. By looking at the privacy policies and terms of service of a sample of the Pledge’s signatories, I conclude that noncompliance may be a significant and prevalent issue. Consumers of education software have some power to hold signatories accountable, but their oversight abilities are limited. This Article argues that the federal government, specifically the Federal Trade Commission, is best positioned to enforce compliance with the Pledge and should hold Pledge signatories to their promises.

    Cost-Benefit Analysis and Well-Being Analysis
