7,451 research outputs found

    Information Security Practices in Organizations: A Literature Review on Challenges and Related Measures

    This paper reports a systematic literature review that explores challenges related to information security practices in organizations and the ways these challenges are managed to avoid security breaches. We focused on empirical evidence from extant research studies and identified four general challenges related to: (1) security rules and procedures, (2) individual and personal risks, (3) culture and security awareness, and (4) organizational and power relations. To manage these risks, nine measures were prominent in the selected studies. Training and organizational collaboration across the hierarchical levels were widely used to enhance the security culture. In addition, awareness campaigns for the workforce, as well as continuously measuring and improving security initiatives were highly recommended. Our literature review points to the socio-technical aspects of information security. Although many organizations have both administrative and technical infrastructures in place, they must also think about employee attitudes, knowledge, and behavior. Information systems research towards this direction needs to be further developed. More qualitative studies are needed for exploring how to develop a culture of security awareness and for gaining insights on how security rules and training courses can become more appealing and accessible

    Leadership and employees reaction towards change: role of leaders' personal attributes and transformational leadership

    This research study has empirically examined the role of leadership in shaping employees' attitude towards an organizational change/reform in an educational sector organization i.e. Army Public Schools and Colleges System, Pakistan. Data was collected from 95 leaders (principals, wing-heads and coordinators) and 250 employees (teachers) through convenience sampling technique. Data was analyzed through Hierarchical Linear Modeling (HLM). This study has found that leaders' and teachers' dispositional resistance to change were positively related to teachers' intentions to resist change and leaders' transformational behaviors had a negative impact on teachers' intentions to resist change. Furthermore, leaders' conservation values were positively related to teachers' resistance intentions whereas leaders' openness to change values were negatively associated with teachers' resistance intentions. However, transformational leadership did not moderate the relationship between teachers' dispositional resistance to change and teachers' resistance intentions

    How do security managers motivate employees' security behavior - Leadership perspective

    In today’s digital world, there are several possible threats to organizations. Because of these possible threats, it is important to be as aware as possible and prepared for attacks to occur. Large and small organizations should have a good team of employees and a good leader to carry the organization through possible threats and attacks. Cybersecurity is not just about technology but a mix of different aspects involving people and policy. For an organization to succeed in the field of cybersecurity, the organization needs to have committed and skilled managers at the top. This study examines how security managers seek to motivate and influence employees' security behavior and which leadership styles they adopt to do so. There is a need for research that specifically addresses the approaches that security managers can adopt to motivate their employees toward security behavior. To find this out, the research approach I used was a qualitative interview study with semi-structured interviews and a systematic literature review approach. I interviewed eight security managers in various organizations from Norway and abroad. The interviews were transcribed and then coded into different categories. I also used a systematic literature review approach to look at previous studies on this topic and create a literature background for my study. The findings show a variation in the leadership styles adopted by the different security managers and the approaches used to motivate employees. I created a table with an overview of the leadership styles I found in my study, including the different approaches related to the leadership styles. There are differences in the approaches that are used to motivate in relation to the adopted leadership styles, but also similarities across the styles. This study contributes to promoting approaches that can help various organizations and security managers to motivate and influence their employees' security behavior. It can also help raise awareness of how necessary it is to motivate your employees, especially in cybersecurity

    Factors that Affect the Success of Security Education, Training, and Awareness Programs: A Literature Review

    Preventing IT security incidents poses a great challenge for organizations. Today, senior managers allocate more resources to IT security programs (especially those programs that focus on educating and training employees) in order to reduce human misbehavior—a significant cause of IT security incidents. Building on the results of a literature review, we identify factors that affect the success of security education, training, and awareness (SETA) programs and organize them in a conceptual classification. The classification contains human influencing factors derived from different behavioral, decision making, and criminology theories that lead to IT security compliance and noncompliance. The classification comprehensively summarizes these factors and shows the correlations between them. The classification can help one to design and develop SETA programs and to establish suitable conditions for integrating them into organizations

    Effects of a Comprehensive Computer Security Policy on Human Computer Security Policy Compliance

    It is well known that humans are the weakest link in computer security, and that developing and maintaining a culture of computer security is essential for managing the human aspect of computer security. It is less well known how a comprehensive computer security policy incorporating both information technology computer security, and operational technology computer security, impacts a culture of computer security. While a literature review of this domain includes research on the impact of various aspects of a computer security policy on computer security culture, no peer reviewed research was found that explained the impact of a comprehensive computer security policy on computer security culture through an understanding of its direct or indirect effects. Thus, it is the thesis of this study that a comprehensive computer security policy has a direct effect on computer security culture, which can be further explained through indirect effects

    SNS Use, Risk, and Executive Behavior

    Organizations can suffer attacks designed to take advantage of employee vulnerabilities. Successful attacks cause firms to suffer financial damage ranging from minor information breaches to severe financial losses. Cybercriminals focus on organization executives, because the power and influence they wield affords access to more sensitive data and financial resources. The purpose of this research in progress submission is to identify the types of executive behaviors that information security professionals believe introduce risk to an organization, as well as to explore the degree of risk organizations face as a result of these behaviors

    Information Security Compliance regarding Security Culture, Job Satisfaction, and Perceived Organizational Support

    Heeding recent calls for more replications in MIS research (Dennis and Valacich 2014), this study is a methodological replication of the original research (D’Arcy and Greene 2014) to investigate the drivers of employees’ security compliance regarding security culture and the employment relationship. Data were collected using an online survey of respondents recruited with the snowball method. We applied the structural equation modeling technique (SmartPLS 2.0) to test three hypotheses and achieved similar results compared with the original paper. Our findings reflect that organizational security culture and employees’ job satisfaction are drivers of employees’ security compliance in the workplace. The results also provide empirical validation of the measurement of security culture, which consisted of a three-dimensional nature, including top management commitment, security communication, and computer monitoring

    Social Engineering: How U.S. Businesses Strengthen the Weakest Link against Cybersecurity Threats

    The purpose of this transcendental phenomenological qualitative study was to investigate how IS professionals working in U.S. businesses make sense of their lives and experiences as they address and prevent vulnerabilities to social engineering attacks. This larger problem was explored through an in-depth study of social engineering and its effect on IS professionals working in U.S. businesses operating within healthcare, financial services, and educational industries across the central and northwest regions of Louisiana. Through its use of a phenomenological research design, the study bridged a gap in the social engineering literature, which was primarily comprised of studies that utilized a quantitative methodology. The use of a qualitative approach allowed participants to give voice to their beliefs, thoughts, and motivations about the work they do. The findings, consisting of ten themes and two subthemes, present the essence of experience of six IS professionals addressing and preventing social engineering vulnerabilities in their workplace. The findings revealed that the lived experience of protecting an organization from social engineering attacks involves the unification of people across the enterprise to develop a strong security-minded culture. Additionally, participants shared two primary beliefs, (1) that social engineering attacks would never be eradicated and (2) that IS professionals depend on everyone in the organization to protect the organization from social engineering attacks. The study offers recommendations to IS professionals, business leadership, HR professionals, educators, consultants, vendors, and researchers

    Patients’ perception of the information security management in health centers: the role of organizational and human factors

    Background: Researchers paid little attention to understanding the association of organizational and human factors with patients’ perceived security in the context of health organizations. This study aims to address numerous gaps in this context. Patients’ perceptions about employees’ training on security issues, monitoring on security issues, ethics, physical & technical protection and trust in hospitals were identified as organizational and human factors. Methods: After the development of 12 hypotheses, a quantitative, cross-sectional, self-administered survey method was applied to collect data in 9 hospitals in Iran. After the collection of 382 usable questionnaires, the partial least square structural modeling was applied to examine the hypotheses and it was found that 11 hypotheses were empirically supported. Results: The results suggest that patients’ trust in hospitals can significantly predict their perceived security but no significant associations were found between patients’ physical protection mechanisms in the hospital and their perceived information security in a hospital. We also found that patients’ perceptions about the physical protection mechanism of a hospital can significantly predict their trust in hospitals which is a novel finding by this research. Conclusions: The findings imply that hospitals should formulate policies to improve patients’ perception about such factors, which ultimately lead to their perceived security