28 research outputs found

    Information Security Awareness: Literature Review and Integrative Framework

    Individuals’ information security awareness (ISA) plays a critical role in determining their security-related behavior in both organizational and private contexts. Understanding this relationship has important implications for individuals and organizations alike who continuously struggle to protect their information security. Despite much research on ISA, there is a lack of an overarching picture of the concept of ISA and its relationship with other constructs. By reviewing 40 studies, this study synthesizes the relationship between ISA and its antecedents and consequences. In particular, we (1) examine definitions of ISA; (2) categorize antecedents of ISA according to their level of origin; and (3) identify consequences of ISA in terms of changes in beliefs, attitudes, intentions, and actual security-related behaviors. A framework illustrating the relationships between the constructs is provided and areas for future research are identified

    When Colleagues Fail: Examining the Role of Information Security Awareness on Extra-Role Security Behaviors

    Although prior information security research predominantly focuses on organizational in-role security behaviors (e.g., information security policy (ISP) compliance), the role of extra-role security behaviors – secure actions unspecified in ISPs but beneficial to organizations – has not seen nearly as much attention. At the same time, employees’ awareness manifests itself as prerequisite for security behavior but without research having really understood all of its potential impacts. Therefore this study examines the role of information security awareness (ISA) in enhancing extra-role security behaviors in addition to in-role security behaviors. In particular, we propose that general ISA enhances promotive extra-role security behaviors (i.e., helping and voice) and ISP awareness fosters prohibitive extra-role security behaviors (i.e., stewardship and whistle-blowing). Data was collected from a field study, where employees responded to incoming emails from co-workers and supervisors asking for password sharing, unsafe data sharing via private emails, as well as the use of private cloud services and unauthorized software. Our findings show that general ISA and ISP awareness are indeed driving both in-role and extra-role security behaviors. We discuss our implications for theory and practice, and conclude with interesting avenues for further research

    A NEUROSECURITY PERSPECTIVE ON THE FORMATION OF INFORMATION SECURITY AWARENESS – PROPOSING A MULTI-METHOD APPROACH

    In today’s digital age, in which all kinds of information can be accessed electronically at all times, organizations are under continuous pressure of keeping their information systems (IS) secure. To protect IS and information assets from insider threats, information security awareness (ISA) has been established as a crucial factor in influencing employees’ behaviour that is supportive or disruptive of IS security. But yet to date, there is still a lack of in-depth and structured understanding of the factors influencing ISA. In this research-in-progress paper, we conduct a literature review to categorize determinants of ISA into four levels of origin (individual, organizational, social-environmental, and application-specific) and identify topics that are promising for future research. We then present our planned study as an example to pursue our recommendations. In the IS security context of phishing, we aim to uncover the extent to which non-IS professionals are able to develop an eye for technical aspects of IS security and pay higher visual attention to security and fraud indicators of web browsers and e-mails after being subject to different organizational awareness-raising activities. Among a survey and literature analysis, the multi-method approach uses the objective data collection instrument of eye tracking. We expect to contribute into the nascent area of neurosecurity research by offering new insights on the effectiveness of organizational means to increase employees’ ISA

    What Faces Can(not) Tell – A Multi-Channel Analysis of Emotional Responses to Computer-Transferred Stimuli

    In Information Systems (IS) research, emotions are predominantly measured using self-reports of survey participants (e.g. in IS adoption) or facial expressions (e.g. in Human-Computer Interaction). In order to combine both measurement foci, we assess and compare the impact of facial emotional reactions to computer-induced stimuli on self-reported perceptive evaluations towards the respective stimulus and system by using a multi-method experimental approach with multi-channel analysis. We captured implicit emotional expressions of happiness of 176 participants using eye-tracker and webcam technology as implicit emotion measures together with a post-experimental questionnaire containing items for the explicit emotion of pleasure, social presence, and arousal. Results analyzed using the FACS procedure (Ekman and Friesen 1978) and test for mean inequality indicate that facially transmitted happiness in response to hedonic design elements in online job ads leads to an increase in self-report measures for pleasure, but not unambiguously for social presence and arousal. Furthermore, we find support for the effect of implicit emotion expression of happiness on the explicit self-report measures of pleasure and arousal being higher for the measures of pleasure. We contribute to IS research on human behavior by complementing self-reported measures of emotion with a physical emotional measure in response to system’s feature, and by linking these measured emotional physical responses to individual behavior. In addition, by comparing both implicit (physical) and explicit (overt self-reported perceptions) measures of emotional responses we provide a more detailed picture on benefits and limitations of both measures and about their internal relationship

    System Characteristic or User Purpose? - A Multi-group Analysis on the Adoption of Online Shopping by Mobility Impaired and Unimpaired Users

    Since van der Heijden (2004) it is widely accepted that hedonic and utilitarian information systems underlie different adoption mechanisms. Within this research, we compare two homogenous user groups and their adoption behaviors with respect to e-commerce websites. The groups thereby differ only in the fact that one of them consists of individuals suffering from mobility impairment. Consistent with theory in psychology and medical rehabilitation that suggests that disablement leads to an adapted evaluation of surroundings (including ICT) in terms of needs and purposes, we show by means of a multi-group structural equation analysis that concerning adoption determinants of a system, not only the mere system characteristics (utilitarian vs. hedonic) matter, but also the value that is attached to the system by the user in terms of his personal needs. The results indicate that although e-commerce websites are predominantly classified as hedonic system, the adoption of them by the mobility-impaired group is predominantly determined by perceived usefulness. This leads to the discussion if user characteristics in terms of physical capabilities and the needs they imply should be attached more importance to in IS adoption research

    Lessons Learned from an Information Security Incident: A Practical Recommendation to Involve Employees in Information Security

    With the increasingly negative impact of information security attacks, measures of information security, which address the weakest link in the information security chain, namely the employee, have become a necessity for today’s business world. One way to improve employees’ - yet limited - information security awareness is to learn from past information security incidents. This study theoretically builds upon the so called involvement theory to extend the existing research on information security awareness. Insights gained from 34 interviews suggest that involvement accompanied with a detailed review of past security incidents has a positive effect on staff’s information security awareness. Employees, directly affected by an information security incident, gain significant information security expertise and knowledge which they can, again, share with their colleagues. Moreover, constructive team work in the light of information security risks as well as an adequate adjustment of security-related measures is fostered

    Security-Related Cynicism: Construct Development and Measurement

    The widespread belief that employees are the weakest link in organizational information security leads to exposing them to a myriad of security requirements (i.e., policies and technical controls). Motivated by prior research indicating that such requirements can also have adverse effects, we introduce the concept of security-related cynicism. Based on organizational literature on employee cynicism, we develop a multidimensional construct including three key targets of employees’ security-related cynicism – the people responsible for information security, the employed security technologies, and the information security policies in use. We present our initial development of security-related cynicism by conceptualizing the construct, generating items from literature, and assessing the items’ content validity. By conducting a pretest and a main study, we plan to empirically validate a construct that helps researchers and practitioners alike to measure employees’ cynical attitudes towards information security

    Does Your Smile Mean That You’re Happy? – a Multi-Channel Analysis of Emotional Reactions

    In Information Systems (IS) research, emotions are primarily measured using facial expressions of participants or self-reported survey results. To unite both measurement foci, we analyze the impact of facial emotional reactions to computer-induced stimuli on self-reported evaluations towards the respective stimulus by using a multi-method experimental approach with multi-channel analysis. We collected emotional expressions of happiness of 176 participants using eye-tracker and webcam technology together with a post-experimental survey. We contribute to IS research by supplementing self-reported measures of emotion with a physical emotional measure in response to a system’s feature, and by relating these measured emotional physical responses to individual behavior

    The CEP5 Peptide Promotes Abiotic Stress Tolerance, As Revealed by Quantitative Proteomics, and Attenuates the AUX/IAA Equilibrium in Arabidopsis.

    Peptides derived from non-functional precursors play important roles in various developmental processes, but also in (a)biotic stress signaling. Our (phospho)proteome-wide analyses of C-TERMINALLY ENCODED PEPTIDE 5 (CEP5)-mediated changes revealed an impact on abiotic stress-related processes. Drought has a dramatic impact on plant growth, development and reproduction, and the plant hormone auxin plays a role in drought responses. Our genetic, physiological, biochemical, and pharmacological results demonstrated that CEP5-mediated signaling is relevant for osmotic and drought stress tolerance in Arabidopsis, and that CEP5 specifically counteracts auxin effects. Specifically, we found that CEP5 signaling stabilizes AUX/IAA transcriptional repressors, suggesting the existence of a novel peptide-dependent control mechanism that tunes auxin signaling. These observations align with the recently described role of AUX/IAAs in stress tolerance and provide a novel role for CEP5 in osmotic and drought stress tolerance

    Security-Related Cynicism: A Double-Edged Sword?

    Employees are exposed to a great number of security requirements such as information security policies (ISPs) or technical controls. Motivated by prior research indicating that such requirements can also have adverse effects, we introduce the concept of security-related cynicism. Based on organizational literature on employee cynicism, we conceptualize security-related cynicism as a negative attitude with cognitive, affective, and behavioral components directed towards key targets of an organization’s information security ecosystem, i.e. the people responsible for information security, the employed security technologies, and ISPs in use. We present our initial development of security-related cynicism and integrate it in a model including psychological contract violation and in- and extra-role security behaviors (ISP compliance and voice). In doing so, we propose that cynical employees, though unwilling to follow ISPs unquestioningly, could also be the devil’s advocate and challenge ineffective ISPs by raising their voice, making security-related cynicism a double-edged sword for organizations