Strong Intents Against Weak Links : Towards a Holistic Integration of Behavioral Information Security in Organizations with Strategic Intent

Koller, Teresa Marie, Ljung, Migle

January 2021

The human factor has been detected as the weakest link in the information security of organizations. Methods like training and awareness programs and the implementation of security policies have been developed, but they still seem to be less effective than desired. Authors have suggested integrating information security more holistically in organizations. In this study we discuss how strategic intent can influence an information security culture and improve information security behavior, thereby strengthening the weakest link. This thesis aims to develop a conceptual framework for organizations to integrate behavioral information security holistically with strategic intent. This thesis is based on a qualitative study with an abductive approach consisting of nine exploratory, semi-structured interviews. This way we could find today’s most prominent factors that might reinforce information security behavior in organizations and discuss the interrelations among those factors together with their potential facilitators and barriers. To improve behavioral InfoSec holistically in organizations, strategic Intent and InfoSec culture are promising factors. All factors have clear interrelations, but also potential facilitators and barriers.

Information Security Behavior

Information Security Culture

Strategic Intent

Behavioral Information Security

Qualitative Study

Business Administration

Företagsekonomi

Shaping information security behaviors related to social engineering attacks

Rocha Flores, Waldo

January 2016

Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency of IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis. The contribution of this thesis includes (i) an instrument to measure security behaviors and its multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of what behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization. This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Paper 2 and 3 describes how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Paper 5 and 8 describes how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Paper 6 and 7 describes experiments performed to understand reason to why employees fall for social engineering. Finally, paper 2, 5 and 6 examines the moderating effect of national culture. / <p>QC 20160503</p>

Information security

Behavioral information security

Social engineering

Phishing

Measuring information security behaviors

Information security governance

Experiments

National culture

Mixed method research design

Quantitative methods