273 research outputs found

    Information security management and employees' security awareness : an analysis of behavioral determinants

    [no abstract]

    A descriptive review and classification of organizational information security awareness research

    Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding

    Information Security Awareness: Literature Review and Integrative Framework

    Individuals’ information security awareness (ISA) plays a critical role in determining their security-related behavior in both organizational and private contexts. Understanding this relationship has important implications for individuals and organizations alike who continuously struggle to protect their information security. Despite much research on ISA, there is a lack of an overarching picture of the concept of ISA and its relationship with other constructs. By reviewing 40 studies, this study synthesizes the relationship between ISA and its antecedents and consequences. In particular, we (1) examine definitions of ISA; (2) categorize antecedents of ISA according to their level of origin; and (3) identify consequences of ISA in terms of changes in beliefs, attitudes, intentions, and actual security-related behaviors. A framework illustrating the relationships between the constructs is provided and areas for future research are identified

    Determinants of information security awareness and behaviour strategies in public sector organizations among employees

    In this digital era, protecting an organisation's sensitive information system assets against cyberattacks is challenging. Globally, organisations spend heavily on information security (InfoSec) technological countermeasures. Public and private sectors often fail to secure their information assets because they depend primarily on technical solutions. Human components create the bulk of cybersecurity incidents directly or indirectly, causing many organisational information security breaches. Employees' information security awareness (ISA) is crucial to preventing poor information security behaviours. Until recently, there was little combined information on how to improve ISA and how investigated factors influencing employees' ISA levels were. This paper proposed a comprehensive theoretical model based on the Protection Motivation Theory, the Theory of Planned Behaviour, the General Deterrence Theory, and Facilitating Conditions for assessing public sector employees' ISA intentions for information security behaviour. Using a survey and the structural equation modelling (SEM) method, this research reveals that the utilised factors are positively associated with actual information security behaviour adoption, except for perceived sanction certainty. The findings suggest that the three theories and facilitating conditions provide the most influential theoretical framework for explaining public sector employees' information security adoption behaviour. These findings support previous empirical research on why employees' information on security behaviours vary. Consistent with earlier research, these psychological factors are just as critical as facilitating conditions in ensuring more significant behavioural intention to engage in ISA activities, ensuring information security behaviour. The study recommends that public-sector organisations invest in their employees' applied information security training

    Understanding cybersecurity behavioral habits: Insights from situational support

    While the Internet has become an indispensable aspect of personal and professional lives, it has also served to render many individuals vulnerable to cybersecurity threats. Thus, the promotion of cybersecurity behaviors can effectively protect individuals from these threats. However, cybersecurity behaviors do not necessarily come naturally, and people need support and encouragement to develop and adopt them. A habit is an important factor that may motivate cybersecurity behaviors, but it has often been overlooked in past studies. To address this limitation, this study examined the formation of cybersecurity behavioral habits. Hierarchical regression analysis was used to analyze cybersecurity behavior survey data obtained from 393 college student participants. The results revealed the following: (1) efficacy and behavioral comprehensiveness predict cybersecurity behavioral habits; (2) efficacy has a positive impact on behavioral comprehensiveness; (3) situational support has a positive influence on efficacy. These findings suggest that cybersecurity behavioral habits can be formed by promoting the diversity of cybersecurity measures practiced (behavioral comprehensiveness) and efficacy

    Business not as usual: Understanding the drivers of tacit knowledge-sharing behavior in teleworking modality

    Dissertation presented as the partial requirement for obtaining a Master's degree in Information Management, specialization in Knowledge Management and Business Intelligence. In recent years, companies have differentiated themselves from their competitors through their intellectual capital, an essential resource for survival. As such, tacit knowledge gives companies leverage when it comes to obtaining a competitive advantage, as it originates in personal actions or attitudes, making its formalization, sharing, and expression very difficult, which in turn results in a big challenge for competitors who want to appropriate it when compared to explicit knowledge. Applying the theory of planned behavior and extending it to individual and organizational factors, this study aims to examine the drivers of employees' tacit knowledge-sharing behavior for workers that are in traditional, hybrid, and teleworking modalities, which is the current norm in the corporate world. This research begins with a brief review of the context of the COVID-19 pandemic in organizations and people. The literature review allows studying the concepts of organizational knowledge creation and sharing, tacit knowledge, telework, and the theory of planned behavior. Our research model is based on a sample where, surprisingly, almost 80% of respondents work remotely for at least half of their time and data analysis was performed using the partial least squares technique, supported by SmartPLS. The results demonstrate that the proposed factors can explain more than 40% of employees' tacit knowledge-sharing behavior variation

    Antecedents of Employees' Behavioral Intentions Regarding Information Technology Consumerization

    The majority of organizations worldwide have adopted IT consumerization. However, only a small percentage of them explicitly manage the dual use of personal devices and applications for work purposes. This correlational study used the extended unified technology acceptance and use technology model (UTAUT2) to examine whether employees' perceptions of habit, effort expectancy, performance expectancy, facilitating conditions, hedonic motivation, social influence, and price value can predict IT consumerization behavioral intentions (BI). A pre-existing UTAUT2 survey instrument was used to collect data from employees (N = 112) of small- and medium-sized organizations across different industries in Ontario, Canada. The regression analysis confirmed a positive statistically significant relationship between study variables and BI. Overall, the model significantly predicted BI, F(7, 100) = 76.097, p < .001, R² = .842. Performance expectancy (β = .356, p < .001), habit (β = .269, p < .001), and social influence (β = .258, p < .001) were significant predictors of BI at the .001 level whereas effort expectancy (β = .187, p < .01), facilitating conditions (β = .114, p < .01), hedonic motivation (β = .107, p < .01), and price value (β = .105, p < .01), were significant predictors at the .005 level. Using study results, chief information officers may be able to develop improved strategies to facilitate IT consumerization. Implications for positive social change include more flexibility and convenience for employees in managing their work and social lives

    Exploring the reasons leading to software system rejection in MNCs

    This thesis explores the reasons behind the rejection of software systems for strategic management in multinational corporations (MNCs). MNCs are particularly dependent on adopting novel technologies, as it contributes positively to MNCs’ revenue growth, reduces risks of globalization, and increases the ability to compete globally. Although the creative use of information technologies (IT) and information systems (IS) is particularly important for MNCs’ survival and growth, corporations are noted to be more hesitant in investing in novel technologies, i.e., software systems. As technology rejection can limit MNCs’ competitive postures, understanding the reasons leading to technology rejection is vital for overcoming it. By identifying these rejection reasons, both MNCs and technology vendors can reduce the barriers to software system adoption. The existing literature in academia has focused on understanding the reasons leading to technology adoption, and the reasons leading to technology rejection at the organizational level remain unclear for academia. To fill the identified research gap, this research explores reasons leading to software system rejection in MNCs, to reduce the barriers to software system adoption. This research conducted a comprehensive case study by observing the underlying reasons affecting rejection decisions in 13 case companies. The theoretical framework for the thesis is built on the existing research of digital transformation, technology adoption, and information systems adoption, as the existing academia lacks research in technology rejection, and technology adoption and rejection are considered opposite actions in academia. The research adopted critical realism as a research philosophy, as this research aims to explain the underlying causes for the observed phenomenon, which is software system rejection.
To explain these underlying causes, the research triangulated two perspectives in case study methodology: MNCs adopting novel software systems and technology vendors. The reasons leading to software system rejection in MNCs can be classified into five dimensions, which are indistinctly defined business case, inability to respond to the business case, incoherent customer-vendor fit, complex execution process, and incoherency with digital transformation strategies. The findings indicate that MNC’s indistinctly defined business case may guide the project in an unwanted direction. As the outcome does not respond to the MNC’s need, it will likely be rejected. Secondly, the software system’s inability to respond to the business case from organizational, technological, and environmental aspects leads to rejection. Thirdly, incoherency between the customer and technology vendor can lead to rejection if the organization types and ways to operate do not support each other in succeeding in the project. The complex execution process identifies the challenges in the execution phase, i.e., increased risks of execution which the MNC is not willing to take. The final reason indicates that MNCs will reject a software system if it does not support the corporation in executing its digital transformation strategies. These findings contribute to technology rejection literature by providing the first insights into the reasons leading to software system rejection at the organizational level. This study examines the reasons for the rejection of software systems in multinational companies. Multinational companies are increasingly dependent on the adoption of new technologies, as these have been found to have a positive effect on revenue growth, on reducing the risks brought by internationalization, and on creating international competitive advantage.
Although versatile use of information systems (IS) and information technology (IT) is particularly important for building the competitiveness of international organizations, companies have been observed to hesitate more and more to invest in new technologies such as software systems. Understanding the reasons for technology rejection is particularly important, as rejection limits multinational companies' ability to create competitive advantage. Understanding these reasons helps multinational companies and technology vendors reduce the barriers to adoption. The reasons for technology rejection remain unclear in academic research, as academia has focused on explaining the reasons for technology adoption at the organizational level. To fill this research gap, this study examines the underlying reasons for software system rejection in multinational companies in order to reduce the barriers to software system adoption. The study was carried out by examining the reasons underlying decision-making in 13 case companies. The theoretical framework of the study is built on existing research on digital transformation strategies and on technology and information systems adoption, as scientific research has focused on explaining adoption, and adoption and rejection are regarded as opposite courses of action in the theoretical field. The study views the phenomenon through the lens of critical realism, as it compares the perspectives of the two parties taking part in the negotiation: companies and technology vendors. Based on the study, the reasons for technology rejection can be divided into five categories: a vaguely defined business need, inability to respond to the defined business need, the mutual fit between customer and technology vendor, a complex implementation process, and incompatibility with digital transformation strategies.
The results show that a vaguely defined business need steers the procurement project toward an outcome that does not meet the company's need, leading to rejection of the software system. The software system's inability to meet the company's organizational, technological and operating-environment requirements also leads to rejection. The third reason for rejection is a mismatch between the company and the technology vendor, as differences in ways of operating and organizational models do not promote cooperation. A complex implementation project, in which the company identifies potential risks of project failure that it is unwilling to take, can also lead to rejection. The final reason is the software system's inability to support the realization of the company's digital transformation strategies. The study narrows the research gap on technology rejection by providing a first understanding of the reasons that lead to software system rejection at the organizational level

    Orientation and Social Influences Matter: Revisiting Neutralization Tendencies in Information Systems Security Violation

    It is estimated that over half of all information systems security breaches are due directly or indirectly to the poor security practices of an organization’s employees. Previous research has shown neutralization techniques as having influence on the intent to violate information security policy. In this study, we proposed an expansion of the neutralization model by including the effects of business and ethical orientation of individuals on their tendencies to neutralize and compromise with information security policy. Additionally, constructs from social influences and pressures have been integrated into this model to measure the impact on the intent to violate information security policy from social perspectives. This study is a quantitative study that used a survey methodology for data collection. A stratified sampling method was used to ensure equal representation in the population. A sample of members was collected using a random sampling procedure from each stratum. All data were collected by sending a survey link via email through SurveyMonkey’s participant outreach program to the aforementioned groups. Partial least squares were used for data analysis. Findings showed business and ethical orientation had a negative impact on accepting neutralization techniques which ultimately result in the intent to violate information security policy. Furthermore, this research found neutralization, social influences, and social pressures as having 24 percent of influence to violate information security policy. Business orientation and ethical orientation contributed to 15 percent of influence in variance on employees accepting neutralization techniques. Implications of this research suggest information security policies can be compromised by employees and additional measures are needed. Behavioral analytics may provide an understanding of how employees act and why. 
Routine training is necessary to help minimize risks, and a healthy security culture will promote information security as a focal point to the organization