
    Exploring Knowledge Sharing Practices for Raising Security Awareness

    This study aims to explore the types of information that can be effectively communicated through three knowledge-sharing methods and their impact on employees’ security practice. On one end, guarding the organisation’s information system against cyber-attacks is critical, and improving users’ knowledge and skills is a common approach in any security program. On the other end, organisations lack a clear understanding of what types of security information should be delivered through which methods of communication to be effective in boosting users’ knowledge and compliance behaviour. The study employed a qualitative method using semi-structured interviews with business users in Vietnam. The initial findings indicate that a single method of knowledge and skill development is not sufficient to help users deal with complex and constantly changing security needs. It is necessary to further experiment with methods of encouraging formal and peer knowledge sharing that can support individual effort in complying with security policies.

    Understanding the Roles of Challenge Security Demands, Psychological Resources in Information Security Policy Noncompliance

    It is widely agreed that employees’ noncompliance with information security policies (ISP) is still a major problem for organizations. In order to understand the factors that reduce employees’ ISP noncompliance, previous studies have focused on stressful security demands that aggravate noncompliance, and on tangible job resources that promote compliance. However, how security demands encourage employees to comply and how intangible resources affect employees’ ISP noncompliance have been largely overlooked. In this study, we posit and argue that challenge security demands and intangible psychological resources can help promote employees’ ISP compliance. Drawing on the Job Demands-Resources Model and the theory of psychological resources, we specifically examine the roles of continuity demand and mandatory demand as challenge security demands, and felt trust, professional development and personal resource as psychological resources, in influencing employees’ ISP noncompliance. The proposed model is validated by survey data from 224 employees. The theoretical and practical contributions are also discussed.

    Information security burnout: Identification of sources and mitigating factors from security demands and resources

    This study examines how information security burnout can develop from complying with organisational security demands, and whether security burnout can be reduced by engaging organisational and personal resources. The Job Demands-Resources model was extended to the IT security context to develop and empirically test a security burnout model, using a sample of 443 participants in Vietnam. The results demonstrate that security task overload and difficult access to security requirements increased security burnout, while dealing with challenging security requirements reduced burnout. Neither organisational resources nor user self-efficacy were effective in reducing burnout. Moreover, simple security tasks did not guarantee a burnout-free experience for users. The findings emphasise the significance of providing resources and designing security tasks as challenging and rewarding experiences, rather than simply reducing user involvement as a means of decreasing cyber security risks. The research establishes a theoretical basis for further studying the phenomenon of security burnout and its role in user security management.

    IMPROVING INFORMATION SECURITY PRACTICES TO REDUCE SECURITY-RELATED STRESS IN END-USERS

    This thesis studies the causes and consequences of security-related stress (SRS) in organizations, as well as how to combat the negative effects of the phenomenon. SRS, meaning stress that arises from information security requirements and practices enforced by the organization, can be considered a derivation of the more widely researched concept of technostress, which has been studied since the introduction of the first computers into the workplace. The primary theoretical framework used in this study is a conceptualization of security-related stress by Ament & Haag (2016), which suggests that security-related stress manifests itself through different stressors in three different environments: the work environment, the personal environment and the social environment. As all previous research on security-related stress has been quantitative, this study aims to provide new insight into the phenomenon qualitatively through the semi-structured interview method. The findings of the study bring to light the fact that while many of the causes and consequences of SRS identified in scientific research can indeed be found in an organization, they are not usually characterized or experienced as stressful by the employees. The more pressing matter seems to be the divide between information security professionals and end users, as most employees are not security-conscious and do not see information security as a real threat, therefore neglecting their information security responsibilities.

    Understanding employee non-malicious intentional and unintentional information security misbehaviors

    Digitization has given rise to information system security (ISS) risks, since the adoption of new technologies (e.g., IoT and multi-cloud environments) has increased vulnerabilities to ISS threats. The behavioral ISS literature depicts employees within organizations (insiders) as a major information security threat. Previous research extensively investigated insiders' intentional ISS misbehaviors. However, a growing number of security incidents caused by non-malicious insiders implies that potential factors influencing employees' non-compliance behaviors with information security policies (ISPs) are yet to be addressed. To this end, we conduct four studies (four essays) to understand why employees violate ISPs. Two studies investigate factors that lead to non-malicious intentional ISP violations. The other two studies explore how and why non-malicious unintentional ISP violations occur. Drawing on the person-technology fit model, essay 1 investigates how employees' interaction with information technology (IT) increases ISS vulnerabilities. This essay sheds light on the impact of one understudied aspect of IT use, technostress, on employees' non-malicious ISP violation intentions. Essay 2 relies on organizational role theory and explains how stress resulting from role expectations, including intra-role activities (e.g., job tasks) and extra-role activities (e.g., ISS requirements), could cause ISP non-compliance behaviors. To distinguish non-malicious intentional insiders from unintentional insiders, Essay 3 employs the dual-system theory to describe the mechanism of employees' decision-making process to comply (or not comply) with ISPs and aims to investigate the impact of personality traits such as risk-taking behavior, impulsivity, and curiosity on employees' ISS misbehaviors.
    Finally, to explore unknown factors influencing non-compliance behaviors with ISPs (e.g., individual, organizational), essay 4 proposes an in-depth qualitative approach to distinguish non-malicious intentional and unintentional ISS misbehaviors and identify potential causes rooted in each type of misbehavior. Overall, the dissertation highlights the importance of individual differences in perceptions of technostress, role stress, and personality traits. Moreover, it differentiates the nature of ISP violations based on the intents of employees and challenges the existing knowledge and theoretical frameworks regarding insiders' information security behaviors in the workplace. In doing so, the proposed theoretical models are assessed empirically by utilizing data (both interviews and online surveys) from a sample of employees from different organizations.

    Cyber defensive capacity and capability: A perspective from the financial sector of a small state

    This thesis explores ways in which the financial sectors of small states are able to defend themselves against ever-growing cyber threats, as well as ways these states can improve their cyber defense capability in order to withstand current and future attacks. To date, the context of small states in general is understudied. This study presents the challenges faced by financial sectors in small states with regard to withstanding cyberattacks. This study applies a mixed method approach through the use of various surveys, brainstorming sessions with financial sector focus groups, interviews with critical infrastructure stakeholders, a literature review, a comparative analysis of secondary data and a theoretical narrative review. The findings suggest that, for the Aruban financial sector, compliance is important, as even with minimal drivers, precautionary behavior is significant. Countermeasures of formal, informal, and technical controls need to be in place. This study indicates that defending a small state such as Aruba is challenging, yet enough economic indicators suggest it is not outside the realm of possibility. On a theoretical level, this thesis proposes a conceptual “whole-of-cyber” model inspired by military science and the VSM (Viable Systems Model). The concept of fighting power components and the governance S4 function form cyber defensive capacity’s shield and capability. The “whole-of-cyber” approach may be a good way to compensate for the lack of resources of small states. Collaboration may be the only way out, as the fastest-growing need will be for advanced IT skillsets.

    Security demands, organisational and personal resources: a stress-based security compliance model

    This thesis examines the impact of information security demands and organisational and personal resources on Information Technology (IT) users’ security compliance behaviour in different organisations in Vietnam. IT users’ security compliance is essential to the overall effectiveness of information security programs and policies in organisations. Users’ failure to comply with security policies and/or procedures results in cyber risks and compromises the security of the organisation’s information systems. By employing an exploratory sequential design of the mixed methods approach, this PhD research proposes and tests a theoretical model of stress-based security compliance. Specifically, the research demonstrates that security engagement mediates the impact of security demands and organisational and personal resources on employees’ security compliance. Existing research to date has not yet focused on mediating factors between security demands, organisational and personal resources, and users’ security compliance. The developed research model interrogated the extended Job Demands-Resources (JD-R) model, which is usually used to assess individuals’ work stress or burnout caused by fulfilling job demands, to explain security compliance. This research proposes that fulfilling security demands leads to compliance burnout, which consequently reduces security compliance. Adequate organisational and personal resources would not only reduce employees’ compliance burnout but also promote security engagement (i.e. the energy and enthusiasm in performing security tasks), which motivates user security compliance. The extended JD-R model has not been applied to ascertain determinants of security behaviour; therefore some qualitative research is required to check that the theory still applies.
    The first stage of the research (Study One) involved a qualitative study using in-depth interviews with 17 participants in three organisations to explore whether characteristics of security requirements and types of organisational and personal resources can explain security compliance. In particular, Study One identified three characteristics of security demands (security overload, access to security policies, and security skill requirements), four types of organisational resources (security communication efficacy, skill use and development, rewards, and sanctions) and two personal resources (self-efficacy and security exposure) that affected the participants’ security compliance. Findings from Study One helped further refine the theoretical model, as well as develop the survey instrument to test the model in the second stage of the research (Study Two). Study Two involved a quantitative study using a survey to empirically test the theoretical model developed from the literature review and Study One. Four hundred and forty-three (443) participants from different organisations in Vietnam took part in the survey. The study employed several procedural remedies during data collection to control for common method bias. The data collected from the survey was analysed using structural equation modelling, and the results of the analysis supported the theoretical model with some exceptions. Study Two found that factors drawn from the JD-R model, such as organisational resources, self-efficacy, and security engagement, have a much stronger impact on security compliance than security demands and compliance burnout do. In particular, security engagement partially and positively moderates the impact of organisational resources on security compliance and fully moderates the impact of security self-efficacy, security exposure, and security skill requirements on compliance.
    Study Two also demonstrated that security compliance burnout has little impact on security compliance if users receive effective organisational security resources and possess security self-efficacy. The findings of the research offer a number of theoretical and practical implications for advancing behavioural security research and for organisations developing effective security compliance programs, respectively. By extending the JD-R model, this research offers a theoretical explanation and empirical support for the mediating effects of security compliance burnout and engagement on security compliance. For security practitioners, the results showed that specific implementations and operations of IT security systems can have negative impacts on users’ burnout and engagement, which to some extent influence compliance with security policies. Security practitioners should focus on providing adequate resources to promote engagement and compliance.

    Exploring Strategies for Enforcing Cybersecurity Policies

    Some cybersecurity leaders have not enforced cybersecurity policies in their organizations. The lack of employee cybersecurity policy compliance is a significant threat to organizations because it leads to security risks and breaches. Grounded in the theory of planned behavior, the purpose of this qualitative case study was to explore the strategies cybersecurity leaders use to enforce cybersecurity policies. The participants were cybersecurity leaders from 3 large organizations in southwest and north-central Nigeria responsible for enforcing cybersecurity policies. The data collection included semi-structured interviews with participating cybersecurity leaders (n = 12) and analysis of cybersecurity policy documents (n = 20). Thematic analysis identified 4 primary themes: security awareness and training, communication, management support, and technology control. A key recommendation is that organizations should have a chief information security officer for oversight of cybersecurity. Employee cybersecurity compliance should be reviewed regularly throughout the year for improvement and desired cybersecurity behavior. The implications for positive social change include the potential for cybersecurity leaders to implement cybersecurity measures that could enhance the public’s confidence by assuring them of the safety and confidentiality of their data, the integrity of data, and the availability of services.

    How Attitude Toward the Behavior, Subjective Norm, and Perceived Behavioral Control Affects Information Security Behavior Intention

    The education sector is at high risk of information security (InfoSec) breaches and in need of improved security practices. Data protection cannot be achieved through technical means alone; the human behavior factor must be addressed. Security education, training, and awareness (SETA) programs are an effective method of addressing human InfoSec behavior. Applying sociobehavioral theories to InfoSec research provides information to aid IT security program managers in developing improved SETA programs. The purpose of this correlational study was to examine, through the theoretical lens of the theory of planned behavior (TPB), how attitude toward the behavior (ATT), subjective norm (SN), and perceived behavioral control (PBC) affected the intention of computer end users in a K-12 environment to follow InfoSec policy. Data were collected from 165 K-12 school administrators in Northeast Georgia using an online survey instrument. Data analysis applied multiple linear regression and logistic regression. The TPB model accounted for 30.8% of the variance in intention to comply with InfoSec policies. SN was a significant predictor of intention in the model; ATT and PBC were not significant. These findings suggest that K-12 SETA programs can be improved by addressing the normative beliefs of the individual. The application of improved SETA programs by IT security program managers that incorporate the findings and recommendations of this study may lead to greater information security in K-12 school systems. More secure school systems can contribute to social change through improved information protection as well as increased freedoms and privacy for employees, students, the organization, and the community.

    The mediating effect of intrinsic motivation on perceived work uncertainty for individual information security policy compliance

    This dissertation is centered on investigating how employees' intrinsic motivation mediates the relationship between perceived work uncertainty and individual information security policy compliance. As stay-at-home orders and unemployment increased, surveys indicated that 49% of traditional office employees experienced remote working for the first time. Work systems rapidly shifted to a reliance on home Wi-Fi networks, personal computers, and personal anti-virus software. This move created vulnerabilities to information security policies and procedures, where almost 20% of work-from-home employees were given no tips to improve information security at home (Security 2020). Unemployment increased, and remaining employees had to adapt to changing work tasks, reduced or lacking resources, and minimal technical or managerial support to navigate job uncertainty while maintaining overall information security. With organizational threats to information security increasing, it is becoming clear that little attention has been given to how individuals become intrinsically motivated when the design of work itself becomes uncertain. Taking into account the changing work and job environment and the uncertainty which this environment facilitates, we have identified a research gap: the need for individuals to rely on their skills and abilities to interpret work needs during uncertain times, and the intrinsically driven work motivation required to comply with organizational ISPs during times of perceived work uncertainty, has not been investigated. Using a theoretical basis of Work Design theory (Wall et al., 2002) and the Self-determination theory of work motivation (Gagné and Deci, 2005), we performed a cross-sectional survey of 269 participants at the onset and height of the global pandemic.
    One of the primary implications of this study and our results is the indirect mediation by intrinsic motivation of the relationship between perceived work uncertainty and intentions to comply with information security policies. Another vital aspect of our study’s findings is the view that information security policies (ISPs) themselves can become the source of uncertainty in compliance decisions. Almost all ISPs are developed to bring clarity to employees on how to address security threats while making compliance decisions. Where ISPs have been investigated for the demands (and impositions) they place on work goal attainment (or for inhibiting work requirements), we have found that ISPs may not be able to provide answers to all security threats encountered. Overall, our results should invigorate the debate about which strategies increase intrinsic motivation and what methods should be deployed to maximize positive reactions during uncertainty concerning information security compliance behaviors. This study has provided evidence that organizations should design work practices, especially ISPs, that allow employees latitude to make ISP compliance decisions when ISPs are unclear or uncertain and where managers similarly cannot provide correct courses of remedy or action.