Initial Validation and Empirical Development of the Construct of Computer Security Self-Efficacy (CSSE)

As organizations have become more dependent on networked information systems (IS) to conduct their business operations, their susceptibility to various threats to information security has also increased. Research has consistently identified the inappropriate security behavior of the users as the most significant of these threats. Various factors have been identified in prior research as contributing to these inappropriate security behaviors, however, not enough is known about the role of social factors in mediating these behaviors. This study developed a new Computer Security Self-Efficacy (CSSE) construct, identified 35 highly reliable items of CSSE in the context of individuals’ use of encrypted e-mail, and identified four significant factors of CSSE. The four factors were named Performance Accomplishments and Technical Support, Goal Commitment and Resource Availability, Experience Level, and Individual Characteristics. We conclude with a discussion on limitations and recommended future research that can result from the findings of this study

Ascertaining the Relationship between Security Awareness and the Security Behavior of Individuals

Security threats caused by the inappropriate actions of the user continue to be a significant security problem within any organization. The purpose of this study was to continue the efforts of Katz by assessing the security behavior and practices of working professionals. Katz conducted a study that assessed whether the faculty and staff at Armstrong Atlantic State University had been performing the simple everyday practices and behavior necessary to avert insider threats to information security. Critical in understanding human behavior is in knowing how behavior varies across different groups or demographics. Because a user\u27s behavior can be influenced by demographic groups, this study adapted Katz\u27s study by examining the influence on the security behavior of four demographic groups identified by gender, age, education, and occupation. Like Katz, this study used a 5-point Likert scale quantitative self-administered, closed-ended questionnaire to assess the participants\u27 security practices and behaviors. The questionnaire was developed in two sections: Section 1 used a binary scale to gather the participants\u27 demographics data while Section 2 used a 5-point Likert scale to measure the participants\u27 security behaviors. The sample population was derived from working professionals at the General Dynamic and Program Manager Advanced Amphibious Assault (GD & PM AAA) Facility in Woodbridge, Virginia. The total population at PM AAA Office was 288, of which 87 or 30% completed the survey. Results of the demographic survey indicate that (a) women were more security aware than their male counterparts, (b) younger participants were more security aware than their older counterparts, (c) participants who did not attend college were more security aware than their college-educated counterparts, and (d) participants in nontechnical positions were more security aware than their counterparts in technical positions. The results indicate that a relation exists between the participants\u27 security behaviors and their levels of security awareness

An Empirical Investigation of the Relationship between Computer Self-Efficacy and Information Privacy Concerns

The Internet and the growth of Information Technology (IT) and their enhanced capabilities to collect personal information have given rise to many privacy issues. Unauthorized access of personal information may result in identity theft, stalking, harassment, and other invasions of privacy. Information privacy concerns are impediments to broad-scale adoption of the Internet for purchasing decisions. Computer self-efficacy has been shown to be an effective predictor of behavioral intention and a critical determinant of intention to use Information Technology. This study investigated the relationship between an individual\u27s computer self-efficacy and information privacy concerns; and also examined the differences among different age groups and between genders regarding information privacy concerns and their relationships with computer self-efficacy. A paper-based survey was designed to empirically assess computer self-efficacy and information privacy concerns. The survey was developed by combining existing validated scales for computer self-efficacy and information privacy concerns. The target population of this study was the residents of New Jersey, U.S.A. The assessment was done by using the mall-intercept approach in which individuals were asked to fill out the survey. The sample size for this study was 400 students, professionals, and mature adults. The Shapiro-Wilk test was used for testing data normality and the Spearman rank-order test was used for correlation analyses. MANOVA test was used for comparing mean values of computer self-efficacy and information privacy concerns between genders and among age groups. The results showed that the correlation between computer self-efficacy and information privacy concerns was significant and positive; and there were differences between genders and among age groups regarding information privacy concerns and their relationships with computer self-efficacy. This study contributed to the body of knowledge about the relationships among antecedents and consequences of information privacy concerns and computer self-efficacy. The findings of this study can help corporations to improve e-commerce by targeting privacy policy-making efforts to address the explicit areas of consumer privacy concerns. The results of this study can also help IT practitioners to develop privacy protection tools and processes to address specific consumer privacy concerns

Self-Efficacy in Information Security: A Mixed Methods Study of Deaf End-Users

This explanatory sequential mixed methods study focuses on gaining an overall understanding of the potential variances in self-efficacy in information security and security practice behavior in the deaf population. Very little is understood about the deaf experience when engaging in security practices and their confidence levels in doing so. Due to the fastpaced nature of cyber security and its many facets, the human factor plays a crucial role in the success of cyber security. It is important to understand the potential implications of variances that may affect a deaf end-user’s security practice behavior to be able to provide more effective security awareness programs. By using a two-pronged approach, further insight is gained on the potential variances in self-efficacy in information security and the resultant security practice behavior. Starting with a broad quantitative survey that measures an end-user’s self-efficacy, behavioral intention, security practice with technology, and security practice conscious care behavior. In the first phase, data is collected to identify variances when compared hearing end-users allows for a greater understanding of what unique areas of weaknesses may need to be addressed. The second phase consisted of phenomenological semi-structured interviews that are held with deaf end-users that have indicated variances in self-efficacy in information security and security practice behavior. The intent of the interviews was to capture the essence of the deaf end-user’s lived experiences when engaging with security practice behavior. Through extensive data analysis of 228 responses from 119 deaf participants and 109 hearing participants, all three null hypotheses in this first phase of the study were rejected. It was concluded that deaf end-users had significantly higher SEIS while having a significantly lower behavioral intention, security practice – technology, and security practice – conscious vii care behavior than hearing end-users. It was also concluded in the first phase that a positive SEIS corresponds to improved security practice behavior for both deaf and hearing end-users. In-depth semi-structured interviews of 10 deaf end-users who indicated a variance in self-efficacy in information security and security practice behavior allowed for the identification of essential themes. These themes were derived from coded analysis of the interviews: (1) Deaf-Specific Barriers; (2) Digital Literacy; (3) Positive Security Intention; (4) Reliance on Technology; (5) Poor Security Knowledge; (6) Poor Security Behavior; (7) Having a Support Network. These identified themes were prevalent among all deaf end-users of varying demographics and backgrounds. The impact of this study is to highlight the need for the development of tailored and accessible cyber security awareness programs for deaf end-users to address the significantly lower security practice behavior in comparison to hearing end-users. The identification of a such variance and understanding the lived experiences that lead to such behavior raises the need for additional research into the full scope of impact on deaf end-users’ security practice behavior and how to best address the concerns

Empirical Analysis of Socio-Cognitive Factors Affecting Security Behaviors and Practices of Smartphone Users

The overall security posture of information systems (IS) depends on the behaviors of the IS users. Several studies have shown that users are the greatest vulnerability to IS security. The proliferation of smartphones is introducing an entirely new set of risks, threats, and vulnerabilities. Smartphone devices amplify this data exposure problem by enabling instantaneous transmission and storage of personally identifiable information (PII) by smartphone users, which is becoming a major security risk. Moreover, companies are also capitalizing on the availability and powerful computing capabilities of these smartphone devices and developing a bring-your-own-device (BYOD) program, which makes companies susceptible to divulgence of organizational proprietary information and sensitive customer information. In addition to users being the greatest risk to IS security, several studies have shown that many people do not implement even the most basic security countermeasures on their smartphones. The lack of security countermeasures implementation, risky user behavior, and the amount of sensitive information stored and transmitted on smartphones is becoming an ever-increasing problem. A literature review revealed a significant gap in literature pertaining to smartphone security. This study identified six socio-cognitive factors from the domain of traditional computer security which have shown to have an impact on user security behaviors and practices. The six factors this study identified and analyzed are mobile information security self-efficacy, institutional trust, party trust, and awareness of smartphone risks, threats, and vulnerabilities and their influence on smartphone security practices and behaviors. The analysis done in this research was confirmatory factor analysis (CFA) – structural equation modeling (SEM). The goal of this study was to cross-validate previously validated factors within the context of traditional computer security and assess their applicability in the context of smartphone security. Additionally, this study assessed the influential significance of these factors on the security behaviors and practices of smartphone users. This study used a Web-based survey and was distributed to approximately 539 users through Facebook® and LinkedIn® social media outlets which resulted in 275 responses for a 51% response rate. After pre-analysis data screening was completed, there were a total of 19 responses that had to be eliminated due to unengaged responses and outliers leaving 256 responses left to analyze. The results of the analysis found that vulnerability awareness, threat awareness, and risk awareness are interrelated to one another which all in turn had significance in predicting self-efficacy, security practices, and behaviors. This intricate relationship revealed in this study indicates that a user has to have an increased awareness in all three categories of awareness before they can fully understand how to protect themselves. Having an increased awareness in one category does not impact the overall security posture of the user and that risk, threat, and vulnerability awareness all work together. Another interesting find was that as risk awareness increased the less the smartphone users protected themselves. This finding warrants additional research to investigate why the user is more averse to risk, and willing to accept the risk, despite their increased awareness. Finally, institutional trust and party trust was found not to have any significance on any of the factors. These findings should give smartphone users and organizations insight into specific areas to focus on in minimizing inappropriate security behaviors and practices of smartphone users. More specifically, users and organizations need to focus on educating users on all three factors of threats, risks, and vulnerabilities in order for there to have any impact on increasing self-efficacy and reducing inappropriate security behaviors and practices