A design theory for information security awareness

Puhakainen, P. (Petri)

01 August 2006

Abstract When implementing their information security solutions organizations have typically focused on technical and procedural security measures. However, from the information systems (IS) point of view, this is not enough: effective IS security requires that users are aware of and use the available security measures as described in their organizations' information security policies and instructions. Otherwise, the usefulness of the security measures is lost. The research question of this thesis is to explore how IS users' compliance with IS security policies and instructions can be improved. Solving this research question is divided into two steps. Since there is a lack of a comprehensive review of existing IS security awareness approaches, the first step aims at reviewing the existing IS security awareness approaches. This kind of analysis is useful for practitioners as they do not necessarily have the time to go through a large body of literature. For scholars, such an analysis shows what areas of IS security awareness have been studied, and to where the need for future research is of greatest importance. The second step in this dissertation is to address the shortcomings detected by the analysis by developing three novel design theories for improving IS users' security behavior: (1) IS security awareness training, (2) IS security awareness campaigns, and (3) punishment and reward. These design theories aim to help practitioners to develop their own IS security awareness approaches. Finally, testing of the design theory for IS security awareness training (1) in two action research interventions is described. The results of the interventions suggest that this design theory provides a useful and applicable means for developing a training program in organizations. In addition, the results provide empirically evaluated information regarding the obstacles to user compliance with IS security policies and instructions. In the action research studies described, the goal was to solve practical problems experienced by the host organizations and to understand them and the results achieved from the viewpoint of theory. Consequently, the results as such can not be generalized, but they are of use in the host organizations in planning and delivering subsequent IS security awareness training programs. In addition, the results are utilizable in similar organizations as a point of departure in planning IS security awareness training programs.

information systems security

information systems security - awareness

information systems security - training

Improving employees’ information systems (IS) security behavior:toward a meta-theory of IS security training and a new framework for understanding employees' IS security behavior

Karjalainen, M. (Mari)

18 October 2011

Abstract Employee non-compliance with information systems (IS) security procedures is a key concern for organizations. However, even though the importance of having effective IS security training is widely acknowledged by scholars and practitioners, the existing literature does not offer an understanding of the elementary characteristics of IS security training, nor does it explain how these elementary characteristics shape IS security training principles in practice. To this end, this thesis develops a theory that suggests that IS security training has certain elementary characteristics that separate it from other forms of training, and sets a fundamental direction for IS security training practices. Second, the theory defines four pedagogical requirements for designing IS security training approaches. Then it points out that no existing IS security training approaches meet all these requirements. To address these shortcomings, the way in which to design an IS security training approach that meets all these requirements is demonstrated. In this thesis it is also argued that, along with an effective IS security training approach, reasons for employees’ IS security behavior need to be understood. The existing empirical research in the field of employees’ IS security behavior is dominated by theory-verification studies that test well-known theories developed in other fields in the context of IS security. Instead, it is argued that there is a need to focus the investigation on the phenomenon of employees’ compliance itself through an inductive and qualitative approach to complement the existing body of knowledge of this topic. As a result, a framework identifying reasons associated with compliance/non-compliance with security procedures is developed. A particularly interesting finding is that individuals’ violation of IS security procedures depends on the type of violation. Besides advancing a meta-theory for IS security training and developing the theoretical framework that points out reasons for employees’ IS security behavior, the thesis provides a future research agenda for IS security training and behavior. For practitioners, this thesis points out the limitations of the previous IS security training approaches and reasons for IS security behavior and, based on these observations, offers principles for designing effective IS security training approaches in practice. / Tiivistelmä Yhtenä keskeisenä ongelmana organisaatioissa pidetään sitä, että työntekijät laiminlyövät organisaation tietoturvakäytäntöjä. Vaikka tutkijat ja organisaatiot ovat tunnistaneet tietoturvakoulutuksen tärkeyden, olemassa oleva kirjallisuus ei tuo esiin tietoturvakoulutuksen perusominaisuuksia ja niiden asettamia vaatimuksia käytännön tietoturvakoulutukselle. Tässä väitöskirjassa kehitetään kolmitasoinen meta-teoria, joka huomioi nämä aikaisemmasta tietoturvakoulutusta käsittelevästä kirjallisuudesta puuttuvat kysymykset. Teorian ensimmäisellä tasolla määritellään tietoturvakoulutuksen perusominaisuudet, jotka erottavat sen muista koulutusmuodoista ja ohjaavat tietoturvakoulutuksen toteuttamista käytännössä. Teorian toisella tasolla määritellään neljä pedagogista vaatimusta tietoturvakoulutuksen suunnitteluun. Lisäksi kirjallisuusanalyysin perusteella osoitetaan, että olemassa oleva tietoturvakoulutusta käsittelevä kirjallisuus ei täytä kaikkia näitä vaatimuksia. Teorian kolmannella tasolla esitetään käytännön esimerkki siitä, kuinka tietoturvakoulutus voi täyttää tutkimuksessa määritellyt pedagogiset vaatimukset. Väitöskirjassa esitetään myös, että tehokkaan koulutusmenetelmän lisäksi on tärkeää ymmärtää työntekijöiden tietoturvakäyttäytymistä. Aikaisemmin tällä alueella on pääasiassa testattu muiden tieteenalojen teorioita tietoturvakontekstissa. Tässä väitöskirjassa sen sijaan tarkastellaan työntekijöiden tietoturvakäyttäytymisen syitä induktiivisen ja laadullisen tutkimusmenetelmän avulla. Tutkimuksen tuloksena kehitetään teoreettinen viitekehys, jonka avulla analysoidaan työntekijöiden tietoturvakäyttäytymistä. Tutkimuksen päätuloksena osoitetaan, kuinka tietoturvakäyttäytymiseen syyt eroavat rikkomustyypeittäin. Tietoturvakoulutuksen suunnittelua tukevan meta-teorian ja työntekijöiden tietoturvakäyttäytymistä selittävän teoreettisen viitekehyksen lisäksi väitöskirjassa esitetään uusia näkökulmia tietoturvakoulutuksen ja tietoturvakäyttäytymisen tutkimukselle. Käytännön tietoturva-ammattilaisille väitöskirja selventää olemassa olevien tietoturvakoulutuksen lähestymistapojen puutteita ja syitä työntekijöiden tietoturvakäyttäytymiselle. Näihin havaintoihin perustuen väitöskirjassa esitetään tekijöitä, joita tietoturvakoulutuksessa tulisi käytännössä ottaa huomioon.

information systems security

information systems security behavior

information systems security training

learning paradigms

oppimisparadigmat

tietoturva

tietoturvakoulutus

tietoturvakäyttäytyminen

Establishing an information security culture in organizations : an outcomes based education approach

Van Niekerk, Johannes Frederick

January 2005

Information security is crucial to the continuous well-being of modern orga- nizations. Humans play a signfiicant role in the processes needed to secure an organization's information resources. Without an adequate level of user co-operation and knowledge, many security techniques are liable to be misused or misinterpreted by users. This may result in an adequate security measure becoming inadequate. It is therefor necessary to educate the orga- nization's employees regarding information security and also to establish a corporate sub-culture of information security in the organization, which will ensure that the employees have the correct attitude towards their security responsibilities. Current information security education programs fails to pay su±cient attention to the behavioral sciences. There also exist a lack of knowledge regarding the principles, and processes, that would be needed for the establishment of an corporate sub-culture, specific to information security. Without both the necessary knowledge, and the desired attitude amongst the employee, it will be impossible to guarantee that the organi- zation's information resources are secure. It would therefor make sense to address both these dimensions to the human factor in information security, using a single integrated, holistic approach. This dissertation presents such an approach, which is based on an integration of sound behavioral theories.

Computer security

Competency-based education

MISSTEV : model for information security shared tacit espoused values

Thomson, Kerry-Lynn

January 2007

One of the most critical assets in most organisations is information. It is often described as the lifeblood of an organisation. For this reason, it is vital that this asset is protected through sound information security practices. However, the incorrect and indifferent behaviour of employees often leads to information assets becoming vulnerable. Incorrect employee behaviour could have an extremely negative impact on the protection of information. An information security solution should be a fundamental component in most organisations. It is, however, possible for an organisation to have the most comprehensive physical and technical information security controls in place, but the operational controls, and associated employee behaviour, have not received much consideration. Therefore, the issue of employee behaviour must be addressed in an organisation to assist in ensuring the protection of information assets. The corporate culture of an organisation is largely responsible for the actions and behaviour of employees. Therefore, to address operational information security controls, the corporate culture of an organisation should be considered. To ensure the integration of information security into the corporate culture of an organisation, the protection of information should become part of the way the employees conduct their everyday tasks – from senior management, right throughout the entire organisation. Therefore, information security should become an integral component of the corporate culture of the organisation. To address the integration of information security into the corporate culture of an organisation, a model was developed which depicted the learning stages and modes of knowledge creation necessary to transform the corporate culture into one that is information security aware.

Computer security -- Management

Data protection

General Deterrence Theory: Assessing Information Systems Security Effectiveness in Large versus Small Businesses

Schuessler, Joseph H.

05 1900

This research sought to shed light on information systems security (ISS) by conceptualizing an organization's use of countermeasures using general deterrence theory, positing a non-recursive relationship between threats and countermeasures, and by extending the ISS construct developed in prior research. Industry affiliation and organizational size are considered in terms of differences in threats that firms face, the different countermeasures in use by various firms, and ultimately, how a firm's ISS effectiveness is affected. Six information systems professionals were interviewed in order to develop the appropriate instruments necessary to assess the research model put forth; the final instrument was further refined by pilot testing with the intent of further clarifying the wording and layout of the instrument. Finally, the Association of Information Technology Professionals was surveyed using an online survey. The model was assessed using SmartPLS and a two-stage least squares analysis. Results indicate that a non-recursive relationship does indeed exist between threats and countermeasures and that countermeasures can be used to effectively frame an organization's use of countermeasures. Implications for practitioners include the ability to target the use of certain countermeasures to have desired effects on both ISS effectiveness and future threats. Additionally, the model put forth in this research can be used by practitioners to both assess their current ISS effectiveness as well as to prescriptively target desired levels of ISS effectiveness.

countermeasures

Information systems security

threats

risk assessment

Computer networks -- Security measures.

Computer security.

Developing a Risk Management System for Information Systems Security Incidents

Farahmand, Fariborz

22 November 2004

The Internet and information systems have enabled businesses to reduce costs, attain greater market reach, and develop closer business partnerships along with improved customer relationships. However, using the Internet has led to new risks and concerns. This research provides a management perspective on the issues confronting CIOs and IT managers. It outlines the current state of the art of information security, the important issues confronting managers, security enforcement measure/techniques, and potential threats and attacks. It develops a model for classification of threats and control measures. It also develops a scheme for probabilistic evaluation of the impact of security threats with some illustrative examples. It involves validation of information assets and probabilities of success of attacks on those assets in organizations and evaluates the expected damages of these attacks. The research outlines some suggested control measures and presents some cost models for quantifying damages from these attacks and compares the tangible and intangible costs of these attacks. This research also develops a risk management system for information systems security incidents in five stages: 1- Resource and application value analysis, 2- Vulnerability and risk analysis, 3- Computation of losses due to threats and benefits of control measures, 4- Selection of control measures, and 5- Implementation of alternatives. The outcome of this research should help decision makers to select the appropriate control measure(s) to minimize damage or loss due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations.

Business

Information systems

Risk

Security

Actual and Perceived Information Systems Security

Oscarson, Per

January 2007

As the Internet becomes the major information infrastructure in most sectors, the importance of Information Systems (IS) security steadily increases. While reaching a certain level of actual IS security is vital for most businesses, this level must also be perceived as acceptable by stakeholders. Businesses have to maintain a certain level of security and be able to assess the level of other actors’ security. IS security is abstract and complex, however, and difficult to estimate and measure. This thesis uses epistemic and ontological frameworks to study the conceptual nature of IS security and separate the concepts of actual and perceived IS security. A well-known event is used to illustrate the conceptual discussion: the Sasser worm that was spread around the world in 2004. This study also includes a smaller case study from the City of Stockholm, where about 4,000 computers were infected by Sasser. The outcome of the study is that actual IS security should be treated as a dynamic condition that is influenced by three different objects: information assets, threat objects and security mechanisms. Incidents are processes that are ruled by the conditions of these three objects and affect the states of confidentiality, integrity and availability of information assets. The concepts of threat, risk and trust remain at epistemic level, i.e. perceptions. Perceptions of IS security can differ depending on their social establishment and are classified as subjective judgements, inter-subjective judgements or institutional facts. While actual IS security conditions can influence actors’ perceptions of IS security, perceived IS security can also influence actual IS security.

Information systems security

IS security

IT security

Information security

Actual and perceived

Information science

Informationslära

A framework for information security governance in SMMEs

Coertze, Jacques Jacobus

January 2012

It has been found that many small, medium and micro-sized enterprises (SMMEs) do not comply with sound information security governance principles, specifically the principles involved in drafting information security policies and monitoring compliance, mainly as a result of restricted resources and expertise. Research suggests that this problem occurs worldwide and that the impact it has on SMMEs is great. The problem is further compounded by the fact that, in our modern-day information technology environment, many larger organisations are providing SMMEs with access to their networks. This results not only in SMMEs being exposed to security risks, but the larger organisations as well. In previous research an information security management framework and toolbox was developed to assist SMMEs in drafting information security policies. Although this research was of some help to SMMEs, further research has shown that an even greater problem exists with the governance of information security as a result of the advancements that have been identified in information security literature. The aim of this dissertation is therefore to establish an information security governance framework that requires minimal effort and little expertise to alleviate governance problems. It is believed that such a framework would be useful for SMMEs and would result in the improved implementation of information security governance.

Computer networks -- Security measures

Utilizing the Technology Acceptance Model to Assess Employee Adoption of Information Systems Security Measures

Jones, Cynthia

16 September 2009

Companies are increasing their investment in technologies to enable better access to information and to gain a competitive advantage. Global competition is driving companies to reduce costs and enhance productivity, increasing their dependence on information technology. Information is a key asset within an organization and needs to be protected. Expanded connectivity and greater interdependence between companies and consumers has increased the damage potential of a security breach to a company's information systems. Improper unauthorized use of computer systems can create a devastating financial loss even to the point of causing the organization to go out of business. It is critically important to understand what causes users to understand, accept and to follow the organization's information systems security measures so that companies can realize the benefits of their technological investments. In the past several years, computer security breaches have stemmed from insider misuse and abuse of the information systems and non-compliance to the information systems security measures. The purpose of this study was to address the factors that affect employee acceptance of information systems security measures. The Technology Acceptance Model was extended and served as the theoretical framework for this study to examine the factors that affect employee adoption of information systems security measures. The research model included three independent dimensions, perceived ease of use, perceived usefulness and subjective norm. These constructs were hypothesized to predict intention to use information systems security measures, moderated by management support affecting subjective norm. Five hypotheses were posited. A questionnaire was developed to collect data from employees across multiple industry segments to test these hypotheses. Partial least squares statistical methodology was used to analyze the data and to test the hypotheses. The results of the statistical analysis supported three of the five hypotheses with subjective norm and management support showing the strongest effect on intention to use information systems security measures. Few studies have used TAM to study acceptance of systems in a mandatory environment and to specifically examine the employee acceptance of computer information systems security measures. This study, therefore, adds to the body of knowledge. Further, it provides important information for senior management and security professionals across multiple industries regarding the need to develop security policies and processes and to effectively communicate them throughout the organization and to design these measures to promote their use by employees in the organization.

Information Systems Security

Mandatory environment

Partial Least Squares

structural equation modeling

Technology Acceptance Model

Business

Towards an aligned South African National Cybersecurity Policy Framework

Chigada, Joel

22 August 2023

This thesis measured and aligned factors that contribute to the misalignment of the South African National Cybersecurity Policy Framework (SA-NCPF). The exponential growth rate of cyber-attacks and threats has caused more headaches for cybersecurity experts, law enforcement agents, organisations and the global business economy. The emergence of the global Corona Virus Disease-2019 has also contributed to the growth of cyber-attacks and threats thus, requiring concerted efforts from everyone in society to devise appropriate interventions that mitigate unacceptable user behaviour in the reality of cyberspace. In this study, various theories were identified and pooled together into an integrative theoretical framework to provide a better understanding of various aspects of the law-making process more comprehensively. The study identified nine influencing factors that contributed to misalignment of the South African National Cybersecurity Policy Framework. These influencing factors interact with each other continuously producing complex relationships, therefore, it is difficult to measure the degree of influence of each factor, hence the need to look at and measure the relationships as Gestalts. Gestalts view individual interactions between pairs of constructs only as a part of the overall pattern. Therefore, the integrative theoretical framework and Gestalts approach were used to develop a conceptual framework to measure the degree of alignment of influencing factors. This study proposed that the stronger the coherence among the influencing factors, the more aligned the South African National Security Policy Framework. The more coherent the SA-NCPF is perceived, the greater would be the degree of alignment of the country's cybersecurity framework to national, regional and global cyberlaws. Respondents that perceived a strong coherence among the elements also perceived an effective SA-NCPF. Empirically, this proposition was tested using nine constructs. Quantitative data was gathered from respondents using a survey. A major contribution of this study was that it was the first attempt in South Africa to measure the alignment of the SA-NCPF using the Gestalts approach as an effective approach for measuring complex relationships. The study developed the integrative theoretical framework which integrates various theories that helped to understand and explain the South African law making process. The study also made a significant methodological contribution by adopting the Cluster-based perspective to distinguish, describe and predict the degree of alignment of the SA-NCPF. There is a dearth of information that suggests that past studies have adopted or attempted to address the challenge of alignment of the SA-NCPF using the cluster-based and Gestalts perspectives. Practical implications from the study include a review of the law-making process, skills development strategy, a paradigm shift to address the global Covid-19 pandemic and sophisticated cybercrimes simultaneously. The study asserted the importance of establishing an independent cybersecurity board comprising courts, legal, cybersecurity experts, academics and law-makers to provide cybersecurity expertise and advice. From the research findings, government and practitioners can draw lessons to review the NCPF to ensure the country develops an effective national cybersecurity strategy. Limitations and recommendations for future research conclude the discussions of this study.

Alignment

Cybercrime

Cyberlaws

Cybersecurity

Information Systems Security

National Cybersecurity Policy Framework