42 research outputs found

    The Assumptions and Profiles Behind IT Security Behavior

    Among the major IT security challenges facing organizations is non-malicious employee behavior that nevertheless poses significant threats to an organization’s IT security. Using a grounded theory methodology, this paper finds that organizational security behaviors are inherently related to employee assumptions regarding the importance of IT security policy compliance and regarding the reason why IT security measures are implemented. Analyzing these assumptions uncovers four profiles of perspectives concerning IT security: the IT Security Indulgence, the IT Security Overindulgence, the IT Knows Best and the IT Security Disconnect profiles. These profiles are useful in understanding employee IT security behaviors and may help IT departments in developing more effective strategies designed to ensure policy compliance

    Too Much of a Good Thing? An Investigation of the Negative Consequences of Information Security in a Healthcare Setting

    Information security is becoming a prime concern for individuals and organizations. This is especially true in healthcare settings where widespread adoption of integrated health information systems means that a vast amount of highly sensitive information on patients is accessible through many interaction points across the care delivery network. In this research in progress, we seek to uncover how individuals react when they perceive that their security environment is stressful. To do so, we conducted a case study using an inductive approach based on semi-structured interviews with 41 participants. The preliminary analysis of some of our interviews showed that too much security in a health setting can bring in negative consequences like evoking negative emotions in users toward the system, increased dissatisfaction, and increase of inappropriate workarounds, which can lead to ineffective usage of the system and eventually can put patients’ health at risk

    SNS Use, Risk, and Executive Behavior

    Organizations can suffer attacks designed to take advantage of employee vulnerabilities. Successful attacks cause firms to suffer financial damage ranging from minor information breaches to severe financial losses. Cybercriminals focus on organization executives, because the power and influence they wield affords access to more sensitive data and financial resources. The purpose of this research in progress submission is to identify the types of executive behaviors that information security professionals believe introduce risk to an organization, as well as to explore the degree of risk organizations face as a result of these behaviors

    Anger or Fear? Effects of Discrete Emotions on Deviant Security Behavior

    Deterrence theory has received considerable attention in recent years. However, scholars have begun to call for research beyond the deterrence approach on security behaviors, and argue that the theory of emotion should not be omitted from information systems security decision making [15, 81]. In this research, we examine and distinguish effects of anger and fear on perceived costs of sanctions and deviant security behavior. A research model is developed based on deterrence theory and cognitive appraisal theory of emotion. We propose to design a scenario of introducing a new security monitoring system, to analyze the interplays of anger, fear, perceived certainty, perceived severity of sanctions and deviant security behavior. The results will have important implications for comprehensively understanding employees’ deviant security behavior

    Factors that Affect the Success of Security Education, Training, and Awareness Programs: A Literature Review

    Preventing IT security incidents poses a great challenge for organizations. Today, senior managers allocate more resources to IT security programs (especially those programs that focus on educating and training employees) in order to reduce human misbehavior—a significant cause of IT security incidents. Building on the results of a literature review, we identify factors that affect the success of security education, training, and awareness (SETA) programs and organize them in a conceptual classification. The classification contains human influencing factors derived from different behavioral, decision making, and criminology theories that lead to IT security compliance and noncompliance. The classification comprehensively summarizes these factors and shows the correlations between them. The classification can help one to design and develop SETA programs and to establish suitable conditions for integrating them into organizations

    An Empirical Investigation of the Influence of Organizational Virtues on Information Technology Security Policy Compliance

    While studies have proposed multiple factors that influence information technology (IT) security policy compliance, this research tries to understand this phenomenon from the alternate perspective of organizational ethics. Drawing upon the theory of virtue ethics proposed by the Greek philosopher Aristotle, and subsequently forwarded by noted philosophers like Alasdair McIntyre, we theorize how organizational virtues can create a positive impact on IT security policy compliance in organizations. Our theory considers four cardinal organizational virtues: wisdom, justice, courage, and temperance. We propose that an organization that develops, practices, and implements these virtues achieves greater compliance with IT security policies. An empirical study conducted with managers in public organizations provides support for our theory. Ultimately, our work promotes a novel, virtue ethics-based perspective to better understand and address the crucial challenge of achieving IT security policy compliance

    Seeing the forest and the trees: A meta-analysis of information security policy compliance literature

    A rich stream of research has identified numerous antecedents to employee compliance with information security policies. However, the breadth of this literature and inconsistencies in the reported findings warrant a more in-depth analysis. Drawing on 25 quantitative studies focusing on security policy compliance, we classified 105 independent variables into 17 distinct categories. We conducted a meta-analysis for each category’s relationship with security policy compliance and then analyzed the results for possible moderators. Our results revealed a number of illuminating insights, including (1) the importance of categories associated with employees’ personal attitudes, norms and beliefs, (2) the relative weakness of the link between compliance and rewards/punishment, and (3) the enhanced compliance associated with general security policies rather than specific policies (e.g., anti-virus). These findings can be used as a reference point from which future scholarship in this area can be guided

    Using the theory of interpersonal behaviour to explain employees' cybercrime preventative behaviour during the pandemic

    Purpose – The COVID-19 pandemic necessitated a significant shift in how employees executed their professional responsibilities. Concurrently, the incidence of cybercrime experienced a noteworthy surge due to the increased utilisation of cyberspace. The abrupt transition to telecommuting altered the interpersonal dynamics inherent in traditional work environments. This paper aims to examine the impact of interpersonal factors on the cybercrime preventative measures adopted by telecommuting employees. Design/methodology/approach – A conceptual model, grounded in the Theory of Interpersonal Behaviour, is evaluated through an online survey. The data set comprises responses from 209 employees in South Africa, and the analysis uses partial least squares structural equation modelling. Findings – The results reveal substantial predictive power to explain cybercrime preventative behaviours. Notably, the study underscores the significant influence of habit and affect on intention and subsequent behaviour. Practical implications – The results suggest that practitioners should give due attention to emotional dimensions (affect) as a catalyst for information security behaviour. The formulation of employees’ information security responsibilities should be pragmatic, fostering subconscious compliance to establish routine behaviour (habit). Originality/value – This research underscores the pivotal roles played by habit and emotions in shaping behavioural patterns related to information security. Furthermore, it provides researchers with an illustrative model for operationalising these constructs within the realm of security. The results contribute additional perspectives on the repercussions of the COVID-19 pandemic on cybercrime preventative behaviours.

    Examining the intended and unintended consequences of organisational privacy safeguards
