Prevention is better than cure! Designing information security awareness programs to overcome users' non-compliance with information security policies in banks

Bauer, Stefan, Bernroider, Edward, Chudzikowski, Katharina

17 April 2017

In organizations, users' compliance with information security policies (ISP) is crucial for minimizing information security (IS) incidents. To improve users' compliance, IS managers have implemented IS awareness (ISA) programs, which are systematically planned interventions to continuously transport security information to a target audience. The underlying research analyzes IS managers' efforts to design effective ISA programs by comparing current design recommendations suggested by scientific literature with actual design practices of ISA programs in three banks. Moreover, this study addresses how users perceive ISA programs and related implications for compliant IS behavior. Empirically, we utilize a multiple case design to investigate three banks from Central and Eastern Europe. In total, 33 semi-structured interviews with IS managers and users were conducted and internal materials of ISA programs such as intranet messages and posters were also considered. The paper contributes to IS compliance research by offering a comparative and holistic view on ISA program design practices. Moreover, we identified influences on users' perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. Finally, the study raises propositions regarding the relationship of ISA program designs and factors, which are likely to influence users' ISP compliance.

Personalising information security education

Talib, Shuhaili

January 2014

Whilst technological solutions go a long way in providing protection for users online, it has been long understood that the individual also plays a pivotal role. Even with the best of protection, an ill-informed person can effectively remove any protection the control might provide. Information security awareness is therefore imperative to ensure a population is well educated with respect to the threats that exist to one’s electronic information, and how to better protect oneself. Current information security awareness strategies are arguably lacking in their ability to provide a robust and personalised approach to educating users, opting for a blanket, one-size-fits-all solution. This research focuses upon achieving a better understanding of the information security awareness domain; appreciating the requirements such a system would need; and importantly, drawing upon established learning paradigms in seeking to design an effective personalised information security education. A survey was undertaken to better understand how people currently learn about information security. It focussed primarily upon employees of organisations, but also examined the relationship between work and home environments and security practice. The survey also focussed upon understanding how people learn and their preferences for styles of learning. The results established that some good work was being undertaken by organisations in terms of security awareness, and that respondents benefited from such training – both in their workplace and also at home – with a positive relationship between learning at the workplace and practise at home. The survey highlighted one key aspect for both the training provided and the respondents’ preference for learning styles. It varies. It is also clear, that it was difficult to establish the effectiveness of such training and the impact upon practice. The research, after establishing experimentally that personalised learning was a viable approach, proceeded to develop a model for information security awareness that utilised the already successful field of pedagogy and individualised learning. The resulting novel framework “Personalising Information Security Education (PISE)” is proposed. The framework is a holistic approach to solving the problem of information security awareness that can be applied both in the workplace environment and as a tool for the general public. It does not focus upon what is taught, but rather, puts into place the processes to enable an individual to develop their own information security personalised learning plan and to measure their progress through the learning experience.

005.8

The antecedents of information security policy compliance

Bulgurcu, Burcu

11 1900

Information security is one of the major challenges for organizations that critically depend on information systems to conduct their businesses. Ensuring safety of information and technology resources has become the top priority for many organizations since the consequences of failure can be devastating. Many organizations recognize that their employees, who are often considered as the weakest link in information security, can be a great resource as well to fight against information security-related risks. The key, however, is to ensure that employees comply with information security related rules and regulations of the organization. Therefore, understanding of compliance behavior of an employee is crucial for organizations to effectively leverage their human capital to strengthen their information security. This research aims at identifying antecedences of an employee’s compliance with the information security policy (ISP) of his/her organization. Specifically, we address how employees without any malicious intent choose to comply with requirements of the ISP with regards to protecting the information and technology resources of their organizations. Drawing on the Theory of Planned Behavior, we show an employee’s attitude towards compliance results in his/her intention to comply with the ISP. Of those, Benefit of Compliance and Cost of Non-Compliance are shown to be shaped by positive and negative reinforcing factors; such as, Intrinsic Benefit, Safety of Resources, Rewards and Intrinsic Cost, Vulnerability of Resources, and Sanctions, respectively. We also investigate the role of information security awareness on an employee’s ISP compliance behavior. As expected, we show that information security awareness positively influences attitude towards compliance. We also show that information security awareness positively influences the perception of reinforcing factors and negatively increases perception of the Cost of Compliance. As organizations strive to get their employees to follow their information security rules and regulations, our study sheds light on the role of an employee’s information security awareness and his/her beliefs about the rationality of compliance and non-compliance with the ISP.

Information security awareness

Information security management

Information security behavioral Issues

The antecedents of information security policy compliance

Bulgurcu, Burcu

11 1900

Information security is one of the major challenges for organizations that critically depend on information systems to conduct their businesses. Ensuring safety of information and technology resources has become the top priority for many organizations since the consequences of failure can be devastating. Many organizations recognize that their employees, who are often considered as the weakest link in information security, can be a great resource as well to fight against information security-related risks. The key, however, is to ensure that employees comply with information security related rules and regulations of the organization. Therefore, understanding of compliance behavior of an employee is crucial for organizations to effectively leverage their human capital to strengthen their information security. This research aims at identifying antecedences of an employee’s compliance with the information security policy (ISP) of his/her organization. Specifically, we address how employees without any malicious intent choose to comply with requirements of the ISP with regards to protecting the information and technology resources of their organizations. Drawing on the Theory of Planned Behavior, we show an employee’s attitude towards compliance results in his/her intention to comply with the ISP. Of those, Benefit of Compliance and Cost of Non-Compliance are shown to be shaped by positive and negative reinforcing factors; such as, Intrinsic Benefit, Safety of Resources, Rewards and Intrinsic Cost, Vulnerability of Resources, and Sanctions, respectively. We also investigate the role of information security awareness on an employee’s ISP compliance behavior. As expected, we show that information security awareness positively influences attitude towards compliance. We also show that information security awareness positively influences the perception of reinforcing factors and negatively increases perception of the Cost of Compliance. As organizations strive to get their employees to follow their information security rules and regulations, our study sheds light on the role of an employee’s information security awareness and his/her beliefs about the rationality of compliance and non-compliance with the ISP.

Information security awareness

Information security management

Information security behavioral Issues

The antecedents of information security policy compliance

Bulgurcu, Burcu

11 1900

Information security is one of the major challenges for organizations that critically depend on information systems to conduct their businesses. Ensuring safety of information and technology resources has become the top priority for many organizations since the consequences of failure can be devastating. Many organizations recognize that their employees, who are often considered as the weakest link in information security, can be a great resource as well to fight against information security-related risks. The key, however, is to ensure that employees comply with information security related rules and regulations of the organization. Therefore, understanding of compliance behavior of an employee is crucial for organizations to effectively leverage their human capital to strengthen their information security. This research aims at identifying antecedences of an employee’s compliance with the information security policy (ISP) of his/her organization. Specifically, we address how employees without any malicious intent choose to comply with requirements of the ISP with regards to protecting the information and technology resources of their organizations. Drawing on the Theory of Planned Behavior, we show an employee’s attitude towards compliance results in his/her intention to comply with the ISP. Of those, Benefit of Compliance and Cost of Non-Compliance are shown to be shaped by positive and negative reinforcing factors; such as, Intrinsic Benefit, Safety of Resources, Rewards and Intrinsic Cost, Vulnerability of Resources, and Sanctions, respectively. We also investigate the role of information security awareness on an employee’s ISP compliance behavior. As expected, we show that information security awareness positively influences attitude towards compliance. We also show that information security awareness positively influences the perception of reinforcing factors and negatively increases perception of the Cost of Compliance. As organizations strive to get their employees to follow their information security rules and regulations, our study sheds light on the role of an employee’s information security awareness and his/her beliefs about the rationality of compliance and non-compliance with the ISP. / Business, Sauder School of / Graduate

Information security awareness

Information security management

Information security behavioral Issues

The establishment of a mobile phone information security culture: linking student awareness and behavioural intent

Bukelwa, Ngoqo

January 2014

The information security behaviour of technology users has become an increasingly popular research area as security experts have come to recognise that while securing technology by means of firewalls, passwords and offsite backups is important, such security may be rendered ineffective if the technology users themselves are not information security conscious. The mobile phone has become a necessity for many students but, at the same time, it exposes them to security threats that may result in a loss of information. Students in developing countries are at a disadvantage because they have limited access to information relating to information security threats, unlike their counterparts in more developed societies who can readily access this information from sources like the Internet. The developmental environment is plagued with challenges like access to the Internet or limited access to computers. The poor security behaviour exhibited by student mobile phone users, which was confirmed by the findings of this study, is of particular interest in the university context as most undergraduate students are offered a computer-related course which covers certain information security-related principles. During the restructuring of the South African higher education system, smaller universities and technikons (polytechnics) were merged to form comprehensive universities. Thus, the resultant South African university landscape is made up of traditional and comprehensive universities as well as universities of technology. Ordinarily, one would expect university students to have similar profiles. However in the case of this study, the environment was a unique factor which had a direct impact on students’ learning experiences and learning outcomes. Mbeki (2004) refers to two economies within South Africa the first one is financially sound and globally integrated, and the other found in urban and rural areas consists of unemployed and unemployable people who do not benefit from progress in the first economy. Action research was the methodological approach which was chosen for the purposes of this study to collect the requisite data among a population of university students from the ‘second economy’. The study focuses on the relationship between awareness and behavioural intention in understanding mobile phone user information security behaviour. The study concludes by proposing a behaviour profile forecasting framework based on predefined security behavioural profiles. A key finding of this study is that the security behaviour exhibited by mobile phone users is influenced by a combination of information security awareness and information security behavioural intention, and not just information security awareness.

Information safety

Olika perspektiv på informationssäkerhet : En fallstudie på ett universitet

Wallin, Emma, Andersson, Ellinor

January 2022

Utbildningssektorn har sedan en tid tillbaka varit extra utsatt för cyberattacker, dels på grund av dess öppna nätverk och det stora antalet användare, men ofta också på grund av ett bristande informationssäkerhetsarbete (Wood 2014). Syftet med uppsatsen är att undersöka vad ett svenskt universitet och dess anställda har för uppfattning av informationssäkerhet samt om och i så fall hur dessa syner skiljer sig åt. Det med hjälp av teorin Technological frames (Orlikowski & Gash 1994). I studien har sex anställda och enheten för informationssäkerhet på universitetet intervjuats. Författarna har även utfört en deltagande observation vid en internutbildning i informationssäkerhet. Resultaten visar att de två grupperna bland annat har en samsyn om att människan är det största hotet för infektioner och attacker, att information i olika former är viktig att skydda, att den fysiska säkerheten samt lösenord är viktiga, att organisationen måste hitta en lagom nivå av informationssäkerhet och att ansvar för informationssäkerhetsutbildning för anställda främst ligger hos organisationen men att det trots allt också finns ett ansvar hos individen att själv ta reda på information. Det förelåg olika syner på huruvida phishing-mejl skulle raderas direkt eller rapporteras och vilka kommunikationsvägar som bör användas mellan enheten för informationssäkerhet och de anställda. De anställda hade dessutom en snävare syn på vad informationssäkerhet är jämfört med enheten för informationssäkerhet. / The education sector has recently been particularly exposed to cyber attacks, partly due to its open networks and the large number of users, but also due to a lack of information security (Wood 2014). The purpose of the thesis is to investigate what image a Swedish university and its employees have of information security and if these views differ, and in that case how. This study draws on the theory Technological frames (Orlikowski & Gash 1994). In the study, six employees and the information security unit at the university were interviewed. We also per­formed participatory observation during an internal course in information security. The results show that the two groups agree that humans are the biggest threat when it comes to cyber at­tacks, that information in various forms is important to protect, that physical security and pass­words are important, that the organization must find a reasonable level of information security and that the organization should have the primary responsibility for information security train­ing for employees, but that individuals also have a responsibility. There were different views on whether phishing emails should be deleted directly or reported. The views differ when it comes to which communication channels should be used between the unit of information secu­rity and the employees. The employees also had a narrower view of what information security is compared to the unit for information security.

Information security

Information Security Awareness

ISA

Information Security Training

IST

Technological frames

Informationssäkerhet

Information Security Awareness

ISA

Information Security Training

IST

Technological frames

Information Systems

Information Security Awareness amongst students : A study about information security awareness at universities

Lund, Per

January 2018

In the era of information, it has become vital for companies to make sure that their information is properly protected. They are therefore, willing to spend large amounts of resources on protecting their information. This can usually be done in a large variety of ways. The root of information security is first and foremost, having policies that regulate how information security is upheld. And secondly, by teaching employees proper practice of information security. These are however procedures that are not all that common in a university environment, and even more so in relation to students.   In order to explore this phenomenon further, an exploratory study have been carried out to find more information on the subject. This has been done in several ways in order to grasp as much information as possible. Firstly, by doing a literary study to find out what is already known within the field of information security in regard to students. Secondly, by doing a quantitative study that evaluates the student’s information security awareness. And lastly, by conducting an interview with a member of staff at a university to find out their attitude towards the phenomenon.    The thesis concludes by suggesting how universities might want to handle information security in relationship to students.

Information security awareness

information security

students

University

Information Systems

Mikroträning som utbildningsmetod inom informationssäkerhet / Micro training as a education approach in information security

Skärgård, Marie

January 2017

Cyberbrott har idag blivit en multimiljard-industri och det utövas mer och mer sofistikerade attacker där människan är måltavlan. Det är därför dags att ta utbildning och träning inom informationssäkerhet till en ny nivå. Detta för att skapa högre grad av medvetenhet gällande säkerhetsrisker. Det finns redan fungerande metoder, men bara för de som är motiverade att lära sig. Detta arbete har undersökt hur mikroträning uppfattas som utbildningsmetod inom informationssäkerhet. En studie som utförts med hjälp av både kvalitativa och kvantitativa metoder. Mikroträningsmaterial har tagits fram i form av videoklipp som på ett kort, koncist och konkret sätt presenterar olika områden inom informationssäkerhet på 60 sekunder. Dessa har sedan utvärderats av 198 subjekt i en enkätundersökning där subjektens attityd både till materialet och till mikroträning som koncept har analyserats. Studiens resultat visar att mikroträning är en uppskattad metod för att träna och lära ut specifika områden inom informationssäkerhet. Denna studie ska bidra till ett framtida forskningsprojekt som vill undersöka om mikroträning i den stund som användaren behöver den kommer bidra till högre grad av informationssäkerhetsmedvetenhet. Detta för att se om medvetenhetsträningen ger den eftersträvade effekt som önskas, att klokare och säkrare beslut fattas i en riskfylld situation. / Cybercrime has become a multimillion industry and it is practicing more and more sophisticated attacks where the human is the main target. Thus it is time to take education and training in information security to a new level, to create a higher degree of awareness about security risks. There are already working methods, but only for those who are motivated to learn. This work has investigated how micro training is perceived as an education method of information security, a study conducted using both qualitative and quantitative methods. Micro training material has been developed in the form of video clips that briefly, concisely and concretely present various areas of information security in 60 seconds. These have been evaluated by 198 subjects in a questionnaire survey where the subject's attitude to the material and micro training as concept has been analysed. The study's findings show that micro training is an appreciated method for training and learning specific areas of information security. This study will contribute to a future research project that wants to investigate whether micro training in the moment the user needs it will contribute a greater degree of information security awareness. This to see whether awareness training will provide the desired effect, that a wiser and safer decision is made in a risky situation.

information security

information security awareness

micro training

informationssäkerhet

informationssäkerhetsmedvetenhet

mikroträning

Information Systems

Establishing an information security awareness and culture

Korovessis, Peter

January 2015

In today’s business environment all business operations are enabled by technology. Its always on and connected nature has brought new business possibilities but at the same time has increased the number of potential threats. Information security has become an established discipline as more and more businesses realize its value. Many surveys have indicated the importance of protecting valuable information and an important aspect that must be addressed in this regard is information security awareness. The human component has been recognized to have an important role in information security since the only way to reduce security risks is through making employees more information security aware. This also means that employees take responsibility of their actions when dealing with information in their everyday activities. The research is concentrated mainly on information security concepts alongside their relation to the human factor with evidence that users remain susceptible to information security threats, thus illustrating the need for more effective user training in order to raise the level of security awareness. Two surveys were undertaken in order to investigate the potential of raising security awareness within existing education systems by measuring the level of security awareness amongst the online population. The surveys analyzed not only the awareness levels and needs of students during their study and their preparation towards entering the workforce, but also whether this awareness level changes as they progress in their studies. The results of both surveys established that the awareness level of students concerning information security concepts is not at a sufficient level for students entering university education and does not significantly change as they progress their academic life towards entering the workforce. In respect to this, the research proposes and develops the information security toolkit as a prototype awareness raising initiative. The research goes one step further by piloting and evaluating toolkit effectiveness. As an awareness raising method, the toolkit will be the basis for the general technology user to understand the challenges associated with secure use of information technology and help him assess its current knowledge, identify lacks and weaknesses and acquire the required knowledge in order to be competent and confident users of technology.

005.8