9 research outputs found

    Measuring the Onlooker Effect in Information Security Violations

    Today’s organizations need to ensure that their critical information is secure, not leaked, and not inadvertently modified. Despite the awareness of organizations and their investment in implementing an information security management plan, information security breaches still cause financial and reputational costs for organizations. A recent report of the Ponemon Institute for 2019 showed that the global cost and frequency of data breaches increased, and negligent insiders are the root cause of most incidents. Many insider threats to cybersecurity are not malicious but are intentional. Specifically, more than 60 percent of reported incidents in 2019 were due to negligent or inadvertent employees or contractors (Ponemon Institute 2020). Many behavioral cybersecurity research projects investigate factors that influence mitigating information security violations, but there is still a need for a better understanding of behavioral factors. One of these factors is the perception of being overseen by onlookers: organization members to whom one’s security policy violations are visible, but who are not directly involved in the behavior. This study examines the onlooker effect through the lens of Sociometer Theory and Affective Events Theory, which were used to investigate the impact of the perception of being overseen in a workplace on an intention to violate information security policies. In addition, this study tests the hypothesis that individuals under this situation experience different negative affective responses. Finally, this research tests the hypothesis that perceived onlooker threat intensifies these relationships by examining its moderating influence. An experimental vignette study was conducted with the Qualtrics platform with the currently employed population who are aware of information security policies in their organizations to determine responses to treatment conditions.
The results suggested that the interaction of the perceived presence of onlookers and perceived onlooker threat results in experiencing negative affective responses such as shame, guilt, fear, and embarrassment. Moreover, the results showed that employees experiencing fear, guilt, or embarrassment have less intention to violate information security policies. Overall, this research advances the understanding of the onlooker effect and the essential role of perceived onlooker threat. This study has substantial theoretical and practical implications for information security scholars and practitioners.

    The Role of “Eyes of Others” in Security Violation Prevention: Measures and Constructs

    Security research recognizes the effect of “being seen” in reducing the likelihood of security violations in the workplace. This has typically been construed in the context of formal monitoring processes by employers, but there is an emerging notion that workers care about what their workplace colleagues think of them and their activities. We leverage this idea of the “Eyes of Others” in motivating pro-security behaviors to apply to security contexts. We find that, for a set of worker self-perceptions including Morality and Self-Consciousness, the likelihood of engaging in mundane workplace security violations is impacted by the knowledge that coworkers are watching. This has important implications for novel expansions of deterrence research in IS Security, going forward.

    Self-sovereign identity: a primer and call for research in information systems

    In this research-in-progress paper, we encourage information systems (IS) researchers to consider the self-sovereign identity (SSI) approach to identity management. We highlight several issues with current data practices, then provide an overview of SSI by discussing the technology and actors involved. Finally, we call for more IS research on SSI to ultimately increase its adoption.

    A Method for Interpretively Synthesizing Qualitative Research Findings

    In the qualitative research world, one can use a method called meta-synthesis to interpretively assess a compiled body of literature on a specific topic, though it has seen little application in business research, let alone in management information systems scholarship. However, because methods for qualitative inquiry have gained more popularity in the information systems discipline, this method holds great promise in supporting efforts toward theoretical generalization for qualitative researchers. Accordingly, in this paper, we present a methodological tutorial on the nature and practice of analytically synthesizing a body of qualitative research for developing and explicating theory.

    Teaching Tip: Hook, Line, and Sinker – The Development of a Phishing Exercise to Enhance Cybersecurity Awareness

    In this paper, we describe the development of an in-class exercise designed to teach students how to craft social engineering attacks. Specifically, we focus on the development of phishing emails. Providing an opportunity to craft offensive attacks not only helps prepare students for a career in penetration testing but can also enhance their ability to detect and defend against similar methods. First, we discuss the relevant background. Second, we outline the requirements necessary to implement the exercise. Third, we describe how we implemented the exercise. Finally, we discuss our results and share student feedback.

    Investigation on Willingness of Employees to Share Information Security Advice

    As modern organizations rely more on their information systems, mitigating information security risks becomes essential. Weaknesses in the information security management chain have continued to be challenged by employees. Therefore, enhancing employee security awareness becomes critical. Considering the effectiveness of informal methods, this research examines security advice sharing as one of the operative ways. Accordingly, in this paper, by adapting the theory of planned behavior as our theoretical lens, we propose a conceptual model of factors that are anticipated to impact the willingness of employees to share security advice. Finally, conclusions and avenues for future research are discussed.

    How Personality Has an Impact on Information Security Context: A Systematic Literature Review

    No full text
    Human behavior inside organizations is considered to be the main threat to organizations. Prior research demonstrated that employees are the weakest link in the information security management chain. Personality plays an important role in individuals’ decision-making process, and considering the role of employees’ personality in studying their behavior and actions is inevitable. This research-in-progress paper focuses on identifying how different dimensions of personality have been considered in the information security context. It presents a systematic literature review of studies that have been done on the Big Five personality traits and information security in the last 20 years. The results of this study not only provide a comprehensive view of the role of the Big Five traits in improving information security compliance in a workplace but also indicate the gaps in the current literature and elaborate on future research directions. This study also helps practitioners and managers to have a better understanding of the reasons behind employees’ intentions regarding information security behavior and may initiate some human resource procedures in organizations.

    Security Violation Prevention; CPTED in the context of information Security

    No full text
    Mitigating Information Security (IS) violations is crucial since organizations are relying more on their information systems. This cannot be achieved only by advancements in security software and hardware technologies; there is also a need for multi-perspective approaches toward security violation prevention in organizations. Thus, we apply the Crime Prevention through Environmental Design (CPTED) approach to develop a conceptual research model in the context of IS. Our model considers both technical and non-technical perspectives and covers human-related, managerial and physical aspects of IS management. Moreover, we propose the moderation roles of two personality traits (trait anxiety and negative affectivity) on the relationships between all five variables of the research model and IS violation, because the impact of personality is an inseparable part of human behavior. To the best of our knowledge, this is the first study that applies CPTED to the IS domain. This may help to reduce security violations in the organization.

    Investigating the Supervisor’s Role in Information Security Compliance

    No full text
    The awareness of organizations and their investment in information security have increased; however, the frequency of incidents per company has tripled from 2016. Insider-related security risks are still a top concern of security professionals and scholars. Thus, this study considers the influence of managers and the relationship between supervisors and employees as a factor that may impact information security compliance in a workplace. Moreover, this paper considers the impact of perceived organizational support by emphasizing the role of organizational commitment as a mediator, in response to the contradictory results of prior studies in the literature. Finally, role conflict is proposed as a moderator of the relationship between perceived supervisor support and security compliance behavior. This study extends the knowledge of the role of supervisor and organizational commitment in increasing security compliance behaviors for both practitioners and scholars.