
    UNIX Administrator Information Security Policy Compliance: The Influence of a Focused SETA Workshop and Interactive Security Challenges on Heuristics and Biases

    Information Security Policy (ISP) compliance is crucial to the success of healthcare organizations due to security threats and the potential for security breaches. UNIX Administrators (UXAs) in healthcare Information Technology (IT) maintain critical servers that house Protected Health Information (PHI). Their compliance with ISP is crucial to the confidentiality, integrity, and availability of PHI data housed or accessed by their servers. The use of cognitive heuristics and biases may negatively influence threat appraisal, coping appraisal, and ultimately ISP compliance behavior. These failures may result in insufficiently protected servers and put organizations at greater risk of data breaches and financial loss. The goal was to empirically assess the effect of a focused Security Education, Training, and Awareness (SETA) workshop, an Interactive Security Challenge (ISC), and periodic security update emails on UXAs' knowledge sharing, use of cognitive heuristics and biases, and ISP compliance behavior. This quantitative study employed a pretest and posttest experimental design to evaluate the effectiveness of a SETA workshop and an ISC on the ISP compliance of UXAs. The survey instrument was developed based on prior validated instrument questions and augmented with newly designed questions related to the use of cognitive heuristics and biases. Forty-two participants completed the survey prior to and following the SETA, ISC, and security update emails. Actual compliance (AC) behavior was assessed by comparing the results of security scans on administrators' servers prior to and 90 days following the SETA workshop and ISC. SmartPLS was used to analyze the pre-workshop data, post-workshop data, and combined data to evaluate the proposed structural and measurement models. The results indicated that Confirmation Bias (CB) and the Availability Heuristic (AH) were significantly influenced by Information Security Knowledge Sharing (ISKS). Optimism Bias (OB) did not reach statistically significant levels relating to ISKS. OB did, however, significantly influence perceived severity (TA-PS), perceived vulnerability (TA-PV), response-efficacy (CA-RE), and self-efficacy (CA-SE). Also, it was noted that all five security implementation data points collected to assess pre- and post-workshop compliance showed statistically significant change. A total of eight hypotheses were accepted and nine hypotheses were rejected.

    The technological panopticon: electronic monitoring and surveillance within the workplace: employee turbulence through perceptions of privacy infringement

    As organizations work towards securing their digital assets and intellectual property from external threats, the latest information security reports indicate that the biggest threat remains from inside. The insider threat has become one of the biggest exploitable vulnerabilities corporates face, as a level of trust is placed in their staff, or authenticated users, on their network to ensure corporate objectives and goals are achieved. While monitoring and surveillance in the workplace are considered symbiotic and go hand in hand as part of the employee relationship, the advancement in technological capability for electronic monitoring and surveillance (EMS) has escalated to such a degree that all aspects of an employee's workplace routine can be recorded. This research-in-progress paper hopes to utilize communication privacy management (CPM) theory to understand if increasing levels of EMS in the workplace affect employees' perception of privacy infringement.

    Toward an Effective SETA Program: An Action Research Approach

    This study uses action research methods at a large US healthcare facility to create a security education, training and awareness (SETA) program that is focused on three threats: phishing, unauthorized use of cloud services, and password sharing. The SETA training was based on self-regulation theory. Findings indicate that the training was effective at helping users to identify and avoid all three threats to the environment. Future research directions based on this study are also discussed.

    Information Systems Security Countermeasures: An Assessment of Older Workers in Indonesian Small and Medium-Sized Businesses

    Information Systems (IS) misuse can result in cyberattacks such as denial-of-service, phishing, malware, and business email compromise. The study of factors that contribute to the misuse of IS resources is well documented, and empirical research has supported the value of approaches that can be used to deter IS misuse among employees; however, age and cultural nuances exist. Research focusing on older workers and how they can help to deter IS misuse among employees and support cybersecurity countermeasures within developing countries is in its nascent stages. The goal of this study was two-fold. The first goal was to assess what older workers within Indonesian Small to Medium-sized Businesses (SMBs) do to acquire, apply, and share information security countermeasures aimed at mitigating cyberattacks. The second goal was to assess if and how younger workers share information security countermeasures with their older colleagues. Using a qualitative case study approach, semi-structured interviews were conducted with five dyads of older (50-55 years) and younger (25-45 years) workers from five SMBs in Jakarta, Indonesia. A thematic analysis approach was used to analyze the interview data, where each dyad represented a unit of analysis. The data were organized into three main themes including 1) Indonesian government IS policy and oversight, which included one topic (stronger government IS oversight needed); 2) SMB IS practices, which included three topics (SMB management issues, SMB budget constraints, SMB diligent IS practices, and IS insider threat); and 3) SMB worker IS practices, which included three topics (younger worker job performance, IS worker compliance issues, older worker IS practices) and five sub-topics under older worker IS practices (older worker diligent in IS, older worker IS challenged, older worker riskier IS practices, older worker more IS dependent, and older worker more forgetful on IS practices). Results indicated that older and younger workers at Indonesian SMBs acquire, apply, and share information security countermeasures in a similar manner: through IS information dissemination from the SMB and through communication from co-workers. Also, while younger workers share IS countermeasures freely with their older co-workers, some have negative perceptions that older co-workers are slower and less proficient in IS. Overall, participants reported positive and cohesive teamwork between older and younger workers at SMBs through strong IS collaboration and transparent information sharing. The contribution of this research is that it provides valuable empirical data on older worker behavior and social dynamics in Indonesian organizations. This was a context-specific study aimed at better understanding the situationalities of older workers within organizations in the developing country of Indonesia and how knowledge is shared within the organization. This assessment of cybersecurity knowledge acquisition, skill implementation, and knowledge sharing contributes to the development of organization-wide cybersecurity practices that can be used to strengthen Indonesian SMBs and other organizations in developing countries. This study also provides a blueprint for researchers to replicate and extend this line of inquiry. Finally, the results could shed light on how older workers can be a productive part of the solution to information security issues in the workplace.

    Barking Up the Wrong Tree? Reconsidering Policy Compliance as a Dependent Variable within Behavioral Cybersecurity Research

    A rich body of research examines the cybersecurity behavior of employees, with a particular focus on explaining the reasons why employees comply with (or violate) organizational cybersecurity policies. However, we posit that this emphasis on policy compliance is susceptible to several notable limitations that could lead to inaccurate research conclusions. In this commentary, we examine the limitations of using cybersecurity policy compliance as a dependent variable by presenting three assertions: (1) the link between policy compliance and organizational-level outcomes is ambiguous; (2) policies vary widely in terms of their clarity and completeness; and (3) employees have an inconsistent familiarity with their own organization’s cybersecurity policies. Taken together, we suggest that studying compliance with cybersecurity policies reveals only a partial picture of employee behavior. In response, we offer recommendations for future research.

    Reviewing influence of UTAUT2 factors on cyber security compliance: A literature review

    Evidence suggests that, regardless of the number of technical controls in place, organizations will still experience security breaches. Organizations spend millions of dollars on their cyber security infrastructure, which includes technical and non-technical measures, but mostly disregard the most important asset and vulnerability: the human. Therefore, despite their investments, companies are not able to reap the full benefits of their security investments because of the human/employee's non-compliance with cyber security policies and measures. Cyber security compliance is the most effective way to prevent cyber security issues and improve cyber resiliency. To effectively comply with cyber security practices and achieve human acceptance of cyber security technologies, it is important to identify, study and analyze the factors that contribute to their compliance and implementation. This study combines and integrates contemporary literature on the factors of the UTAUT2 model related to cyber security compliance. The rationale of this study is to fill the gap of assessing the effect of the factors of the UTAUT2 model on cyber security compliance. Based on this study, it can be tentatively concluded that the factors influencing technology adoption also affect users' behavior towards cyber security compliance as well as the actual cyber security compliance. This study provides a basic-level idea for organizations to formulate a fully functional and useful security compliance framework based on the factors that influence their employees' intentions and behavior towards cyber security. Consequently, the study is an exciting endeavor to prevent significant security weaknesses and reduce security breaches in information systems by explaining the different factors that strengthen users' behavior and intentions to comply with security. This is an ongoing study, and more information will emerge as it progresses. This is also an ongoing investigation, and further results and findings will be published as the investigation progresses.

    The mediating effect of intrinsic motivation on perceived work uncertainty for individual information security policy compliance

    This dissertation is centered on investigating how employees' intrinsic motivation mediates the relationship between perceived work uncertainty and individual information security policy compliance. As stay-at-home orders and unemployment increased, surveys indicated that 49% of traditional office employees experienced remote working for the first time. Work systems rapidly shifted to a reliance on home Wi-Fi networks, personal computers, and personal anti-virus software. This move created vulnerabilities to information security policies and procedures, where almost 20% of work-from-home employees were given no tips to improve information security at home (Security 2020). Unemployment increased, and remaining employees had to adapt to changing work tasks, reduced or lacking resources, and minimal technical or managerial support to navigate job uncertainty while maintaining overall information security. With organizational threats to information security increasing, it is becoming clear that little attention has been given to how individuals become intrinsically motivated when the design of work itself becomes uncertain. Taking into account the changing work and job environment and the uncertainty which this environment facilitates, we have identified a research gap: the need for individuals to rely on their skills and abilities to interpret work needs during uncertain times, and the overall intrinsically driven work motivation required to comply with organizational ISPs during times of perceived work uncertainty, has not been investigated. Using a theoretical basis of Work Design theory (Wall et al., 2002) and the Self-determination theory of work motivation (Gagné and Deci, 2005), we performed a cross-sectional survey of 269 participants at the onset and height of the global pandemic. One of the primary implications of this study and our results is the indirect mediation by intrinsic motivation of the relationship between perceived work uncertainty and intentions to comply with information security policies. Another vital aspect of our study’s findings is the view that information security policies (ISPs) themselves can become the source of uncertainty in compliance decisions. Almost all ISPs are developed to bring clarity to employees on how to address security threats while making compliance decisions. Where ISPs have been investigated regarding the demands (and impositions) they place on work goal attainment (or inhibiting work requirements), we have found that ISPs may not be able to provide answers to all security threats encountered. Overall, our results should invigorate the debate about which strategies increase intrinsic motivation and what methods should be deployed to maximize positive reactions during uncertainty concerning information security compliance behaviors. This study has provided evidence that organizations should design work practices, especially ISPs, that allow employees latitude to make ISP compliance decisions when ISPs are unclear or uncertain and where managers similarly cannot provide correct courses of remedy or action.

    Gamifying a Learning Management System: Narrative and Team Leaderboard in the Context of Effective Information Security Education

    Gamified learning management systems (LMS) can be effective in case game-design elements (GDE) address users’ motivation to engage with the topic and lower barriers to learning. In the context of Security Education, Training, and Awareness (SETA) programs, gamification is stated to be a major success factor. However, there is scarce research about the relationship between GDE and learning outcomes such as information security awareness. The evaluation of GDE regarding the application context is important because inappropriate gamified approaches can lead to negative outcomes, e.g., anxiety or inappropriate behavior. Thus, we first derive narrative and team leaderboard (TL) as appropriate GDE for the context of SETA. Second, Spearman correlation analyses indicate positive significant relationships between the experience of narrative and team leaderboard and information security awareness. Therefore, we recommend integrating narrative and team leaderboard within an LMS in the context of SETA programs.

    Understanding Contextual Factors of Bring Your Own Device and Employee Information Security Behaviors from the Work-Life Domain Perspective

    Bring Your Own Device (BYOD) is no longer the exception, but rather the norm. Most prior research on employees’ compliance with organizational security policies has been primarily conducted with the assumption that work takes place in a specified workplace, not remotely. However, due to advances in technology, almost every employee brings his or her own device(s) to work. Further, particularly as a result of the 2020 Covid-19 pandemic, remote working has become very popular, with many employees using their own devices for work-related activities. BYOD brings new challenges in ensuring employees’ compliance with information security rules and policies by creating a gray area between the work and life domains, as it diminishes the boundaries that separate them and thus affects employees’ perception of them. As yet, little is known about how BYOD changes individuals’ perception of work-life domains and how such perception may subsequently affect their compliance behavior. Building on prior research on information security behaviors and work-life domain management, this thesis investigates the possible effects of BYOD on employees’ compliance behavior through the changes it brings about in their work-life domain perspective. It extends existing border theory by identifying and empirically validating new border marking factors—namely, device ownership and data sensitivity—in employees’ interpretation of their work and life domains. Subsequently, protection motivation theory, a theory widely used in explaining employees’ compliance behavior, was used to examine why and how the perception of work-life domains is relevant and necessary to consider in examining employees’ intention to comply with information security policies.

    Do individual employees’ security compliance intentions relate to workgroup security effectiveness?

    This paper examines how individual security inputs (i.e., security compliance intention and perceived security knowledge) are processed to produce information security effectiveness in the workgroup. Based on the input-process-output framework, we investigate the multi-level relationships between focal variables. For the analysis, a multi-level structural equation model will be used. In particular, the study potentially contributes to the understanding of security management by showing how individual compliance intention can be mediated by security knowledge coordination and how this mediation works conditionally based on empowering security leadership and perceived security knowledge. Further possible contributions are discussed in the paper.