
    Behavioral Approach to Information Security Policy Compliance

    Information security is among the top organizational priorities. Theoretically, information security in socio-technical networks is as much a behavioral issue as it is a technical one. Protection motivation theory (PMT), the dominant theory used to investigate end-user security behavior, has nonetheless shown conflicting results, primarily because the theory has not been contextualized to the information security setting, here a healthcare context. In this paper, we outline a theoretically grounded conceptual model of the major factors influencing information security policy compliance. The model contextualizes the two independent variables of PMT: threat appraisal is viewed as construal evaluation based on construal level theory, while coping appraisal is viewed as an outcome of training based on social cognitive theory. Overall, the model provides a well-grounded nomological network to better explain information security compliance behavior. The paper also outlines key managerial levers that can be used to influence end-user behavior.

    Information Security Practices in Organizations: A Literature Review on Challenges and Related Measures

    This paper reports a systematic literature review that explores challenges related to information security practices in organizations and the ways these challenges are managed to avoid security breaches. We focused on empirical evidence from extant research studies and identified four general challenges related to: (1) security rules and procedures, (2) individual and personal risks, (3) culture and security awareness, and (4) organizational and power relations. To manage these risks, nine measures were prominent in the selected studies. Training and organizational collaboration across the hierarchical levels were widely used to enhance the security culture. In addition, awareness campaigns for the workforce, as well as continuously measuring and improving security initiatives, were highly recommended. Our literature review points to the socio-technical aspects of information security. Although many organizations have both administrative and technical infrastructures in place, they must also think about employee attitudes, knowledge, and behavior. Information systems research in this direction needs to be further developed. More qualitative studies are needed to explore how to develop a culture of security awareness and to gain insight into how security rules and training courses can become more appealing and accessible.

    Effects of a Comprehensive Computer Security Policy on Computer Security Culture

    It is well known that humans are the weakest link in computer security, and that developing and maintaining a culture of computer security is essential for managing the human aspect of computer security. It is less well known how a comprehensive computer security policy, incorporating both information technology computer security and operational technology computer security, impacts a culture of computer security. While a literature review of this domain includes research on the impact of various aspects of a computer security policy on computer security culture, no peer-reviewed research was found that explained the impact of a comprehensive computer security policy on computer security culture through an understanding of its direct or indirect effects. Thus, it is the thesis of this study that a comprehensive computer security policy has a direct effect on computer security culture, which can be further explained through indirect effects.

    PREVENTIVNE MJERE PROTIV RAČUNALNOG KRIMINALA: PRIBLIŽAVANJE POJEDINCU (Preventive Measures against Cybercrime: Approaching the Individual)

    Cybercrime is a combination of information, financial and personal security threats. The purpose of this research is to use statistical data to identify the most effective preventive measures against cybercrime, measures that would contribute to the fight at the level of potential (or actual) cyber victims and cyber criminals. Bringing so-called cyberethics into people's lives will act as prevention against cybercrime, as it will add to their culture of cyberspace use through educational and popular-science projects (a similar program put into action in Nigeria had a positive effect). With the rapid spread of cybercrime, preventive measures aimed at individuals, such as anti-criminalization, anti-bullying and anti-phishing campaigns, the practice of shaping a negative attitude towards crime, and establishing responsibility for committing cybercrimes, are gaining in importance. Improving society, as a counter-move to remove the criminal factors that provoke a positive or neutral attitude to cybercrime, should be geared towards better living, since the higher the standard of living, the lower the level of cybercrime. Taking individualized preventive measures towards people prone to committing cybercrime will prevent such acts even before they take place (with cyber extortion and ransomware threats, such actions gain in relevance). For the fight against cybercrime, special programs should reduce victimization in the field of cybersecurity by fostering a protective attitude in persons who may become victims. Designing such programs will lead to a drop in cybercrime activity. Specific public authorities and non-governmental organizations should take part in the preventive process. Comprehensive preventive measures against cybercrime that approach the individual at the international level will allow the design of specific pilot programs for individualized prevention.

    Perceptions of Information Systems Security Compliance: An Empirical Study in Higher Education Setting

    Ensuring information systems security policy compliance is an integral part of the security program of any organization. This paper investigated the perceptions of different stakeholder groups towards the information security policy compliance constructs of the Unified Model of Information Security Compliance (UMISPC) [1] in a higher education environment. The research findings showed that faculty and staff generally have a higher tendency towards security policy compliance compared to students in a higher education institution. In addition, students with security knowledge are more inclined to engage in security policy compliance activities. Our findings not only add to the knowledge base of information systems security compliance research, but also offer practical implications.

    A Review of Information Systems Security Management: An Integrated Framework

    As information has become a basic commodity and strategic asset, information systems (IS) security has become increasingly important to organizations. This paper reviews the prior literature that has studied non-technical factors of IS security issues from an organizational perspective rather than at the individual level. Five key concepts are studied: IS security management, organizational factors, human factors, strategic planning, and IS security policies. By integrating the main concepts reflected in the literature, this paper proposes an integrated framework that provides a comprehensive look at effective IS security management. Four propositions are developed. This framework is intended to provide guidance for organizations and security practitioners that need to implement their IS security management effectively.

    A systematic review of Information security knowledge-sharing research

    It is crucial for knowledge to be shared in the information security domain. In effect, sharing ensures that knowledge and skills are propagated through the organisation. Here, we report on a systematic literature review we carried out to gain insight into the literature on information security knowledge sharing within organisations. The literature highlights the importance of security knowledge sharing in terms of enhancing organisational security awareness, and identifies gaps that can be addressed by researchers in the area.

    Exploring Knowledge Sharing Practices for Raising Security Awareness

    This study aims to explore the types of information that can be effectively communicated through three knowledge-sharing methods and their impact on employees' security practice. On one hand, guarding the organisation's information system against cyber-attacks is critical, and improving users' knowledge and skills is a common approach in any security program. On the other hand, organisations lack a clear understanding of what types of security information should be delivered through the various methods of communication to be effective in boosting users' knowledge and compliance behaviour. The study employed a qualitative method using semi-structured interviews with business users in Vietnam. The initial findings indicate that a single method of knowledge and skill development is not sufficient to help users deal with complex and constantly changing security needs. It is necessary to further experiment with methods of encouraging formal and peer knowledge sharing that can support individual efforts to comply with security policies.