9 research outputs found

    Risk and Demographics’ Influence on Security Behavior Intentions

    Behavioral information security has become an important aspect of information security. In this study, we extend previous work on developing a comprehensive tool to measure security behaviors, the Security Behavior Intentions scale (SeBIS; Egelman & Peer, 2015). We extend the work on SeBIS by 1) proposing the use of security domain-specific risk as opposed to a generic risk measure, 2) investigating differences in SeBIS across age, gender, education and experience, and 3) providing suggestions for improving SeBIS measures. Survey results from our study provide support for the security risk to device securement relationship, a previously unsupported link. We also uncover the role of demographics in influencing SeBIS. Overall, our study contributes to, and further establishes, SeBIS as a predictive tool for measuring security behaviors. doi:10.17705/3JSIS.0001

    Exploring Strategies for Enforcing Cybersecurity Policies

    Some cybersecurity leaders have not enforced cybersecurity policies in their organizations. The lack of employee cybersecurity policy compliance is a significant threat to organizations because it leads to security risks and breaches. Grounded in the theory of planned behavior, the purpose of this qualitative case study was to explore the strategies cybersecurity leaders use to enforce cybersecurity policies. The participants were cybersecurity leaders from 3 large organizations in southwest and northcentral Nigeria who are responsible for enforcing cybersecurity policies. Data collection included semi-structured interviews with participating cybersecurity leaders (n = 12) and analysis of cybersecurity policy documents (n = 20). Thematic analysis identified 4 primary themes: security awareness and training, communication, management support, and technology control. A key recommendation is that organizations should have a chief information security officer for oversight of cybersecurity. Employee cybersecurity compliance should be reviewed regularly throughout the year to drive improvement and the desired cybersecurity behavior. The implications for positive social change include the potential for cybersecurity leaders to implement cybersecurity measures that could enhance the public's confidence by assuring them of the confidentiality and integrity of their data and the availability of services.

    Deterrence and punishment experience impacts on ISP compliance attitudes


    Impact of Sanctions and Awareness on Intention to Comply with Information Security

    Employees in higher education are likely to violate information security policies because of the open nature of academic institutions. Policy violations can lead to data breaches and identity theft that harm businesses and individuals. The purpose of this quantitative, correlational, cross-sectional study, based on general deterrence theory and neutralization theory, was to analyze the relationships between the independent variables (severity of sanctions, vulnerability to sanctions, and awareness of consequences) and the dependent variable (intention to comply with the information security policy). Participants (n = 100) who work in a higher education institution with an information security policy completed an online survey. Multiple linear regression analysis showed that all of the independent variables had a significant relationship with the dependent variable, intention. Severity had the strongest relationship, followed by awareness and then vulnerability. Understanding the relationships between severity, vulnerability, awareness, and intention may aid information security practitioners in creating programs that increase compliance with information security policy and decrease the number of data breaches. Decreasing the number of data breaches could reduce incidents of identity theft, fraud, compromised medical records, and small business bankruptcies, thus contributing to positive social change.

    Exploring Data Security Management Strategies for Preventing Data Breaches

    Insider threat continues to pose a risk to organizations and, in some cases, to the country at large. Data breach events continue to show that the insider threat risk has not subsided. This qualitative case study sought to explore the data security management strategies used by database and system administrators to prevent data breaches by malicious insiders. The study population consisted of database administrators and system administrators from a government contracting agency in the northeastern region of the United States. General systems theory, developed by Von Bertalanffy, was used as the conceptual framework for the study. Data collection consisted of interviews with database and system administrators (n = 8), review of organizational documents and processes (n = 6), and direct observation of a training meeting (n = 3). Methodological triangulation and member checking of the interviews and direct observations were used to enhance the validity of the findings. Through thematic analysis, 4 major themes emerged: enforcement of organizational security policy through training, use of multifaceted identity and access management techniques, use of security frameworks, and use of strong technical control operations mechanisms. The findings may benefit database and system administrators by enhancing their data security management strategies for preventing data breaches by malicious insiders. Enhanced data security management strategies may contribute to social change by protecting organizational and customer data from malicious insiders, whose actions could otherwise lead to espionage, identity theft, trade secret exposure, and cyber extortion.

    Understanding Contextual Factors of Bring Your Own Device and Employee Information Security Behaviors from the Work-Life Domain Perspective

    Bring Your Own Device (BYOD) is no longer the exception but the norm. Most prior research on employees' compliance with organizational security policies has assumed that work takes place in a specified workplace rather than remotely. However, due to advances in technology, almost every employee brings his or her own device(s) to work. Further, particularly as a result of the 2020 Covid-19 pandemic, remote working has become very common, with many employees using their own devices for work-related activities. BYOD brings new challenges for ensuring employees' compliance with information security rules and policies: it creates a gray area between the work and life domains by diminishing the boundaries that separate them, and thus changes how employees perceive those domains. As yet, little is known about how BYOD changes individuals' perception of the work-life domains and how that perception may in turn affect their compliance behavior. Building on prior research on information security behaviors and work-life domain management, this thesis investigates the possible effects of BYOD on employees' compliance behavior through the changes it brings about in their work-life domain perspective. It extends existing border theory by identifying and empirically validating new border-marking factors, namely device ownership and data sensitivity, in employees' interpretation of their work and life domains. Protection motivation theory, a theory widely used to explain employees' compliance behavior, was then used to examine why and how the perception of the work-life domains is relevant and necessary to consider when examining employees' intention to comply with information security policies.

    Assessing information security compliant behaviour using the self-determination theory

    Information security research shows that employees are the source of some of the security incidents in organisations. This often results from failure to comply with Information Security Policies (ISPs). The question, therefore, is how to improve the information security behaviour of employees so that it complies with the ISPs. This study aims to contribute to the understanding of information security behaviour, and especially how it can be improved, from an intrinsic motivation perspective. A review of the literature suggested that research on information security behaviour is still predominantly based on the extrinsic perspective, while the intrinsic perspective has received much less attention. The study was therefore carried out from the perspective of self-determination theory (SDT), since this theory has also received little attention in the study of information security behaviour. The study proposed an information security compliant behaviour conceptual model based on self-determination theory (ISCBMSDT). Based on this model, a questionnaire, the ISCBMSDT questionnaire, was developed using the Human Aspects of Information Security Questionnaire and SDT. Using this questionnaire, a survey (n = 263) was carried out at a South African university, and responses were received from academic, administrative and operational staff. The following statistical analyses were carried out on the data: exploratory factor analysis, reliability analysis, analysis of variance (ANOVA), independent samples t-tests and Pearson correlation analysis. The responses suggest that autonomy questions received the most positive perception, followed by competence questions and then relatedness questions. The correlation analysis shows a statistically significant relationship between the competence and autonomy factors. A partially significant relationship between the autonomy and relatedness factors, as well as between the competence and relatedness factors, was also observed. The exploratory factor analysis performed on the questionnaire produced 11 factors. Cronbach's alpha was then computed for the eleven factors and all were found to be above 0.7, suggesting that the questionnaire is valid and reliable. The results also suggest that competence and autonomy could be more important than relatedness in directing information security behaviour among employees.

    Employees' Information Security Awareness and Behavioural Intentions in Higher Education Institutions in Oman

    Organisations throughout the world face threats to the security of their information. In most organisations these threats are thought to be a consequence of employees' lack of knowledge of information security, of secure behaviours, and/or of the possible harm to their organisation of not complying with its information security policy (ISP). Empirical research is therefore needed to explore the main threats to information security and the factors that influence how employees intend to behave in relation to information security policies. The main aims of this research were to investigate employees' ISP compliance behaviour intentions and to explore the organisational and human factors that influence them. To that end, four studies were conducted to explore the views of both those responsible for information security (IT staff and system administrators) and non-security employees from a range of higher education institutions in the Sultanate of Oman. First, interviews were conducted with eight IT staff and system administrators from Omani universities and colleges to explore the common current information security threats, organisational information security processes, and their perceptions of employee information security behaviour in general and ISP compliance in particular. The findings of this study showed weaknesses in information security across the organisations, and IT staff suggested that employees may not be aware of information security and do not comply with their organisation's ISP. The reported perceptions of IT staff and system administrators were used to design the survey of employee knowledge, awareness and behaviour intentions used in the second study. The second study used a questionnaire-based survey designed from the knowledge gained from the first study, a review of the relevant literature, and the actual ISPs in use at the participating organisations. Data from 503 employees from multiple higher education institutions were analysed. The survey comprised three parts: (i) demographic questions, (ii) 14 information security scenario questions designed to elicit employee behaviour intentions, and (iii) questions on some of the factors influencing their behaviour (underpinned by current theories in psychology). The results show that employees' behaviour intentions vary according to the information security scenario they face, and that the biggest perceived influences on their behaviour are trust and authority. The third study involved 17 IT staff and system administrators from six higher education institutions. Using the same questionnaire as the second study plus qualitative questions, the aim of this third study was to understand which behaviours IT staff and system administrators saw as most important and which non-ISP-compliant behaviours they would nevertheless deem acceptable. The results highlight the relationship between the behaviours that IT staff rate as important and whether or not staff intend to adopt those behaviours. The fourth study used four focus groups (n = 21) from one higher education institution to further explore why employees may not intend to comply with the organisation's ISP and the factors that influence these non-compliance intentions. The focus groups also explored the employees' recommendations for improving organisational information security management. The findings of this study yielded recommendations for developing information security management in organisations, together with the motivators and barriers that influence employees' security behaviours. Finally, the results of the four studies were analysed together. It was found that staff consider communicating the information security policy, ongoing information security risk assessment, ongoing awareness and training, management support and commitment, and good communication to be important factors in information security compliance intentions. Secondly, it was found that the way organisations manage information security, and human factors in particular (mostly to do with trust and authority), matters most in maximising compliance intentions. Recommendations were provided to improve organisational information security management and to encourage employees to comply with ISPs.