10,636 research outputs found

    Protection-motivated behaviors of organizational insiders

    Protecting information from a wide variety of security threats is an important and sometimes daunting organizational activity. Instead of solely relying on technological advancements to help solve human problems, managers within firms must recognize and understand the roles that organizational insiders have in the protection of information. The systematic study of human influences on organizational information security is termed behavioral information security (Fagnot 2008; Stanton, Stam, Mastrangelo, and Jolton 2006), and it affirms that the protection of organizational information assets is best achieved when the detrimental behaviors of organizational insiders are effectively deterred and the beneficial activities of these individuals are appropriately encouraged. Relative to the former, the latter facet has received little attention in the academic literature. Given this opportunity, this dissertation explicitly focuses upon protective behaviors that help promote the protection of organizational information resources. These behaviors are termed protection-motivated behaviors (PMBs) and are defined as the volitional behaviors organizational insiders can enact that protect (1) organizationally-relevant information within their firms and (2) the computer-based information systems in which that information is stored, collected, disseminated, and/or manipulated from information-security threats. Each of the chapters herein is dedicated to fostering knowledge about these beneficial behaviors and acts as a complement to existing research in order to more fully support the entire scope of behavioral information security. Chapter 2 focuses upon the development of a formal typology of PMBs and relies on the complementary classification techniques of Multidimensional Scaling (MDS), Property Fitting (ProFit) analysis, and cluster analysis. 
67 individual PMBs were discovered, and the above classification techniques uncovered a three-dimensional perceptual space common among organizational insiders regarding PMBs. This space verifies that insiders differentiate PMBs according to whether the behaviors (1) require minor or continual level of improvements within organizations, (2) are widely or narrowly standardized and applied throughout various organizations, and (3) are a reasonable or unreasonable request of organizations to make of their insiders. 14 unique clusters were also discovered during this process, which finding further assists information security researchers in their understanding of how organizational insiders perceive the behaviors that help protect information assets. Chapter 3 uses the findings from Chapter 2 to develop a self-report measure of insiders' engagement in PMBs within their organizations. PMBs are modeled as a multiple indicators and multiple causes (MIMIC) structure (Joreskog and Goldberger 1975) with the clusters found in Chapter 2 being first-order, formative constructs of the overall, second-order PMB measure. These clusters explain over 70% of the variance in overall PMB activity. The nomological validity of the newly constructed measure is also empirically examined in this chapter, and the results largely support the conceptualization of PMBs. Chapter 4 places the measure developed in the previous chapter in a motivational model founded on Protection Motivation Theory (PMT) (Rogers 1975, 1983). The findings from covariance-based structural equation modeling show that insiders' motivation to engage in PMBs is largely influenced by the perceived efficacy of protective responses and potential adaptive response costs—both components of the coping appraisal process. Fear, however, is shown to have little influence on these motivational levels. In addition to the PMT components, several rival explanations are examined.
Job satisfaction and management support are found to significantly explain variance in organizational insiders' motivation to engage in PMBs. In summary, this dissertation comprises a significant work in the field of behavioral information security by conducting 33 semi-structured interviews, eliciting the participation of 13 subject matter experts, and issuing 6 individual data collections. When these efforts are combined, the results of this dissertation are based on the responses of more than 1,700 organizational insiders. The findings help both information security researchers and managers within organizations more fully understand the protective role that organizational insiders play in the protection of information resources

    Information security: Listening to the perspective of organisational insiders

    Aligned with the strategy-as-practice research tradition, this article investigates how organisational insiders understand and perceive their surrounding information security practices, how they interpret them, and how they turn such interpretations into strategic actions. The study takes a qualitative case study approach, and participants are employees at the Research & Development department of a multinational original brand manufacturer. The article makes an important contribution to organisational information security management. It addresses the behaviour of organisational insiders – a group whose role in the prevention, response and mitigation of information security incidents is critical. The article identifies a set of organisational insiders’ perceived components of effective information security practices (organisational mission statement; common understanding of information security; awareness of threats; knowledge of information security incidents, routines and policy; relationships between employees; circulation of stories; role of punishment provisions; and training), based on which more successful information security strategies can be developed

    To Fear or Not to Fear? A Critical Review and Analysis of Fear Appeals in the Information Security Context

    Controlling organizational insiders’ security behaviors is an important management concern. Research presents fear appeals as a viable security control to promote protective security behaviors. To date, research has proven security-related fear appeals to effectively control insiders’ security behaviors. However, from critically examining fear appeals, we find a different story. Specifically, we critically analyze security-related fear appeal research from two ontological positions: critical realism and critical constructivism. The critical realist analysis identifies several issues with existing fear appeal research, which particular research traditions may cause. We explicate these traditions and issues in the paper. The critical constructivist analysis draws on critical management studies of control and Foucault’s work to identify the identities, beliefs, and values that fear appeals promote and the ways in which fear appeals create discursive closures that limit the consideration and discussion of other positions. Based on the two analyses, we provide important directions for future fear appeal research

    A descriptive review and classification of organizational information security awareness research

    Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, which were published over the last decade from 2008 to 2018, were analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding

    The impact of organizational insiders' psychological capital on information security

    This dissertation research seeks to examine the role of organizational insiders' psychological capital (PsyCap) on the performance of protection motivated behaviors (PMBs). The dissertation examines the role of PsyCap through three studies which were conducted for this research. Using structural equation modeling (SEM), the responses from four distinct samples were analyzed. The results largely support the significant role of PsyCap in information security. The first study takes an expectancy theory (Vroom, 1964) approach and found that PsyCap was a significant consequence of insiders' security-related expectancy dimensions. Additionally, expectancy theory was found to be an appropriate framework for promoting PMBs. The expectancy dimensions were found to be trainable through security, education, training, and awareness (SETA) programs, and were significantly related to the performance of PMBs. The second study draws upon the broaden-and-build theory (Fredrickson, 2004) to examine the role of PsyCap within an emotional security framework. The second study found that the broaden-and-build theory explained the performance of PMBs through a direct relationship between emotion and behavior as well as through an indirect relationship between emotions and an insider's PsyCap. Finally, the dissertation examines the role of PsyCap in information security from a framework of behavioral complexity (Wu et al., 2010) in the third study. The results of the third study indicate that PsyCap is a significant contributor to a model of security behavioral complexity which is shown to effectively influence insiders' performance of PMBs. Implications of the results on both practice and research are discussed along with limitations to the current studies. The overall contributions of the dissertation are highlighted and areas of future research evidenced by the findings are raised

    The Influence of Information Security Stress on Security Policy Compliance: A Protection Motivation Theory Perspective

    The occurrence of security incidents will not only cause substantial loss to the enterprise but also serious damage to goodwill. An enterprise has to formulate and implement effective security policies to reduce the occurrence of security incidents. However, the process of promoting the security policy will put stress on employees. The focus of this paper is whether these pressures will affect staff's compliance with the security policies based on the protection motivation theory. This study uses a survey method and 324 responses are collected. The results show that security task stress and security job stress have a significant impact on the formation of security role stress. Security role stress impacts threat and coping appraisals leading to security compliance

    Understanding the Whistle-blowing Intention to Report Breach of Confidentiality

    We examine the factors that encourage employees to whistle-blow wrongdoings in relation to confidentiality breaches. We investigate how their anticipated regret about remaining silent changes over time, how such changes influence their whistle-blowing intentions, and what employee characteristics and organizational policies moderate this relationship. Drawing on attribution theory, we develop three hypotheses. Our experiment findings show that: 1) employees’ perceptions of the controllability and intentionality (but not stability) of the wrongdoing act affect how their anticipated regret evolves, 2) anticipated regret increases employees’ whistle-blowing intentions, 3) anticipated regret has a stronger effect on whistle-blowing intentions when organizations implement policies that promote efforts to protect information confidentiality, and 4) employees with information technology knowledge have a stronger intention to whistle-blow. Theoretically, our study extends the organization security literature’s focus to individuals’ whistle-blowing and highlights an IS research agenda around whistle-blowing in relation to confidentiality breaches. Practically, it informs organizations about how to encourage employees to whistle-blow when they observe confidentiality breaches

    Mitigating Insider Sabotage and Espionage: A Review of the United States Air Force's Current Posture

    The security threat from malicious insiders affects all organizations. Mitigating this problem is quite difficult due to the fact that (1) there is no definitive profile for malicious insiders, (2) organizations have placed trust in these individuals, and (3) insiders have a vast knowledge of their organization’s personnel, security policies, and information systems. The purpose of this research is to analyze to what extent the United States Air Force (USAF) security policies address the insider threat problem. The policies are reviewed in terms of how well they align with best practices published by the Carnegie Mellon University Computer Emergency Readiness Team and additional factors this research deems important, including motivations, organizational priorities, and social networks. Based on the findings of the policy review, this research offers actionable recommendations that the USAF could implement in order to better prevent, detect, and respond to malicious insider attacks. The most important course of action is to better utilize its workforce. All personnel should be trained on observable behaviors that can be precursors to malicious activity. Additionally, supervisors need to be empowered as the first line of defense, monitoring for stress, unmet expectations, and disgruntlement. In addition, this research proposes three new best practices regarding (1) screening for prior concerning behaviors, predispositions, and technical incidents, (2) issuing sanctions for inappropriate technical acts, and (3) requiring supervisors to take a proactive role

    Buying in and Feeling Responsible: A Model of Extra-role Security Behavior

    Extra-role security behavior has been recognized as a salient element of information security. Drawing upon the research on proactivity in the management literature, we identify ‘felt responsibility for constructive change’ (FRCC) as an important proactive motivational state that drives the behavior. We then follow proactive motivation theory and seek the contextual element and individual difference that precede FRCC. Based on buy-in theory, we propose that user participation in the development of information security-related activities and artifacts induces FRCC. To balance context specificity with generality, we model the individual difference of proactive personality as a moderator of this relation. Our model expands the scope of studying behavioral security by addressing users’ proactive involvement in protecting organizations’ information assets, as opposed to only examining reactive and passive user involvement. Further, the model extends the literature by addressing how promoting positive pre-kinetic events serves organizational information security