Investigating and mitigating the role of neutralisation techniques on information security policies violation in healthcare organisations

Healthcare organisations today rely heavily on Electronic Medical Records systems (EMRs), which have become highly crucial IT assets that require significant security efforts to safeguard patients’ information. Individuals who have legitimate access to an organisation’s assets to perform their day-to-day duties but intentionally or unintentionally violate information security policies can jeopardise their organisation’s information security efforts and cause significant legal and financial losses. In the information security (InfoSec) literature, several studies emphasised the necessity to understand why employees behave in ways that contradict information security requirements but have offered widely different solutions. In an effort to respond to this situation, this thesis addressed the gap in the information security academic research by providing a deep understanding of the problem of medical practitioners’ behavioural justifications to violate information security policies and then determining proper solutions to reduce this undesirable behaviour. Neutralisation theory was used as the theoretical basis for the research. This thesis adopted a mixed-method research approach that comprises four consecutive phases, and each phase represents a research study that was conducted in light of the results from the preceding phase. The first phase of the thesis started by investigating the relationship between medical practitioners’ neutralisation techniques and their intention to violate information security policies that protect a patient’s privacy. A quantitative study was conducted to extend the work of Siponen and Vance [1] through a study of the Saudi Arabia healthcare industry. The data was collected via an online questionnaire from 66 Medical Interns (MIs) working in four academic hospitals. The study found that six neutralisation techniques—(1) appeal to higher loyalties, (2) defence of necessity, (3) the metaphor of ledger, (4) denial of responsibility, (5) denial of injury, and (6) condemnation of condemners—significantly contribute to the justifications of the MIs in hypothetically violating information security policies. The second phase of this research used a series of semi-structured interviews with IT security professionals in one of the largest academic hospitals in Saudi Arabia to explore the environmental factors that motivated the medical practitioners to evoke various neutralisation techniques. The results revealed that social, organisational, and emotional factors all stimulated the behavioural justifications to breach information security policies. During these interviews, it became clear that the IT department needed to ensure that security policies fit the daily tasks of the medical practitioners by providing alternative solutions to ensure the effectiveness of those policies. Based on these interviews, the objective of the following two phases was to improve the effectiveness of InfoSec policies against the use of behavioural justification by engaging the end users in the modification of existing policies via a collaborative writing process. Those two phases were conducted in the UK and Saudi Arabia to determine whether the collaborative writing process could produce a more effective security policy that balanced the security requirements with daily business needs, thus leading to a reduction in the use of neutralisation techniques to violate security policies. The overall result confirmed that the involvement of the end users via a collaborative writing process positively improved the effectiveness of the security policy to mitigate the individual behavioural justifications, showing that the process is a promising one to enhance security compliance

Socio-Life Science and the COVID-19 Outbreak

This open access book presents the first step towards building socio-life science, a field of science investigating humans in such a way that both social and life-scientific factors are integrated. Because humans are both living and social creatures, a human action can never be understood fully without knowing both the biological traits of a person and the social scientific environments in which he exists. With this consideration, the editors of this book have initiated a research project promoting a deeper and more integrated understanding of human behavior and human health. This book aims to show what can, and could be, achieved through our interdisciplinary project. One important product is the newly formed three-party collaboration between Pasteur Institut, Kyoto University, and the Research Institute of Economy, Trade and Industry. Covering many different fields, including medicine, epidemiology, anthropology, economics, sociology, demography, geography, and policy, researchers in these institutes, and many others, present their studies on the COVID-19 pandemic. Although based on different methodologies, the studies show the importance of behavioral change and governmental policy in the fight against a huge pandemic. The book explains the unique genome cohort–panel data that the project builds to study social and life scientific aspects of humans

Biopsychosocial Factors That Discriminate Between White Collar Offenders and Business Professionals

White collar crime is pervasive with a larger financial impact to society than violent or street crime, yet it has been understudied. Violent and street offender research has moved beyond the examination of motive and opportunity to study personality, demographics, sociological influences, and psychological influences on development and criminal behavior; however, the bulk of white collar offender research has focused on greed as a motivator and organizational opportunity. Legislative efforts have attempted to curtail white collar crime, but incidents of crime continue to rise, resulting in a continued need to understand white collar offenders and the influences on offender behavior. The purpose of this quantitative study was to examine the multivariate difference between white collar offenders (n = 62) and business professionals (n = 121). Theoretically guided by the biopsychosocial model and prior empirical findings, 36 variables were univariately tested for group differences; 10 were significant and used in discriminant function analysis. White collar offenders tended to be female, have high neuroticism and alcohol abuse scores, and have low scores on narcissism and attribution. Drug use was positively correlated with the white collar offender profile, while income, openness, hostility, and anger were inversely related. The profile and correlates provide a deeper understanding of those who choose to cross legal and ethical lines. Positive social change could be realized through targeted collegiate business training programs to address risk characteristics and promote protective factors of ethics, integrity, and leadership

Socio-Life Science and the COVID-19 Outbreak

This open access book presents the first step towards building socio-life science, a field of science investigating humans in such a way that both social and life-scientific factors are integrated. Because humans are both living and social creatures, a human action can never be understood fully without knowing both the biological traits of a person and the social scientific environments in which he exists. With this consideration, the editors of this book have initiated a research project promoting a deeper and more integrated understanding of human behavior and human health. This book aims to show what can, and could be, achieved through our interdisciplinary project. One important product is the newly formed three-party collaboration between Pasteur Institut, Kyoto University, and the Research Institute of Economy, Trade and Industry. Covering many different fields, including medicine, epidemiology, anthropology, economics, sociology, demography, geography, and policy, researchers in these institutes, and many others, present their studies on the COVID-19 pandemic. Although based on different methodologies, the studies show the importance of behavioral change and governmental policy in the fight against a huge pandemic. The book explains the unique genome cohort–panel data that the project builds to study social and life scientific aspects of humans

Strategies to Monitor and Deter Cyberloafing in Small Businesses: A Case Study

Some information technology (IT) managers working for small businesses are struggling to monitor and deter cyberloafing. Strategies are needed to help IT practitioners to discourage cyberloafing and improve productivity while maintaining employee satisfaction. Grounded in adaptive structuration theory, the purpose of this qualitative multiple-case study was to explore strategies some small business IT managers use to monitor and deter cyberloafing. The participants were nine IT managers who successfully implemented cyberloafing monitoring and deterrence strategies in the United States. Data were collected via semistructured interviews and organization employee policy handbooks (n = 4) provided by the participants. Data were analyzed using thematic analysis. The major themes were using tools, policy, and procedures to monitor cyberloafing and using tools, trust, and policies as strategies to deter cyberloafing. One recommendation for practitioners is to incorporate hardware and software tools to monitor and deter cyberloafing early when hiring employees for a small business. The implications for positive social change include the potential to foster greater economic stability in the community while promoting a healthy working environment

To Report or Not to Report: Student Reporting Behaviors of Violent Crimes in Schools

School-based violence is a criminal justice topic that often captures the attention of the media and the public. As a result, measures - such as school security strategies, safety personnel, and teacher training - are put into place to help combat school-based violence. These measures are not only costly and time consuming, but also have inconclusive research findings to support them. However, violence in schools can still be prevented. Research has found support for the role that student reporting has in preventing violence. However, many students may choose not to report violent crimes. Using a modified version of Sykes & Matza’s 1957 Techniques of Neutralization theory, the current study aimed to understand the reasons students have for not reporting violent crime. To do so, I employed a two-step research strategy, analyzing the predictors of neutralizations and analyzing neutralizations as predictors of student reporting behaviors. The findings show some support for predictors of neutralizations, as well as neutralizations as predictors of reporting behaviors. Policy suggestions are provided at the end of the study

Raising the information security awareness level in Saudi Arabian organizations through an effective, culturally aware information security framework

The focus of the research is to improve the security of information systems in Saudi Arabian knowledge-intensive organisations by raising the awareness level among all types of information system users. This is achieved by developing a culturally aware information security framework that requires the involvement of all types of information system user. Saudi Arabia has a unique culture that affects the security of information systems and, hence, the development of this information security framework. The research uses Princess Nora bint Abdul Rahman University (PNU), the largest all female university in Saudi Arabia, as a case study. The level of information security awareness among employees at Saudi Arabia Universities was tested. Surveys and interviews were conducted to gather data related to the information security system and its uses. It was found that most employees in Saudi Arabian organisations and universities are not involved in the development of any information security policy and, therefore, they are not fully aware of the importance of the security of information. The purpose of this study is to develop a cultural aware information security framework that does involve all types of employees contributing to the development of information security policy. The framework, consists of nine steps that were adapted, modified and arranged differently from the international best practice standard ISO 27K framework to fit the unique culture in Saudi Arabia. An additional step has been added to the framework to define and gather knowledge about the organisations population to justify its fit into the segregated working environment of many Saudi Arabian institutions. Part of the research objective is to educate employees to use this information security framework in order to help them recognise and report threats and risks they may encounter during their work, and therefore improve the overall level of information security awareness. The developed information security framework is a collection of ISO 27k best practice steps, re-ordered, and with the addition of one new step to enable the framework to fit the situation in Saudi Arabian segregation working environments. A before-assessment methodology was applied before the application of the culturally aware information security policy framework between two universities, Imam University which has ISO27K accreditation and PNU, the case study, to measure and compare their users information security awareness level. Then, an after-assessment methodology is used to demonstrate the framework effectiveness by comparing the level of awareness before the application of the culturally aware information security policy framework with the level of the awareness knowledge gained after the application

DYNAMICS OF IDENTITY THREATS IN ONLINE SOCIAL NETWORKS: MODELLING INDIVIDUAL AND ORGANIZATIONAL PERSPECTIVES

This dissertation examines the identity threats perceived by individuals and organizations in Online Social Networks (OSNs). The research constitutes two major studies. Using the concepts of Value Focused Thinking and the related methodology of Multiple Objectives Decision Analysis, the first research study develops the qualitative and quantitative value models to explain the social identity threats perceived by individuals in Online Social Networks. The qualitative value model defines value hierarchy i.e. the fundamental objectives to prevent social identity threats and taxonomy of user responses, referred to as Social Identity Protection Responses (SIPR), to avert the social identity threats. The quantitative value model describes the utility of the current social networking sites and SIPR to achieve the fundamental objectives for averting social identity threats in OSNs. The second research study examines the threats to the external identity of organizations i.e. Information Security Reputation (ISR) in the aftermath of a data breach. The threat analysis is undertaken by examining the discourses related to the data breach at Home Depot and JPMorgan Chase in the popular microblogging website, Twitter, to identify: 1) the dimensions of information security discussed in the Twitter postings; 2) the attribution of data breach responsibility and the related sentiments expressed in the Twitter postings; and 3) the subsequent diffusion of the tweets that threaten organizational reputation