
    Effects of a Comprehensive Computer Security Policy on Computer Security Culture

    It is well known that humans are the weakest link in computer security, and that developing and maintaining a culture of computer security is essential for managing the human aspect of computer security. It is less well known how a comprehensive computer security policy, incorporating both information technology computer security and operational technology computer security, impacts a culture of computer security. While a literature review of this domain includes research on the impact of various aspects of a computer security policy on computer security culture, no peer-reviewed research was found that explained the impact of a comprehensive computer security policy on computer security culture through an understanding of its direct or indirect effects. Thus, it is the thesis of this study that a comprehensive computer security policy has a direct effect on computer security culture, which can be further explained through indirect effects.

    A Social Cognitive Neuroscience Approach to Information Security

    Information security (InfoSec) represents a significant challenge for private citizens, corporations, and government entities. Breaches of InfoSec may lower consumer confidence (Yayla & Hu, 2011), shape national and international politics (Groll, 2017), and represent a significant threat to the world economy (e.g., estimated costs of breaches related to cybercrime were $3 trillion in 2015; Cybersecurity Ventures). Significant progress has been made in the context of developing and refining hardware and software infrastructure to thwart cybercrime (Ayuso, Gasca, & Lefevre, 2012; Choo, 2011). However, much less attention has been devoted to understanding the factors that lead individuals within an organization to compromise the digital assets of a company or government entity (Posey, Bennett, & Roberts, 2011; Warkentin & Willison, 2009). The need for a greater understanding of the causes of insider threat becomes readily apparent when one considers that roughly 50% of security violations result from the activities of individuals within an organization (Richardson, 2011). Additionally, in a recent survey 89% of respondents felt that their organizations were at risk from an insider attack, and 34% felt very or extremely vulnerable (Vormetric Data Security, 2015). In this paper we describe our program of research, which examines the neural basis of individual decision making related to InfoSec and is grounded in a social cognitive neuroscience approach. We also consider evidence from studies examining the effects of individual and cultural differences on decision making related to InfoSec. Together this evidence may serve to motivate future research that integrates theories from neuroscience and the social and behavioral sciences in order to deepen our understanding of the factors that lead individuals to compromise InfoSec.

    Too Much of a Good Thing? An Investigation of the Negative Consequences of Information Security in a Healthcare Setting

    Information security is becoming a prime concern for individuals and organizations. This is especially true in healthcare settings, where widespread adoption of integrated health information systems means that a vast amount of highly sensitive information on patients is accessible through many interaction points across the care delivery network. In this research in progress, we seek to uncover how individuals react when they perceive that their security environment is stressful. To do so, we conducted a case study using an inductive approach based on semi-structured interviews with 41 participants. The preliminary analysis of some of our interviews showed that too much security in a health setting can bring negative consequences such as evoking negative emotions in users toward the system, increased dissatisfaction, and an increase in inappropriate workarounds, which can lead to ineffective usage of the system and eventually can put patients’ health at risk.

    Development of the MyCyberSkills™ iPad App: A Scenarios-Based, Hands-On Measure of Non-IT Professionals’ Cybersecurity Skills

    Although advances in Information Technology (IT) have been significant over the past several decades when it comes to protection of corporate information systems (IS), human errors and social engineering appear to prevail in circumventing such IT protections. While most employees may have the best of intentions, without cybersecurity skills they represent the weakest link in an organization’s IS security. Skills are defined as the combination of knowledge, experience, and ability to do something well. Cybersecurity skills correspond to the skills surrounding the hardware and software required to execute IS security to mitigate cyber-attacks. However, the current measures of end-user cybersecurity skills are based on self-reported surveys. This study is the second phase of a larger research project that aims to develop a scenario-based iPad application to measure cybersecurity skills based on actual scenarios with hands-on tasks that the participants complete to demonstrate their skills. To design a measure that has both high validity and reliability, subject matter experts’ (SMEs’) opinions of the top nine cybersecurity skills and their skill importance weights were identified in the first phase of the study following the Delphi method. This phase of the research in progress involves the design and development of the MyCyberSkills™ iPad application (app) using scenario-based, hands-on tasks related to each of the nine SME-identified cybersecurity skills.

    UNDERSTANDING ORGANIZATION EMPLOYEE'S INFORMATION SECURITY OMISSION BEHAVIOR: AN INTEGRATED MODEL OF SOCIAL NORM AND DETERRENCE

    Employees' information security behavior is critical to ensuring the security of an organization's information assets. Countermeasures, such as information security policies, help to reduce computer abuse and information systems misuse. However, employees in practice tend to engage in these violation behaviors even though they know the policies and countermeasures. Undoubtedly, these omission behaviors bring large losses or other potential risks to information asset security. The current study tries to clarify the factors that influence information security omission behaviors and how these driving factors work. From an organizational control perspective, we integrate deterrence theory and social norm theory to construct a research model. We expect that deterrence (as formal control) will effectively decrease omission behavioral intention. Besides, colleagues' security omission behaviors may mislead some employees' behaviors to a greater or lesser extent, which easily forms an erroneous code of conduct and induces similar omission behaviors. To date, misperception of social norms (as informal control) has not received sufficient attention in the IS security literature, and we believe it may provide a new perspective for understanding the formation mechanism of security omission behaviors.

    Critical role of ethical leadership on information security climate and employee ISP violation behavior

    Employees have been considered one of the major threats to organizational information security. Prior research has considered many factors that can influence information security policy (ISP) violation behaviors. However, the interaction factors between leaders and employees have not been investigated in depth. Based on social learning theory and social information processing theory, this paper aims to investigate the relationship between ethical leadership and employees’ ISP violation intentions, as well as the mediating effect of organizational information security climate. Our results will provide guidance to future studies investigating the influence of leadership on employees’ security behavioral intention and contribute to both leadership and information security research.

    The Role of Abusive Supervision and Interactional Justice in Employee Information Security Policy Noncompliance Intention

    Employee information security noncompliance behaviors may ruin an organization’s reputation; thus, much scholarly effort has been devoted to reducing deviant behaviors in organizations. We attempt to determine what motivations may contribute to the formation of employees’ noncompliance behavioral intentions. The proposed research model links abusive supervision and policy noncompliance intention in an information security context. Drawing on organizational justice research, this work explores the role of abusive supervision in employees’ noncompliance with information security policy from an interactional justice perspective, and further proposes that the effect of interactional justice on noncompliance intention is moderated by the certainty and severity of sanctions, based on general deterrence theory. We present a theoretical foundation for this investigation and an empirical design for exploring this research question. We also propose a plan for a research design and data collection, with results to be presented in the future.

    Predicting Insider’s Malicious Security Behaviours: A General Strain Theory-Based Conceptual Model

    Insiders’ malicious information security behaviours have always been a persistent problem requiring urgent mitigation solutions. More recently, seminal calls for future research suggested exploring the influences of employee-workplace interaction and pre-kinetic events such as organisational injustice, since these are argued to have a potential impact on an insider’s intention to perform abusive computer behaviours. This study responds to those calls by investigating the relationship between organisational injustice and an insider’s intention to commit malicious security behaviours. In addition, it employs General Strain Theory, a highly influential theory in criminology that has received little attention in information security behavioural research. The literature review suggested that the employed theory has a close relationship with organisational injustice concepts, and it therefore adds further explanation of why insiders deliberately perform computer abuses. As a result, a testable conceptual model incorporating strains, disgruntlement and organisational injustice is proposed to describe the relationships between those factors and insiders’ malicious information security behaviours. The research concludes with the model’s potential implications and limitations, and provides future directions.

    Why do Healthcare Organizations Choose to Violate Information Technology Privacy Regulations? Proposing the Selective Information Privacy Violations in Healthcare Organizations Model (SIPVHOM)

    Privacy concerns about protected healthcare information (PHI) are rampant because of the ease of access to PHI since the advent of Healthcare IT (HIT) and its exploding use. Continual negative cases in the popular press attest to the fact that current privacy regulations are failing to keep PHI sufficiently secure in the climate of increased HIT use. To address these issues, this paper proposes a theoretical model with testable hypotheses to explain and predict organizational IT privacy violations in the healthcare industry. Our model, the Selective Information Privacy Violations in Healthcare Organizations Model (SIPVHOM), explains how organizational structures and processes and the characteristics of regulatory environments alter perceptions of risk, and thereby the likelihood of rule violations. Finally, based on SIPVHOM, we offer recommendations for the structuring of regulatory environments and organizational structures to decrease abuse of PHI.

    Information Systems Security Policy Violation: Systematic Literature Review on Behavior Threats by Internal Agents

    Systematic literature review (SLR) addresses the question of structured literature searches when dealing with a potentially large number of literature sources. An example of a large body of literature where SLR would be beneficial can be found in the Information Systems security literature that touches on internal agents’ behavior and tendencies to violate security policies. Upon close examination, very few studies have used SLR in this work. This work presents an insightful approach to how SLR may be applicable in the domain of Information Systems security. The article presents a summary of the SLR approach, contextualized in the domain of IS security, in order to address such a gap. Rigor and relevance are systematized in the work through a pre-selection and coding of literature using Atlas.ti. The outcome of the SLR process outlined in this work is a presentation of the literature in three pre-determined schemes, namely: the theories that have been used in the information systems security violations literature, the categorization of security violations as presented in the literature, and the contexts in which these violations occur. The work concludes by presenting suggestions for future research.