6 research outputs found

    Toward an Effective SETA Program: An Action Research Approach

    This study uses action research methods at a large US healthcare facility to create a security education training and awareness (SETA) program that is focused on three threats: phishing, unauthorized use of cloud services, and password sharing. The SETA training was based on self-regulation theory. Findings indicate that the training was effective at helping users to identify and avoid all three threats to the environment. Future research directions based on this study are also discussed.

    IT Security Policy Compliance: A University Perspective


    Risk Management and Information Security of the Fortalece Perú Program of the MTPE, 2019 (Gestión de riesgos y seguridad de la información del Programa Fortalece Perú del MTPE, 2019)

    The main objective of this research is to determine the relationship between risk management and information security in the Fortalece Perú Program of the MTPE, 2019. The study was basic research at a descriptive-correlational level, with a non-experimental, cross-sectional design, and a population and sample of 25 consultants from the Fortalece Perú Program. The hypothetico-deductive method was applied under a quantitative approach, and the data were processed with the SPSS statistical software; the Cronbach's alpha coefficient was 0.753 (75.3%), obtained from 22 items for the Risk Management variable, and 0.753 (75.3%), from 14 items for the Information Security variable. These values indicated that reliability was strong for both variables; in addition, the expert judgment was affirmative, with all three experts validating the instrument, meaning that the instrument (questionnaire) was reliable and applicable to the study population. A direct and significant medium-level relationship was found between risk management and information security in the Fortalece Perú Program 2019, with a Spearman's rho of 0.661. Accordingly, the use of the methodologies of both variables was proposed to ensure business continuity.

    Orientation and Social Influences Matter: Revisiting Neutralization Tendencies in Information Systems Security Violation

    It is estimated that over half of all information systems security breaches are due directly or indirectly to the poor security practices of an organization's employees. Previous research has shown neutralization techniques as having influence on the intent to violate information security policy. In this study, we proposed an expansion of the neutralization model by including the effects of business and ethical orientation of individuals on their tendencies to neutralize and compromise with information security policy. Additionally, constructs from social influences and pressures have been integrated into this model to measure the impact on the intent to violate information security policy from social perspectives. This study is a quantitative study that used a survey methodology for data collection. A stratified sampling method was used to ensure equal representation in the population. A sample of members was collected using a random sampling procedure from each stratum. All data were collected by sending a survey link via email through SurveyMonkey's participant outreach program to the aforementioned groups. Partial least squares were used for data analysis. Findings showed business and ethical orientation had a negative impact on accepting neutralization techniques which ultimately result in the intent to violate information security policy. Furthermore, this research found neutralization, social influences, and social pressures as having 24 percent of influence to violate information security policy. Business orientation and ethical orientation contributed to 15 percent of influence in variance on employees accepting neutralization techniques. Implications of this research suggest information security policies can be compromised by employees and additional measures are needed. Behavioral analytics may provide an understanding of how employees act and why. Routine training is necessary to help minimize risks, and a healthy security culture will promote information security as a focal point to the organization.

    Peers matter: The moderating role of social influence on information security policy compliance

    Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command-and-control and self-regulatory approaches on employee ISP compliance. However, how social influence at both individual and organizational levels impacts the effectiveness of these two approaches has not been adequately explored. This study proposes a social contingency model in which a rules-oriented ethical climate (employee perception of a rules-adherence environment) at the organizational level and susceptibility to interpersonal influence (employees observing common practices via peer interactions) at the individual level interact with both command-and-control and self-regulatory approaches to affect ISP compliance. Using employee survey data, we found that these two social influence factors weaken the effects of both command-and-control and self-regulatory approaches on ISP compliance. Theoretical and practical implications are also discussed.