    Information Security Policy Compliance in SMEs

    In the paper we examined attitudes, intent and adherence to information security policies and procedures in SMEs in Slovakia. Data were collected from the employees of several SMEs in the Slovak Republic. Not all enterprises have established information security policies and procedures. Only 443 respondents (of 722) worked in an SME that had formulated an information security policy. No impact of enterprise size or respondent age on the measured variables was shown. IT-related jobs, managerial posts and the education level of the respondents showed a significant impact on the evaluation of attitudes, intentions and adherence to information security policies and procedures. Among the statistical methods, we used maximum-likelihood estimation of the polychoric correlation coefficient. The calculations were carried out in the R statistical programming environment.

    IT Security Policy Compliance: A University Perspective


    Beyond Rational Information Security Decisions: An Alternate View

    Extant work has examined users’ security behavior in both individual and organizational contexts, mainly by applying theories that assume users’ rationality. While this has enhanced our understanding of the conscious factors that underlie security behaviors, the assumption of conscious rationality bounds the theoretical lens. Addressing this limitation would facilitate expanding the knowledge ecology in the information security literature. Information security studies have started to recognize this assumption. To evaluate this milieu of disparate approaches, we conduct a preliminary literature review and identify several nonconscious factors that may shape security behaviors. In this ERF paper, we discuss herd behavior, cognitive biases, automatic cognition (also termed system 1 thinking), affect, risk homeostasis, and framing effects perception. We discuss future plans to develop a research framework that integrates the alternate nonconscious factors that may underlie security behavior, thereby providing a comprehensive alternate approach to studying behavioral information security.

    Will SOC telemetry data improve predictive models of user riskiness? A work in progress

    Security Operation Centers (SOCs) play a key role in protecting organizations from many cybersecurity threats, such as system intrusions or information breaches. A major challenge in improving SOC operations is the adequacy of the data used to identify such threats. Detection tools employed by SOCs are largely based on observable telemetry indicators (e.g., network traffic patterns or system logs and activities collected from user devices). However, the use of such telemetry data without an in-depth understanding of human behaviors can lead to increasing false-positive alerts. Prior work shows that this can become an even more significant problem when analysts largely ignore alerts because they are overwhelmingly false-positive. These false-positive alerts raise SOC analysts’ cognitive workload, diminish conscious cognitive processing, and decrease their trust in future alerts.

    Perceptions of Information Systems Security Compliance: An Empirical Study in Higher Education Setting

    Ensuring information systems security policy compliance is an integral part of the security program of any organization. This paper investigated the perceptions of different stakeholder groups towards the information security policy compliance constructs of the Unified Model of Information Security Compliance (UMISPC) [1] in a higher education environment. The research findings showed that faculty/staff generally have a higher tendency towards security policy compliance compared to students in a higher education institution. In addition, students with security knowledge are more inclined to engage in security policy compliance activities. Our findings not only add to the knowledge base of information systems security compliance research, but also offer practical implications.

    A Review of Information Systems Security Management: An Integrated Framework

    As information has become a basic commodity and strategic asset, information systems (IS) security has become increasingly important to organizations. This paper conducts a review of the prior literature that has studied non-technical factors of IS security issues from an organizational perspective rather than at the individual level. Five key concepts are studied: IS security management, organizational factors, human factors, strategic planning, and IS security policies. By integrating the main concepts that are reflected in the literature, this paper proposes an integrated framework which provides a comprehensive look at effective IS security management. Four propositions are developed. This framework is intended to provide guidance for organizations and security practitioners that need to implement their IS security management effectively.

    Rhetorical appeals and legitimacy perceptions: How to induce information security policy compliance

    This paper intends to extend Protection Motivation Theory (one of the leading theories in information security research) based on innovation diffusion and institutional legitimacy theories. We postulate that legitimacy, of which fear is only a partial representation, is a more comprehensive antecedent to the intention to comply with security policies. We argue for the use of ethos, pathos, and logos appeals to complement the fear rhetoric traditionally present in information security research, to elicit legitimacy judgments and, indirectly, the intention to comply. We propose an experiment in which, by manipulating the rhetorical elements of the communication, we can study its impact on legitimacy and ultimately on the intention to abide by the security policy.

    A Compliance-Based Framework for Digital Identity Management

    Managing digital identity is critical for minimizing the potential loss from identity theft in organizations. How digital identity can be better managed, however, remains to be addressed. This study investigates what affects the adoption of a compliance-based approach for managing digital identities in organizations. A comprehensive review of the related literature has been conducted, leading to the development of a compliance-based framework that integrates the unified theory of acceptance and use of technology and general deterrence theory for better understanding the adoption of the compliance-based approach. This framework can then be tested and validated using structural equation modelling of the collected survey data, leading to the identification of the critical factors affecting the adoption of the compliance-based approach to managing digital identities. It contributes to the existing digital identity management literature by proposing an integrated framework for better exploring the adoption of a compliance-based approach for managing digital identities.

    Information Resilience in a Digital Built Environment

    Information is the underpinning driver in the Digitised Built Environment and crucial to the Centre for Digital Built Britain’s agenda. Threats to information affect the intrinsic, relational and security dimensions of information quality. Therefore, the DBE requires capabilities of people, and requirements of the process, software and hardware, for threat prevention and reduction. Existing research and protocols seldom outline the capabilities and requirements needed to reduce threats to information. The aim of this report is to develop an information resilience framework which outlines the capabilities and requirements needed to ensure the resilience of information throughout its lifecycle: creation, use, storage, reuse, preservation and destruction. The findings highlight the need for people’s (stakeholder) competencies and behaviours, which are driven by cognitive abilities such as attention, learning, reasoning and perception. Furthermore, process requirements such as embedding a validation check process, standard requirements for Level of Detail and digital upskilling, among others, were identified. Additionally, identified software requirements include the ability to be customised to meet project needs, detect conflicts and provide context for information. Finally, hardware requirements encompass facilitating backup, having a high-capacity system and being inaccessible to peripherals. This research will be further extended to the development of a decision-making assessment tool to measure capabilities and requirements across the entire lifecycle of built assets.