40 research outputs found

    A Common Description and Measures for Perceived Behavioral Control in Information Security for Organizations.

    Understanding employees’ security behavior is required before effective security policies and training materials can be developed. Anti-virus software, secure systems design methods, information management standards, and information systems security policies, which have been developed and implemented by many organizations, have not been successfully adopted. Information systems research is encompassing social aspects of systems research more and more in order to explain user behavior and improve technology acceptance. The theory of planned behavior, based on the attitude, subjective norm, and perceived behavioral control (PBC) constructs, considers intentions as cognitive antecedents of actions or behavior. This study reviews various research on PBC and finds the most common measures for PBC, which can be used in organizations to develop a method to influence employees’ perceived behavioral control positively with the goal of inducing positive security behavior. Further, a conceptua

    Risk compensation behaviors on cascaded security choices

    Organizations are interested in improving information security and make use of a range of technical, organizational, or behavioral measures. The different approaches to improving information security must not be viewed as being isolated, instead, different measures might influence each other. Security efforts fail when technical measures influence human behavior in a way that their security perceptions and behaviors are altered to the disadvantage of the security outcome. Those unintended consequences of information security practices can be classified as risk compensation behaviors, describing how users become more careless when they perceive some level of protection. This research in progress is interested in understanding risk compensation behaviors for cascaded security choices by different actors (e.g., security decisions made by organizations vs. decisions made by individuals) and presents a lab experiment to test this issue

    Information Security Policy Compliance: An Ethical Perspective

    Ethical issues are key factors with respect to compliance intention with information security policies (ISPs). As such, understanding employees’ compliance behavior with ISPs from ethical lenses is an important first step to leverage knowledge worker assets in efforts targeted toward reducing information security risks. This study proposes an integrated model that combines the Theory of Reasoned Action (TRA) and ethics theories, deontology and teleology, to examine users’ behavioral intention to comply with ISPs. This is research in progress, and an instrument is under development to conduct a survey study to gather data from employees in the banking sector in Jordan

    UNDERSTANDING ORGANIZATION EMPLOYEE'S INFORMATION SECURITY OMISSION BEHAVIOR: AN INTEGRATED MODEL OF SOCIAL NORM AND DETERRENCE

    Employee's information security behavior is critical to ensuring the security of an organization's information assets. Countermeasures, such as information security policies, are helpful to reduce computer abuse and information systems misuse. However, employees in practice tend to engage in these violation behaviors, although they know the policies and countermeasures. Undoubtedly, these omission behaviors will bring big losses or other potential risks to information asset security. The current study tries to clarify the factors influencing information security omission behaviors and how these driving factors work. From an organizational control perspective, we integrate deterrence theory and social norm theory to construct the research model. We expect deterrence (as normal control) will effectively decrease omission behavioral intention. Besides, colleagues' security omission behaviors may mislead some employees' behaviors more or less, which can easily form an erroneous code of conduct and induce similar omission behaviors. To date, misperception of social norms (as informal control) has not received sufficient attention in IS security literature and we believe that may provide a new perspective to understand the formation mechanism of security omission behaviors

    The Role of Formal and Social Control in Information Security Behaviors

    The purpose of this study is to explore the effect of formal and social control on in-role and extra-role security behaviors. Following past studies, we reexamine the effect of formal control on behaviors. Based on social control theory, we further hypothesize the effect of social control on security behaviors. Data collected from 259 members of IS departments confirmed our hypotheses that both formal control and social control generate effects on both in-role and extra-role security behaviors. Implications for academia and practitioners are also provided

    Factors Affecting Computer Crime Protection Behavior

    This research aimed to investigate factors that affect computer crime protection behavior, based on the protection motivation theory. Personal factors were considered, including: conscientious personality, perceived value of data, prior experience, and environmental factors. In addition, other factors were evaluated, including: subjective norm, security knowledge, and safeguard costs. These factors are mediated by threat appraisal and coping appraisal. The data were collected from 600 personal computer users by use of a questionnaire. Data were analyzed using structural equation modeling. Findings showed that all factors had significant effects on the computer crime protection behavior. In addition, the results showed that security knowledge, one of the environmental factors, had the strongest effects on coping appraisal which subsequently had the strongest impact on protection behavior

    An annotated bibliography of multidisciplinary information security resources, for the purpose of maintaining privacy and confidentiality in New Zealand government records management

    Research Problem: Maintaining privacy and confidentiality of data in an age of e-government and electronic recordkeeping is one of the key challenges for records management staff today. In New Zealand this issue has attracted negative attention through several recent public sector privacy and security breaches, raising questions about systemic issues, accountability, and a disconnect between strategy and implementation. How government responds will depend in large measure on the advice received regarding solutions to information security. A bibliographic gap on the relationship between records management and information security has been identified in the academic literature. Methodology: Using targeted search strategies this annotated bibliography draws together articles from a range of journals with the aim of developing a consolidated resource for practitioners to become acquainted with the multifaceted and multidisciplinary nature of information security. The outcome is a resource directly relevant to the New Zealand context, which identifies key perspectives, relationships, technical issues, and shortcomings in research. Results: Key findings relate to publishing trends, divided disciplines, and shortcomings in research pertaining to records management relationships with IT groups and engagement in e-government. Implications: Includes the development of more comprehensive e-government information and security strategies, the re-examination and utilisation of existing relationships, and the strengthening of records management's position as a contributor to research and leadership in the array of possible responses to information security

    Information Security Policy Compliance: The Role of Information Security Awareness

    Compliance and systems misuse have been the focus of researchers in the last couple of years. However, given that voids in this area are still significant and systems abuse is a pressing issue likely to persist in the future, more investigation is needed in this area. Toward this end, we conducted a research study to help understand factors motivating compliance behavior intentions. Drawing on the Theory of Planned Behavior, we investigated the role of users’ self-learning and knowledge of security issues in shaping their attitudes toward compliance with information security policies (ISPs). We collected data from nine financial organizations to test the proposed research model. Results show that employees’ previous knowledge of security issues and technologies has a significant positive impact on their attitudes toward compliance with ISPs. This study sheds light on the importance of users’ general awareness of security issues and technologies in shaping their attitudes to comply with ISPs

    Understanding the Effect of Tie Strength on Continuance Intention of Second-Generation Mobile Instant Messaging Services

    Facilitated by the widespread adoption of smartphones, applications (apps) on smartphones such as WeChat and WhatsApp have seen rapid and explosive growth. These apps are generally referred to as second-generation mobile instant messaging (SMIM) services. Unlike first-generation mobile instant messaging (FMIM) services (e.g. Short Message Service), SMIM services typically support multimedia contents and are embedded within social networks, which may have a bearing on the post-adoption behaviour of users in particular. However, prior studies on the post-adoption usage of SMIM services have a limited understanding of the effects of social network. Network tie strength, as a configuration of social network, has an important impact on users in SMIM services. In order to explore the effects of social network on users’ continued usage intention in SMIM services, we propose and empirically test an integrated model by identifying the antecedents such as tie strength, satisfaction, and perceived critical mass. This study contributes to existing IS post-adoption literature by understanding and capturing the role of social network (i.e. tie strength) in SMIM services. Implications for theory and practice are discussed

    ANALYSIS OF FACTORS AFFECTING THE CYBERSECURITY OF A HIGHER MILITARY EDUCATIONAL INSTITUTION

    The impact of the development and dissemination of information and communication technologies (ICT) in higher military educational institutions (HMEI) is considered in the article, as on the one hand, it increases its efficiency and promotes the training of highly qualified personnel (tactical, operational and strategic level of military education) for the Security Sector and defense of Ukraine, which is extremely necessary in the case of armed aggression by the Russian Federation, and on the other hand, it makes its information space vulnerable to cyberattacks, which the issue of cybersecurity of HMEI raises. At the same time, the author focuses on the analysis of cyber-attacks on educational institutions in recent years, which are due to the development of methods (means) of their implementation and wide access to them by various users, including attackers. In addition, Distributed Denial of Service (DDoS) cyber-attack is the most common cyber threat to international educational institutions, according to an analytical report by Netscout (a developer of ICT solutions to combat DDoS cyberattacks in the United States). It has been analyzed that criminals have recently used DDoS cyberattacks to extort money. Moreover, DDoS cyberattacks were aimed at banks, stock exchanges, travel agencies, currency exchanges and educational institutions. Therefore, the cybersecurity of HMEI needs constant attention from the participants of its provision. In addition, the analysis shows that the cybersecurity of any university is influenced by external and internal factors, which confirm the relevance of the chosen area of research. Therefore, the cybersecurity of HMEI requires an analysis of the factors that affect it, in order to choose the best option for its implementation. Accordingly, the essence and main features of the impact of factors on the cybersecurity of HMEI are identified and their characteristics are presented. 
    The influence of factors on the cybersecurity of HMEI has been decomposed, in particular by the interdependence and criticality of their impact. The necessity of taking into account and constantly monitoring the influence of external and internal factors on the cybersecurity of HMEI is substantiated, which provides situational awareness of the current state of cybersecurity and allows management to make appropriate decisions.