340,939 research outputs found

    Information security management and employees' security awareness : an analysis of behavioral determinants

    [no abstract]

    Managing Information Security: The 'Human Factor' from the Point of View of IT Professionals, Decision Makers and Scientists

    In our paper we argue that effective information system (IS) security mainly has to take employees as users into account. We focus on an informal behavioral level of IS security discussing individuals’ behavior within an organization – exploring assessments of risks and barriers amongst a well-chosen sample of IT-professionals, decision makers and scientists in German-speaking countries. Among other issues the results of our empirical study show that it is still the “old threat” in the sense of mistakes and careless behavior of employees which brings up the most important danger for information security – regardless of an organization’s size or branch. According to the opinion of our respondents, behavioral training is needed and seen as an effective countermeasure. Additionally, a strong support of IS security by the top management and compliance with the organization’s behavioral guidelines are important factors to be considered

    A Common Description and Measures for Perceived Behavioral Control in Information Security for Organizations.

    Understanding employees’ security behavior is required before effective security policies and training materials can be developed. Anti-virus software, secure systems design methods, information management standards, and information systems security policies, which have been developed and implemented by many organizations, have not been successfully adopted. Information systems research is encompassing social aspects of systems research more and more in order to explain user behavior and improve technology acceptance. The theory of planned behavior, based on attitude, subjective norm, and perceived behavioral control (PBC) constructs, considers intentions as cognitive antecedents of actions or behavior. This study reviews various research on PBC and finds the most common measures for PBC, which can be used in organizations to develop a method to influence employees’ perceived behavioral control positively with the goal of inducing positive security behavior. Further, a conceptua

    Understanding information security compliance - Why goal setting and rewards might be a bad idea

    Since organizational information security policies can only improve security if employees comply with them, understanding the factors that affect employee security compliance is crucial for strengthening information security. Based on a survey with 200 German employees, we find that reward for production goal achievement negatively impacts security compliance. Whereas a distinct error aversion culture also seems to impair security compliance, the results provide no evidence for an impact of error management culture, affective commitment towards the organization, security policy information quality or quality of the goal setting process. Furthermore, the intention to comply with security policies turns out to be a bad predictor for actual security compliance. We therefore suggest future studies to measure actual behavior instead of behavioral intention

    Buying in and Feeling Responsible: A Model of Extra-role Security Behavior

    Extra-role security behavior has been recognized as a salient element of information security. Drawing upon the research on proactivity in the management literature, we identify ‘felt responsibility for constructive change’ (FRCC) as an important proactive motivational state that drives the behavior. We then follow proactive motivation theory and seek the contextual element and individual difference that precede FRCC. Based on buy-in theory, we propose that user participation in the development of information security-related activities and artifacts induces FRCC. To balance context specificity with generality, we model the individual difference of proactive personality as a moderator of this relation. Our model expands the scope of studying behavioral security by addressing users’ proactive involvement in protecting organizations’ information assets, as opposed to only examining reactive and passive user involvement. Further, the model extends the literature by addressing how promoting positive pre-kinetic events serves organizational information security

    Information security management practices: study of the influencing factors in a Brazilian air force institution

    This article aims at analyzing the factors which influence the staff of the Brazilian Air Force Information Technology Board – DTI in relation to the understanding of the application of the Information Security Management practices. This attempt was based on the hypothetical-deductive method and, as to its objective, it was descriptive in nature. As to the approach of the research problem, it was quantitative in nature. In order to achieve the proposed objective, an adaptation of the Theoretical Technology Acceptance Model – TAM, which allowed the analysis of the relation between sociodemographic profile, perceived ease of use, perceived usefulness, attitude and behavior of the users, and the level of understanding of the Information Security practices. The survey was conducted with 59 military servants and civilians which are part of the Brazilian Air Force Information Technology Board, to whom a questionnaire was applied, submitted and approved by the Committee of Ethics in Research (CAAE: 62636016.7.0000.5111), which was based on the precepts of ISO/IEC 27001 (2013) and 27002, which deal, respectively, with the Information Security Management system and with the code of practice for Information Security controls. Once the data were gathered, they were tabulated and statistically analyzed, which enabled the demonstration of the influence of sociodemographic and behavioral factors and of the precepts of the TAM in the perception of the Information Security practices by the DTI staff

    Extrinsic Factors Influencing the Effective Use of Security Awareness Guidelines: A Comparative Study between a Bank and a Telecommunications Company

    Recently, the telecommunication and banking industries, regarded as key infrastructures of a country’s economy, are experiencing a rapid transformation driven by changing consumer behaviors, increased competitive environment and new innovations, for example mobile technology. Thus, the purpose of this study is to investigate the influence of extrinsic factors on the behavioral decisions of users to effectively use a security awareness program. This study is quantitative in nature and explores the relationship between effective information use and other variables namely; management support, reward, punishment, social pressure, information quality and attitude. The results of the empirical testing demonstrate that information quality and attitude of employees are relevant factors towards using a security awareness program. Our results also show that reward and threat of punishment are less relevant factors

    Measuring the Onlooker Effect in Information Security Violations

    Today’s organizations need to be ensured that their critical information is secure, not leaked, and inadvertently modified. Despite the awareness of organizations and their investment in implementing an information security management plan, information security breaches still cause financial and reputational costs for organizations. A recent report of the Ponemon Institute for 2019 showed that the global cost and frequency of data breach increased, and negligent insiders are the root cause of most incidents. Many insider threats to cybersecurity are not malicious but are intentional. Specifically, more than 60 percent of reported incidents in 2019 were due to negligent or inadvertent employees or contractors (Ponemon Institute 2020). Many behavioral cybersecurity research projects investigate factors that influence mitigating information security violations, but still, there is a need to have a better understanding of behavioral factors. One of these factors is the perception of being overseen by onlookers who are organization members to whom one’s security policy violations are visible, but who are not directly involved in the behavior. This study examines the onlooker effect through the lens of Sociometer Theory and Affective Events Theory, which were used to investigate the impact of the perception of being overseen in a workplace on an intention to violate information security policies. In addition, this study tests the hypothesis that individuals under this situation experience different negative affective responses. Finally, this research tests the hypothesis that perceived onlooker threat intensifies these relationships by examining its moderating influence. An experimental vignette study was conducted with the Qualtrics platform with the currently employed population who are aware of information security policies in their organizations to determine responses to treatment conditions.
The results suggested that the interaction of the perceived presence of onlookers and perceived onlooker threat results in experiencing negative affective responses such as shame, guilt, fear, and embarrassment. Moreover, the results showed that employees experiencing fear, guilt, or embarrassment are less intended to violate information security policies. Overall, this research the understanding of the onlooker effect and the essential role of perceived onlooker threat. This study has substantial theoretical and practical implications for information security scholars and practitioners

    A Phenomenological Analysis of Information Security Reporting: A Paradoxical Perspective

    Current information security research has focused on security threats, prevention of incidents, and federal regulations for reporting incidents. However, we know little about how the behavior of information security professionals impacts security. Against this backdrop, this dissertation seeks to understand the drivers of tensions that information security professionals encounter in the performance of their job functions, which result in paradoxical tensions while reporting on the security of organizational assets. The findings of this study reveal how information security professionals respond to inherent tensions as they become salient, and how these salient tensions often become paradoxical in nature as they are dealt with as part of a security professional’s everyday lived experience. The findings highlight the actions undertaken by security professionals to resolve these paradoxical tensions and, in doing so, often engage in deviant behaviors that are contrary to organizational policy and industry or governmental regulations. These findings thus allow for an improved understanding of the motivations of an individual and assist with the creation of policies and management oversight activities that are intended to reduce the likelihood of information security professionals becoming insider threats to their organizations. To that end, an analytical framing combining paradox theory and deterrence theory as complementary theoretical lenses was adopted in this study. Following an interpretive phenomenological analysis methodology, a series of three in-depth interviews, each with eight information security professionals, was conducted. This methodological approach helped the participants to reflect on the drivers of tensions that they perceived as part of their lived experiences. The participants were selected from a range of industries and across a wide spectrum of experiences to capture a broad diversity of lived experiences. 
Hence, by determining how the drivers of tensions lead to paradoxical tensions that impact or guide the motivations and behaviors of information security professionals responsible for security reporting, the study seeks to contribute to behavioral information security knowledge in the areas of improvement of information security compliance, separation of insider deviant behavior from insider misbehavior, and understanding insider deviant behavior under duress

    INFORMATION SECURITY AWARENESS PROGRAMS IN CONGOLESE ORGANIZATIONS: CULTURAL INFLUENCE AND EFFECTIVE USE.

    Motivated by a need to understand the underlying drivers of employee effective use behaviors as it relates to security awareness in Congolese organizations, this study examined extrinsic motivation, intrinsic motivation, attitude toward security, intention to comply with security, and cultural motivators as critical elements that have an influence on employee effective use of security awareness. To our knowledge, this study is the first to develop a model to investigate the influence of employees’ culture on the effective use of security awareness programs. This study contributes to behavioral aspects of the body of knowledge on information security by presenting empirical support that employees’ culture, intrinsic motivation, extrinsic motivation, information quality, and attitude toward security awareness programs are essential factors to consider in order to predict employees’ decisions on the effective use of security awareness program. The results indicate that influencing employees’ attitudes toward security is a better predictor of employees’ effective use of security awareness programs than their intention to comply. Both intrinsic and extrinsic factors considered in this study are positively associated with the effective use of security awareness programs. The cultural effect has also proven to influence employees’ effective use of security awareness programs. Collectivism and uncertainty avoidance are positively associated with the effective use of security awareness programs, while masculinity/femininity and power distance did not. Furthermore, the study confirms that top management support is a decisive factor in helping increase the effective use of security awareness in the Congolese context. According to the findings, senior management must work on improving employees’ intrinsic motivation and attitude concerning security awareness guidelines and must follow through with both reward and punishment.
Finally, organizations should create a culture where each employee makes their peers accountable for following the security awareness guidelines