9,646 research outputs found

    Exploring the Antecedents of Shadow Information Security Practices

    Employees are both the first line of defence in organisations as well as a significant source of vulnerability. Behavioural research in information security (InfoSec) has studied compliance of employees with organisational directives. Less understood are ‘shadow security practices’ – a related category of behaviour where employees invent InfoSec workarounds albeit with the intention of still complying with organisational InfoSec directives. In this research-in-progress paper, we present the theoretical development of a model, by conducting in-depth reviews of the relevant and multidisciplinary literatures, to identify the potential antecedents of the employees' intention to perform shadow security

    Orientation and Social Influences Matter: Revisiting Neutralization Tendencies in Information Systems Security Violation

    It is estimated that over half of all information systems security breaches are due directly or indirectly to the poor security practices of an organization’s employees. Previous research has shown neutralization techniques as having influence on the intent to violate information security policy. In this study, we proposed an expansion of the neutralization model by including the effects of business and ethical orientation of individuals on their tendencies to neutralize and compromise with information security policy. Additionally, constructs from social influences and pressures have been integrated into this model to measure the impact on the intent to violate information security policy from social perspectives. This study is a quantitative study that used a survey methodology for data collection. A stratified sampling method was used to ensure equal representation in the population. A sample of members was collected using a random sampling procedure from each stratum. All data were collected by sending a survey link via email through SurveyMonkey’s participant outreach program to the aforementioned groups. Partial least squares were used for data analysis. Findings showed business and ethical orientation had a negative impact on accepting neutralization techniques which ultimately result in the intent to violate information security policy. Furthermore, this research found neutralization, social influences, and social pressures as having 24 percent of influence to violate information security policy. Business orientation and ethical orientation contributed to 15 percent of influence in variance on employees accepting neutralization techniques. Implications of this research suggest information security policies can be compromised by employees and additional measures are needed. Behavioral analytics may provide an understanding of how employees act and why. 
Routine training is necessary to help minimize risks, and a healthy security culture will promote information security as a focal point to the organization

    Toward a behavioral contingency theory of security-related corruption control: understanding informal social controls

    Information security is increasingly important to organizations, as security breaches are costly. Organizational insiders can be assets or vulnerabilities in the battle to secure information systems. However, organizational insiders’ security beliefs and behaviors are not well understood. In particular, little is known about how social influence affects insiders’ security behaviors, yet studies have shown that social influence is a strong predictor of security behavior. A deeper understanding of social influence is needed in the literature. Additionally, many security studies only examine a cross-sectional period with no concern for changes in beliefs and behaviors over time. Thus, little is known about how learning in previous life periods (e.g., childhood/adolescence and tenure at a previous job) influences insiders’ current security beliefs and behaviors. This study examines the influence that informal information security controls exert on the information security behaviors of organizational insiders. This study also identifies how perceptions of previous social learning experiences influence current security beliefs and behaviors. In particular, this dissertation highlights four security behaviors: security risk-taking behavior and security damaging behavior, and security compliant behavior and proactive security behavior. Through a qualitative study, a model of the effect of social learning on security behavior is developed. A quantitative test is then presented to further confirm the results of the qualitative study. Through the quantitative study, an initial exploration of social learning across national boundaries is also provided. The study also concerns itself with understanding how context influences information security beliefs and behaviors

    Schools on the Frontlines of Governance: How the Convergence of Criminal Justice and Education Shapes Adolescent Perceptions and Behavior

    Theories of legal socialization posit that individuals’ interactions with both nonlegal (e.g., teachers) and legal (e.g., police officers) authorities impact our broader orientation towards governance and our compliance with rules and laws. Examining the process of legal socialization in adolescents is critical for understanding individuals’ relationships with major institutions of social control, and further, predicting delinquency. Extant literature tends to consider legal socialization in the school and in interactions with the police as distinct processes related to offending, neglecting the potential influence of school contextual factors; and yet, because the incorporation of carceral features (e.g., exclusionary discipline, restrictive security, and enhanced presence of police) can expose youth to a convergence in criminal justice and education institutions, the school context may have a critical influence on how individuals’ perceptions of authorities as procedurally just or unjust influence their beliefs concerning authorities’ legitimacy, their broader assessments of fairness in American society, and in turn, their behavior. The dissertation unifies two disparate lines of research considering individuals’ perceptions of procedural justice in policing and criminalizing school environments to develop a novel theoretical model. First, the model outlines two distinct processes of legal socialization regarding the school and the criminal justice system in which youth perceptions of school personnel and police (i.e., the authority figures of each of these domains) affect youth delinquency through two different intervening mechanisms—authority legitimacy and perceptions of fairness in the US. Second, the model considers how youth exposure to a carceral school environment, as an indicator of criminal justice and school authorities’ control, may condition these processes. 
Third, the model outlines several paths in which youth perceptions of one type of authority may influence their noncompliance or delinquency in another domain. Using individual- and school-level data from the University of Missouri- St. Louis Comprehensive School Safety Initiative, a series of path models are estimated to test the components of the theoretical argument

    Successful Operational Cyber Security Strategies for Small Businesses

    Cybercriminals threaten strategic and efficient use of the Internet within the business environment. Each year, cybercrimes in the United States cost business leaders approximately $6 billion, and globally, $445 billion. The purpose of this multiple case study was to explore the operational strategies chief information security officers of high-technology companies used to protect their businesses from cyberattacks. Organizational learning theory was the conceptual framework for the study. The population of the study was 3 high-technology business owners operating in Florida who have Internet expertise and successfully protected their businesses from cyberattacks. Member checking and methodological triangulation were used to validate the data gathered through semistructured interviews, a review of company websites, and social media pages. Data were analyzed using thematic analysis, which supported the identification of 4 themes: effective leadership, cybersecurity awareness, reliance on third-party vendors, and cybersecurity training. The implications of this study for positive social change include a safe and secure environment for conducting electronic transactions, which may result in increased business and consumer confidence strengthened by the protection of personal and confidential information. The creation and sustainability of a safe Internet environment may lead to increased usage and trust in online business activities, leading to greater online business through consumer confidence and communication

    Information security awareness and behavior: A theory-based literature review

    Purpose – This paper aims to provide an overview of theories used in the field of employees’ information systems (IS) security behavior over the past decade. Research gaps and implications for future research are worked out by analyzing and synthesizing existing literature. Design/methodology/approach – This paper presents the results of a literature review comprising 113 publications. The literature review was designed to identify applied theories and to understand the cognitive determinants in the research field. A meta-model that explains employees’ IS security behavior is introduced by assembling the core constructs of the used theories. Findings – The paper identified 54 used theories, but four behavioral theories were primarily used: Theory of Planned Behavior (TPB), General Deterrence Theory (GDT), Protection Motivation Theory (PMT) and Technology Acceptance Model (TAM). By synthesizing results of empirically tested research models, a survey of factors proven to have a significant influence on employees’ security behavior is presented. Research limitations/implications – Some relevant publications might be missing within this literature review due to the selection of search terms and/or databases. However, by conducting a forward and a backward search, this paper has limited this error source to a minimum. Practical implications – This study presents an overview of determinants that have been proven to influence employees’ behavioral intention. Based thereon, concrete training and awareness measures can be developed. This is valuable for practitioners in the process of designing Security Education, Training and Awareness (SETA) programs. Originality/value – This paper presents a comprehensive up-to-date overview of existing academic literature in the field of employees’ security awareness and behavior research. Based on a developed meta-model, research gaps are identified and implications for future research are worked out. 
© Emerald Group Publishing Limited

    A compliance based framework for information security in e-government in Oman

    The development of electronic government (e-government) in Oman has created new means for public organizations to deliver services, engage citizens, and improve workflows between public organizations. Such a development has opened the possibility that critical information in e-government systems can be exposed. This directly affects the confidence and trust of e-government stakeholders. Such confidence and trust are important to the continued development of e-government in Oman. As a result, the security of information has become a critical issue that needs to be adequately addressed in e-government development. This research aims to develop a compliance-based framework for information security in public organizations in e-government development in Oman. Specifically it aims to (a) identify the critical factors for effective information security compliance in public organizations in Oman, (b) develop a framework for information security compliance, and (c) provide the Omani government with some recommendations for effective information security compliance in public organizations for e-government development. To fulfill these research aims, a mixed-methods methodology is used. A conceptual framework is developed by hypothesizing the critical factors for effective information security compliance in organizations. With the use of survey data collected from public organizations in Oman, the conceptual framework is tested and validated using structural equation modeling. To further validate the identified critical factors, thematic analysis is carried out on the semi-structured interview data collected simultaneously. The quantitative findings and the qualitative findings are triangulated for better understanding information security compliance in public organizations for e-government development in Oman. 
The study reveals that management commitment, awareness and training, accountability, organizational loyalty, audit and monitoring, process integration, technology capability, technology compatibility, technology reliability, legal pressures, and social pressures are critical for effective information security compliance in public organizations for e-government development in Oman. Based on the critical factors identified, a new framework for information security compliance is developed. Such a framework consists of four main dimensions including (a) organizational security culture, (b) information security processes, (c) security technologies, and (d) environment pressures. This research contributes to the e-government and information security compliance research from both the theoretical and practical perspectives. From the theoretical perspective, this research demonstrates the applicability of socio-organizational factors for influencing information security compliance in public organizations for e-government development. From the practical perspective, this research provides an in-depth investigation of the critical factors for information security compliance, which provides the Omani government with useful guidelines on how to ensure information security in public organizations for e-government development. Such guidelines are also useful for other developing countries in their e-government development endeavors