
    Employee Information Security Practices: A Framework and Research Agenda

    Employee information security practices are pivotal to prevent, detect, and respond to security incidents. This paper synthesizes insights from research on challenges related to employee information security practices and measures to address them. The challenges identified are associated with idiosyncratic aspects of communities and individuals within organizations (culture and personal characteristics) and with systemic aspects of organizations (procedural and structural arrangements). The measures identified aim to enhance systemic capabilities and to adapt security mechanisms to the idiosyncratic characteristics, and are categorized as: (a) measures of training and awareness, (b) measures of organizational support, (c) measures of rewards and penalties. Further research is needed to explore the dynamics of how challenges emerge, develop, and get addressed over time, and also to explore the interplay between systemic and idiosyncratic aspects. Additionally, research is needed on the role of security managers and how it can be reconfigured to suit flatter organizations.

    Barking Up the Wrong Tree? Reconsidering Policy Compliance as a Dependent Variable within Behavioral Cybersecurity Research

    A rich body of research examines the cybersecurity behavior of employees, with a particular focus on explaining the reasons why employees comply with (or violate) organizational cybersecurity policies. However, we posit that this emphasis on policy compliance is susceptible to several notable limitations that could lead to inaccurate research conclusions. In this commentary, we examine the limitations of using cybersecurity policy compliance as a dependent variable by presenting three assertions: (1) the link between policy compliance and organizational-level outcomes is ambiguous; (2) policies vary widely in terms of their clarity and completeness; and (3) employees have an inconsistent familiarity with their own organization's cybersecurity policies. Taken together, we suggest that studying compliance with cybersecurity policies reveals only a partial picture of employee behavior. In response, we offer recommendations for future research.

    It is not my job: exploring the disconnect between corporate security policies and actual security practices in SMEs

    Purpose: This paper aims to present empirical results exemplifying challenges related to information security faced by small and medium enterprises (SMEs). It uses guidelines based on work system theory (WST) to frame the results, thereby illustrating why the mere existence of corporate security policies or general security training is often insufficient for establishing and maintaining information security. Design/methodology/approach: This research was designed to produce a better appreciation and understanding of potential issues or gaps in security practices in SMEs. The research team interviewed 187 employees of 39 SMEs in the UK. All of those employees had access to sensitive information. Gathering information through interviews (instead of formal security documentation) made it possible to assess security practices from the employees' point of view. Findings: Corporate policies that highlight information security are often disconnected from actual work practices and routines and often do not receive high priority in everyday work. A vast majority of the interviewed employees are not involved in risk assessment or in the development of security practices. Security practices remain an illusory activity in their real-world contexts. Research limitations/implications: This paper focuses only on closed-ended questions related to the following topics: awareness of the existing security policy; information security practices and management; and information security involvement. Practical implications: The empirical findings show that corporate information security policies in SMEs are often insufficient for maintaining security unless those policies are integrated with visible and recognized work practices in the work systems that use or produce sensitive information. The interpretation based on WST provides guidelines for enhancing information system security. Originality/value: Beyond merely reporting empirical results, this research uses WST to interpret the results in a way that has direct implications for practitioners and for researchers.

    Organization Members Developing Information Security Policies: a Case Study

    Information security policies (ISPs) have a key role in organizational information security. Research has introduced processes for ISP development, including lifecycle models. There are also recommendations to include contextual issues in ISP development to ensure that the ISP provides tailored protection to the organization's assets. One way of ensuring this is to include organization members in the development efforts. We identified six functions of organization member participation from the research literature. We then present two case studies of organizations where the personnel were included in the ISP development process. We found that the participation of the organization members did add value to the process through these functions, but that there were also some negative effects. The inclusion of organization members in ISP development can help in gathering feedback directly at the beginning of the lifecycle, without the need to go through the entire cycle to identify issues.

    The significance of information security policy in business strategy

    More and more information is becoming available, and protecting it has become a decisive factor for companies from a business perspective. To sustain their business, companies must formulate a strategy on which they base their operations. To sustain its operations, a company must also take care of information security, because information is an important resource for the company. Information security policy is closely tied to the implementation of information security, as it gives the company guidelines for implementing it. The study was conducted as a literature review whose aim was to find, on the basis of the material, an answer to how information security and information security policy appear in a company's strategy. The material used in the study consisted of scientific publications such as books, articles and conference proceedings. Most of the material used was in electronic form. The research problem was examined through a main question and research questions that delimited the topic and posed more specific questions, which the study answered. The study found that information security, information security policy and corporate strategy have much in common and are in many respects bound to one another. Several definitions were also found for them. Information security was found to be a process for which the whole company is responsible. The study also found that information security is multidimensional and consists of several levels. Strategy was likewise found to consist of different levels that follow the organizational structure. The study identified different ways of dividing an information security policy into parts, for example by means of an information security policy architecture. In addition, factors affecting the effectiveness of information security policy in companies were identified. The study also found that the same members of organizational management are responsible for information security, information security policy and corporate strategy.

    Assessment of Information Security Culture in Higher Education

    Information security programs are instituted by organizations to provide guidance to the users who handle their data and systems. The main goal of these programs is to protect the organization's information assets through the creation and cultivation of a positive information security culture within the organization. As the collection and use of data expands in all economic sectors, the threat of data breach due to human error increases. Employees' behavior towards information security is influenced by the organization's information security programs and the overall information security culture. This study examines the human factors of an information security program and their effect on the information security culture. These human factors consist of the stringency of organizational policies, behavior deterrence, employee attitudes towards information security, training and awareness, and management support of the information security programs. A survey questionnaire was given to employees in the Florida College System to measure the human aspects of the information security programs. Confirmatory factor analysis (CFA) and structural equation modeling (SEM) were used to investigate the relationships between the variables in the study using IBM® SPSS® Amos 24 software. The study results show that management support and behavior deterrence have a significant positive relationship with information security culture. Additionally, the results show no significant association between information security culture and organizational policies, employee commitment, or employee awareness. This suggests a need for further refinement of the model and the survey tool design to properly assess the human factors of information security programs and their effects on the organizational security culture.

    IT Risk Management: Towards a System for Enhancing Objectivity in Asset Valuation that Engenders a Security Culture

    In today's technology-centric business environment, where organizations encounter numerous cyber threats, effective IT risk management is crucial. An objective risk assessment, based on information relating to business requirements, human elements, and the security culture within an organisation, can provide a sound basis for informed decision making, effective risk prioritisation, and the implementation of suitable security measures. This paper focuses on asset valuation, supply chain risk, and enhanced objectivity, via a "segregation of duties" approach, to extend and apply the capabilities of an established security culture framework. The resultant system design aims at mitigating subjectivity in IT risk assessments, thereby diminishing personal biases and presumptions to provide a more transparent and accurate understanding of the real risks involved. Survey responses from 16 practitioners working in the private and public sectors confirmed the validity of the approach but suggested it may be more workable in larger organisations, where resources allow dedicated risk professionals to operate. This research contributes to the literature on IT and cyber risk management and provides new perspectives on the need to improve objectivity in asset valuation and risk assessment.

    Factors Affecting Employee Intentions to Comply With Password Policies

    Password policy compliance is a vital component of organizational information security. Although many organizations make substantial investments in information security, employee-related security breaches are prevalent, with many breaches being caused by negative password behavior such as password sharing and the use of weak passwords. The purpose of this quantitative correlational study was to examine the relationship between employees' attitudes towards password policies, information security awareness, password self-efficacy, and employee intentions to comply with password policies. This study was grounded in the theory of planned behavior and social cognitive theory. A cross-sectional survey was administered online to a random sample of 187 employees selected from a pool of qualified Qualtrics panel members. Participants worked for organizations in the United States and were aware of the password policies in their own organizations. The collected data were analyzed using three ordinal logistic regression models, each representing a specific measure of employees' compliance intentions. Attitudes towards policies and password self-efficacy were significant predictors of employees' intentions to comply with password policies (odds ratios ≥ 1.257, p < .05), while information security awareness did not have a significant impact on compliance intentions. With more knowledge of the controllable predictive factors affecting compliance, information security managers may be able to improve password policy compliance and reduce economic loss due to related security breaches. An implication of this study for positive social change is that a reduction in security breaches may promote more public confidence in organizational information systems.

    The Nursing Workaround: Development of a Psychometric Instrument

    Thesis (Ph.D.), School of Nursing and Health Studies, University of Missouri--Kansas City, 2020. Dissertation advisor: Eduardo Abreu. The development of nursing workarounds is a significant concern for healthcare organizations, with the potential for longstanding consequences to patient safety. Although numerous studies have been published about workarounds in general, little is known about the influential factors that result in workaround development by nurses. At this time, only one valid and reliable instrument is available to measure nursing workarounds, the Workaround Instrument (Halbesleben et al., 2013); however, it does not examine the potential relationships between an RN's decision to employ a workaround and demographic variables or other personal influences. The objective of this research was to psychometrically test the Workaround Motivation Survey (WMS). The WMS was designed specifically to distinguish between personal and professional motivational influences resulting in nursing workarounds, as a method to predict those at greater risk for workaround development. The sample included nurses from four Midwestern hospitals. Data were collected using REDCap, a web-based format that provides respondent confidentiality. Results indicate that the newly developed instrument is a reliable tool to identify nurses at greater risk for workaround development. Findings indicate the need for a larger sample size to accurately conduct factor analysis and to increase generalizability. Contents: Introduction; Theoretical foundation and review of literature; Methodology; Results; Discussion; Appendix A. The Workaround Motivation Survey (WMS); Appendix B. Letters of Cooperation; Appendix C. Study Invitation; Appendix D. Cover letter.

    Information Security Policies in Organizations

    We live in a world where access to information is easier than ever. This has brought an increased level of threat to the sensitive information held by companies. Information security is no longer a technological question but a human one. People are the greatest threat to the information held within a company. To manage this problem, companies choose to create information security policies that employees must follow in order to minimize the risks that come with handling information. But what does the process look like in Swedish IT organizations when it comes to developing and communicating information security policies? Are there any differences in how companies go about developing and communicating information security policies? The authors chose to conduct a qualitative interview study at three IT organizations to gain insight into whether any differences exist in how the companies develop and communicate their information security policies. The results of the study showed that differences do exist between the three companies when it comes to developing and communicating information security policies.