84 research outputs found

    Determinants that affect information security awareness and behavior: A systematic literature review

    In today’s digital age, it is crucial for all organizations to manage their information systems security. This makes them potentially endangered by actions of employees and users. So there is a need of investing more on security related issues; one of them is giving attention for the human i.e. the social aspect of security. This paper critically analyses the different literatures using a systematic literature review technique using PRISMA search protocol concerning the determinants which most affect information security awareness and behavior. The information security training or education has given more emphasis than behavior and attitude. Then after identifying those determinants, it filters out the areas further study is needed which includes information security knowledge and care. It is determined that employee information security awareness and conduct are highly influenced by information security training, attitude, and behavior. Due to the choice of search criteria and/or databases, some pertinent papers may not have been included in this literature review so as to the study focus on developing nations. The factors that affect employees' information security tasks and initiatives must be determined for future stud

    Information Security Practices in Organizations: A Literature Review on Challenges and Related Measures

    This paper reports a systematic literature review that explores challenges related to information security practices in organizations and the ways these challenges are managed to avoid security breaches. We focused on empirical evidence from extant research studies and identified four general challenges related to: (1) security rules and procedures, (2) individual and personal risks, (3) culture and security awareness, and (4) organizational and power relations. To manage these risks, nine measures were prominent in the selected studies. Training and organizational collaboration across the hierarchical levels were widely used to enhance the security culture. In addition, awareness campaigns for the workforce, as well as continuously measuring and improving security initiatives were highly recommended. Our literature review points to the socio-technical aspects of information security. Although many organizations have both administrative and technical infrastructures in place, they must also think about employee attitudes, knowledge, and behavior. Information systems research towards this direction needs to be further developed. More qualitative studies are needed for exploring how to develop a culture of security awareness and for gaining insights on how security rules and training courses can become more appealing and accessible

    How do Leader Emotional Displays Influence Employees’ Information Security Effort?

    The leader has been considered important in influencing employees’ behavior and performance. However, the research identifying the mechanism about the role of leader in the information systems (IS) security context is still scant. According to the Emotion as Social Information (EASI) theory, this study posits that emotional displays by leaders play a critical role in influencing employees’ information security effort. Motivated thus, this study proposes that leader displays of happiness or anger towards organizational information security significantly influence employees’ subsequent efforts on information security protection and employees’ personalities (extraversion and openness to experience) moderate the process. In essence, this study sheds new light on the interaction effect between leader emotional display and employees’ personalities on employees’ information security effort. This study contributes to the IS security literature by unveiling the importance of leader emotional displays

    FORMING THE AWARENESS OF EMPLOYEES IN THE FIELD OF INFORMATION SECURITY

    Research purpose: The aim of this study is to present the essence and importance of information security awareness in the organisation and to analyse selected methods used in forming employee awareness in terms of information security. Methodology/ approach: This paper is based on literature studies and available reports. Findings: The presented paper suggests that in order to create a positive change in the organisation, information security training should focus on the attitude and behavior of employees. Concentration is primarily about what they do and how their actions affect the results. In order to minimise the risk of data breaches, often resulting from human error, training methods must meet the needs of today's employees. Effective information security awareness strategies should address the needs of both the organisation itself and the learning people. Limitations/implications: The study is based on the theoretical analysis, indicating the need of conducting further empirical research. Originality/value: The main value of the study is to clarify the need for forming employees' awareness of information security while indicating a number of available methods enabling the implementation of awareness programs in the organisation

    The impact of personality traits on user’s susceptibility to social engineering attacks

    Phishing attacks and other social manipulation attacks are an everyday occurrence for most workers in their email boxes. Others experience social engineering tricks to take and divert payments on legitimate electronic commerce transactions. This exploratory pilot study aims to examine the impact of user’s personality on the likelihood of user’s susceptibility to social engineering attacks. Five expert interviews were conducted to investigate what traits make some individuals more or sometimes less susceptible to social engineering attack than others. The personality traits were obtained using the big five personality model for correlation with interview data. The result suggests that users with high scores in agreeableness and extroversion traits are likely to be more susceptible to social engineering attack than others. These results are a useful start for further research into the impact of different tricks on different personality types

    Smartphone security awareness, perceptions and practices: a Welsh higher education case study

    Higher Education students are purported to be heavy users of technology; specifically smartphones, which represent the “Internet of Things” (IoT). These have revolutionized every sector of public and personal lives, and also revolutionised teaching and learning within Higher Education, providing students a 21st century learning experience. The way students engage with each other, with institutions of higher learning, and with their own learning, has changed dramatically. The smartphone is used to assist with all areas of their lives; however, a plethora of security issues accompanies its use. Cybersecurity perceptions are said to inform security practices and precautionary-related behaviours. If perceptions are skewed, the necessary security behaviours might be inadequate. The main objective of this quantitative study was to investigate the level of smartphone security awareness of Higher Education students undertaking a Business degree at a Welsh University during the 2016-17 and 2018-19 academic years. Understanding whether students have acquired prior cybersecurity knowledge through formal means was key to understanding whether there was a link between security education, security awareness, smartphone security behaviours, perceptions and practices. This research therefore aimed to investigate: 1) The level of smartphone security awareness depicted in the attitudes, behaviours, knowledge and competences of these university students; 2) Any gender differences in terms of attitudes, behaviours, knowledge and competences regarding smartphone security awareness; 3) The importance of cybersecurity awareness training. Participants in this study were largely male, with half of the participants having undertaken a prior information communication technology related type courses. Almost all participants recognised that there were security related issues with social networking and location based applications. The majority of participants did not deploy measures to prevent viruses, this being the case for significantly more females. More than half of the participants used some mechanisms to protect their data. However, significantly more of the 2018-19 participant group compared to the 2016-17 participant group indicated that they did not do this. Moreover, a large proportion of the participants were unaware of the liability linked to the use of social media and the related rules applicable. This study suggests that students who received some formal information communication technology training prior to university entry were more aware of the security risks and their behaviours reflect this. Despite this, the level of smartphone security awareness is not as high as it should be which is in keeping with other research findings. This study suggests that as technology and digital literacy gain further importance, smartphone security literacy training should not be left to chance. It is clear that education and training should occur early in the education life cycle, and should be a lifelong learning activity

    Employee Information Security Practices: A Framework and Research Agenda

    Author's accepted manuscript. Employee information security practices are pivotal to prevent, detect, and respond to security incidents. This paper synthesizes insights from research on challenges related to employee information security practices and measures to address them. The challenges identified are associated to idiosyncratic aspects of communities and individuals within organizations (culture and personal characteristics) and to systemic aspects of organizations (procedural and structural arrangements). The measures identified aim to enhance systemic capabilities and to adapt security mechanisms to the idiosyncratic characteristics and are categorized as: (a) measures of training and awareness, (b) measures of organizational support, (c) measures of rewards and penalties. Further research is needed to explore the dynamics related to how challenges emerge, develop, and get addressed over time and also, to explore the interplay between systemic and idiosyncratic aspects. Additionally, research is needed on the role of security managers and how it can be reconfigured to suit flatter organizations

    Gender Differences in Information Security Perceptions and Behaviour

    Information security is of universal concern to computer users from all walks of life. Though gender differences in technology adoption are well researched, scant attention has been devoted to the study of gender differences in information security. We address this research gap by investigating how information security perceptions and behaviours vary between genders in a study involving 624 home users. The results reveal that females exhibit significantly lower overall levels of security behaviour than males. Furthermore, individual perceptions and behaviours in many cases also vary by gender. Our work provides evidence that gender effects should be considered when formulating information security education, training, and awareness initiatives. It also provides a foundation for future work to explore information security gender differences more deeply

    Cybersecurity Continuity Risks: Lessons Learned from the COVID-19 Pandemic

    The scope and breadth of the COVID-19 pandemic were unprecedented. This is especially true for business continuity and the related area of cybersecurity. Historically, business continuity and cybersecurity are viewed and researched as separate fields. This paper synthesizes the two disciplines as one, thus pointing out the need to address both topics simultaneously. This study identifies blind spots experienced by businesses as they navigated through the difficult time of the pandemic by using data collected during the height of the COVID-19 pandemic. One major shortcoming was that most continuity and cybersecurity plans focused on single-axis threats. The COVID-19 pandemic resulted in multi-axes threats, pointing out the need for new business strategies moving forward. We performed multiple regression analysis and constructed a correlation matrix to capture significant relationships between percentage loss of revenue and levels of concern for different business activities moving forward. We assessed the most pervasive issues Florida small businesses faced in October 2020 and broke these down by the number of citations, the total number of impacts cited, and industry affectedness. Key security risks are identified and specific mitigation recommendations are given

    Test-retest reliability and internal consistency of the Human Aspects of Information Security Questionnaire (HAIS-Q)

    This paper reports on an evaluation of the test-retest reliability and internal consistency of the Human Aspects of Information Security Questionnaire (HAIS-Q), a measure designed to capture an individual’s knowledge, attitude and self-reported behaviour towards information security in the workplace. The analyses focused on responses from 197 working Australians, who completed two iterations of the HAIS-Q, approximately four weeks apart. The HAIS-Q showed significant test-retest correlations and has high internal reliability levels. The results of this study demonstrated that the HAIS-Q possesses both external reliability and internal consistency, and can therefore be used as a reliable measure of information security awareness. The HAIS-Q can be used within organisations to measure the effectiveness and impacts of training interventions, information security awareness programs and to determine the impact of security incidents and cultural changes