• Refine Query
  • Source
  • Publication year
  • to
  • Language
  • 6
  • 2
  • 1
  • Tagged with
  • 17
  • 17
  • 14
  • 10
  • 9
  • 6
  • 5
  • 4
  • 3
  • 3
  • 3
  • 3
  • 3
  • 3
  • 2
  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
1

Examining the Behavioral Intention of Individuals' Compliance with Information Security Policies

Brown, David A. 01 January 2017 (has links)
Target Corporation experienced an information security breach resulting in compromising customers' financial information. Management is responsible for implementing adequate information security policies that protect corporate data and minimize financial losses. The purpose of this experimental study was to examine the effect of a fear appeal communication on an individual's information security policy behavioral intention. The sample population involved information technology professionals randomly selected from the SurveyMonkey audience. A research model, developed using constructs from deterrence theory and protection motivation theory, became the structural model used for partial least squares-structural equation modeling (PLS-SEM) analysis of the survey response data, which indicated that self-efficacy was statistically significant. The remaining model variables, perceived threat vulnerability, perceived threat severity, response efficacy, informal sanction certainty, informal sanction severity, formal sanction certainty, and formal sanction severity, were not statistically significant. A statistically significant self-efficacy result could indicate confidence among the population to comply with information security policies. The nonsignificant results could indicate the fear appeal treatment did not motivate a change in behavior or information security policy awareness bias was introduced by selecting information technology professionals. Social change in information security could be achieved by developing an effective information security policy compliance fear appeal communication, which could change information security compliance behavior and contribute to securing the nation's critical cyber infrastructure and protecting data.
2

Employee and Organization Security Value Alignment Through Value Sensitive Security Policy Design

Solomon, Dianne Blitstein 05 September 2014 (has links)
Every member of the organization must be involved in proactively and consistently preventing data loss. Implementing a culture of security has proven to be a reliable method of enfranchising employees to embrace security behavior. However, it takes more than education and awareness of policies and directives to effect a culture of security. Research into organizational culture has shown that programs to promote organizational culture - and thus security behavior - are most successful when the organization's values are congruent with employee values. What has not been clear is how to integrate the security values of the organization and its employees in a manner that promotes security culture. This study extended current research related to values and security culture by applying Value Sensitive Design (VSD) methodology to the design of an end user security policy. Through VSD, employee and organizational security values were defined and integrated into the policy. In so doing, the study introduced the concept of value sensitive security policy (VSP) and identified a method for using VSPs to promote a culture of security. At a time when corporate values are playing such a public role in defining the organization, improving security by increasing employee-organization value congruence is both appealing and practical.
3

Investigating the Impact of Self-Control and Deterrents on Noncompliant Information Security Behavior

Chuma, Ramadhan 01 January 2012 (has links)
Employees' noncompliance with information security policy and rules is a serious impediment to the effectiveness of security programs in organizations. The extant information security studies have used General Deterrence Theory (GDT) to investigate noncompliant information security behavior, yet most of the findings have not been effective in practice due to a lack of strong theoretical underpinning. Neglecting criminal propensity of the potential perpetrator has been identified to be one of the theoretical weaknesses of GDT-based studies. Any attempt to explain noncompliant information security behavior in organizational context, demands a well grounded framework to explain why employees transgress information security policies and rules. The purpose of this study was to empirically investigate the link between self-control (criminal propensity), deterrence perceptions, and noncompliant information security behavior. Criminal propensity was operationalized using the three perspectives of self-control: personality trait, social bond, and self-generated inhibitions. This study then examined the influence of the three self-control variables on deterrence perceptions (certainty, severity, and celerity). Further, the study investigated the impact of deterrence perceptions on noncompliant information security behavior. Data collected from 421 employees in a Southern USA-based company was used to test the relationships between research model constructs using SPSS's Amos structural equation modeling software package. Results indicated that employees' perceptions on all three dimensions of deterrents were positively impacted by self-control based on self-generated inhibitions. The results also showed that only employees' perceptions on certainty of apprehension and celerity of punishment were positively impacted by social bond self-control. No significant relationships were established between deterrence perceptions and personality trait self-control. Further, employees' perceptions on certainty of apprehension and celerity of punishment were negatively associated with noncompliant information security behavior. The results also indicated that severity of punishment was not a significant predictor of noncompliant information security behavior. The uniqueness of this study provided evidence on the importance of incorporating criminal propensity in GDT-based studies. The current study also highlighted the importance of celerity of punishment dimension, which is highly neglected by GDT-based information security studies.
4

Ascertaining the Relationship between Security Awareness and the Security Behavior of Individuals

Grant, Gordon J. 01 January 2010 (has links)
Security threats caused by the inappropriate actions of the user continue to be a significant security problem within any organization. The purpose of this study was to continue the efforts of Katz by assessing the security behavior and practices of working professionals. Katz conducted a study that assessed whether the faculty and staff at Armstrong Atlantic State University had been performing the simple everyday practices and behavior necessary to avert insider threats to information security. Critical in understanding human behavior is in knowing how behavior varies across different groups or demographics. Because a user's behavior can be influenced by demographic groups, this study adapted Katz's study by examining the influence on the security behavior of four demographic groups identified by gender, age, education, and occupation. Like Katz, this study used a 5-point Likert scale quantitative self-administered, closed-ended questionnaire to assess the participants' security practices and behaviors. The questionnaire was developed in two sections: Section 1 used a binary scale to gather the participants' demographics data while Section 2 used a 5-point Likert scale to measure the participants' security behaviors. The sample population was derived from working professionals at the General Dynamic and Program Manager Advanced Amphibious Assault (GD & PM AAA) Facility in Woodbridge, Virginia. The total population at PM AAA Office was 288, of which 87 or 30% completed the survey. Results of the demographic survey indicate that (a) women were more security aware than their male counterparts, (b) younger participants were more security aware than their older counterparts, (c) participants who did not attend college were more security aware than their college-educated counterparts, and (d) participants in nontechnical positions were more security aware than their counterparts in technical positions. The results indicate that a relation exists between the participants' security behaviors and their levels of security awareness.
5

Users’ information systems (IS) security behavior in different contexts

Li, Y. (Ying) 09 October 2015 (has links)
Abstract Users’ information systems (IS) security behavior continuously draws attentions from scholars and practitioners. While previous studies usually focused on one context (e.g., employees’ compliance with IS security policies in an organizational context), little research has focused on the possible explanations for users’ IS security behavior if the context changes. To address this gap, this dissertation discusses the role of context in IS security behavior research. An analysis of the differences between the organizational context and the home context suggests a need to study users’ IS security behavior solely in a specific context, such as home. This study provides guidelines for applying and developing contextualized theories in IS security behavior research. Based on the guidelines, this dissertation includes two empirical studies. First, drawing on rational choice theory, it compares specific IS security behavior in two contexts: the work context (N = 210) and the personal context (N = 202). Second, drawing on stewardship theory, this dissertation develops a contextualized theory explaining employees’ IS security risk-taking behavior in the organizational context (N = 170). The findings of this dissertation show different explanations for users’ IS security behavior in different contexts and highlight the importance of taking context into account when doing IS security behavior research. The results of each empirical study provide both theoretical contributions to research as well as actionable advice to practice. / Tiivistelmä Tietokoneenkäyttäjien tietoturvakäyttäytyminen on jatkuvan kiinnostuksen kohteena niin tutkijoiden kuin käytännön ammatinharjoittajienkin keskuudessa. Aiempi tutkimus on keskittynyt tarkastelemaan tietoturvakäyttäytymistä yleensä yhdessä kontekstissa (esim. työntekijöiden tietoturvaohjeiden noudattaminen organisaatiokontekstissa), kun taas vähemmälle huomiolle on jäänyt se, kuinka kontekstin muuttuminen selittää tietoturvakäyttäytymistä. Tämä väitöskirja vastaa kyseiseen ongelmaan, sillä se käsittelee kontekstin roolia tietoturvakäyttäytymistutkimuksessa. Tutkimuksessa analysoidaan organisaatiokontekstin ja kotikontekstin eroja. Analyysi osoittaa, että on tarpeellista tutkia tietokoneen käyttäjien tietoturvakäyttäytymistä tietyissä konteksteissa, kuten esimerkiksi kotikontekstissa. Tutkimus tarjoaa ohjeita siihen, kuinka kontekstisidonnaisia teorioita sovelletaan ja kehitetään tietoturvakäyttäytymistutkimuksessa. Väitöskirja sisältää 2 empiiristä tutkimusta, jotka pohjautuvat edellä mainittuihin ohjeisiin. Ensimmäisessä vaiheessa tutkimuksessa sovelletaan rational choice -teoriaa, jonka pohjalta vertaillaan tiettyä tietoturvakäyttäytymistyyppiä 2 kontekstissa: työkonteksti<br clear="none"/> (N = 210) ja henkilökohtaisen käytön konteksti (N = 202). Toiseksi, tutkimus soveltaa stewardship -teoriaa ja kehittää siihen pohjautuen kontekstisidonnaisen teorian, joka selittää organisaation työntekijöiden käyttäytymistä liittyen tietoturvariskin ottamiseen<br clear="none"/> (N = 170). Väitöskirjan tutkimustulokset esittävät erilaisia selityksiä tietokoneen käyttäjien tie-toturvakäyttäytymiselle eri konteksteissa. Tutkimus korostaa sitä, kuinka tärkeää on ottaa konteksti huomioon tutkittaessa tietoturvakäyttäytymistä. Kummankin empiirisen tutkimuksen tulokset tarjoavat teoreettisen kontribuution lisäksi käytännöllisiä neuvoja tietoturvan toteuttamiseen.
6

The Role of Self-Efficacy in Computer Security Behavior: Developing the Construct of Computer Security Self-Efficacy (CSSE)

Clarke, Marlon Renese 01 January 2011 (has links)
As organizations have become more dependent on networked information systems (IS) to conduct their business operations, their susceptibility to various threats to information security has also increased. Research has consistently identified the inappropriate security behavior of the users as the most significant of these threats. Various factors have been identified as contributing to these inappropriate security behaviors, however, not enough is known about the role of social factors in mediating these behaviors. This study developed a new computer security self-efficacy (CSSE) construct, identified items of CSSE in the context of individuals' use of encrypted e-mail, and determined the validity and reliability of the items of CSSE. Further, significant factors of CSSE were identified. First, a qualitative phase comprising focus groups and an expert panel was used to identify valid items of CSSE, develop a new instrument to measure the new CSSE construct, and validate the new CSSE instrument. After completing the qualitative phase, a quantitative phase was employed to collect empirical data on the CSSE items. The CSSE measurement instrument was administered to IS users at a major university in the southeastern United States and 292 responses were received. The collected data was statistically analyzed to identify significant factors of CSSE and the items of CSSE that demonstrate high reliability. Factor analysis was performed using Principal Component Analysis (PCA) and identified four significant and highly reliable factors of CSSE with a cumulative variance of nearly 68%. The four factors were named Performance Accomplishments and Technical Support, Goal Commitment and Resource Availability, Experience Level, and Individual Characteristics. Additionally, 35 items of CSSE were identified as possessing high reliability. This study contributes to advancing of the body of knowledge regarding the use of e-mail encryption by developing a new CSSE construct and extending Computer Self-Efficacy research into the area of computer security and e-mail encryption. Further, by identifying factors of CSSE, an understanding of what IS users believe will impact their ability to use encryption to send e-mail messages is obtained. This understanding can aid in enhancing the use of encryption mechanisms to send e-mail, promoting positive computer security behavior, and so contribute positively to IS practice.
7

Strong Intents Against Weak Links : Towards a Holistic Integration of Behavioral Information Security in Organizations with Strategic Intent

Koller, Teresa Marie, Ljung, Migle January 2021 (has links)
The human factor has been detected as the weakest link in the information security of organizations. Methods like training and awareness programs and the implementation of security policies have been developed, but they still seem to be less effective than desired. Authors have suggested integrating information security more holistically in organizations. In this study we discuss how strategic intent can influence an information security culture and improve information security behavior, thereby strengthening the weakest link. This thesis aims to develop a conceptual framework for organizations to integrate behavioral information security holistically with strategic intent. This thesis is based on a qualitative study with an abductive approach consisting of nine exploratory, semi-structured interviews. This way we could find today’s most prominent factors that might reinforce information security behavior in organizations and discuss the interrelations among those factors together with their potential facilitators and barriers. To improve behavioral InfoSec holistically in organizations, strategic Intent and InfoSec culture are promising factors. All factors have clear interrelations, but also potential facilitators and barriers.
8

Factors impacting information security noncompliance when completing job tasks

Harrell, Martha Nanette 26 November 2014 (has links)
Work systems are comprised of the technical and social systems that should harmoniously work together to ensure a successful attainment of organizational goals and objectives. Information security controls are often designed to protect the information system and seldom consider the work system design. Using a positivist case study, this research examines the user's perception of having to choose between completing job tasks or remaining compliant with information security controls. An understanding of this phenomenon can help mitigate the risk associated with an information system security user's choice. Most previous research fails to consider the work system perspective on this issue. This study is based on the socio-technical system theory, the Leavitt Diamond Model (1965). Using this model as a lens to examine user information security behavior and perspectives, the Synergistic Security Model was developed. The research data indicated that the relationships between the structure, technology, task and people constructs can have an impact on user information security behavior. The research found that a change in the organization's information security policies, technology, or a change in employee processes for task completion can impact a user's information security choice. Some of the information security situations found in the research could be easily changed to lower the risk of a user's choice to circumvent information security. This change could be a technical configuration change, a purchase of a new technology or a change in a process to help impact a user's choice to circumvent information security controls. The Synergistic Security Model can help researchers understand the relationships between the general constructs found in a work system and how those relationships can influence user behaviors. The research presented in the paper examines a triad relationship between each work system construct, consisting of: Structure-Technology-People; Structure-Task-People; Task-Technology-People; and Task-Technology-Structure. The findings indicate that the relationship between the constructs can have a significant impact on user information security behavior and therefore should be a consideration when designing an efficient and effective information security program.
9

Examining the Security Awareness, Information Privacy, and the Security Behaviors of Home Computer Users

Edwards, Keith 01 January 2015 (has links)
Attacks on computer systems continue to be a problem. The majority of the attacks target home computer users. To help mitigate the attacks some companies provide security awareness training to their employees. However, not all people work for a company that provides security awareness training and typically, home computer users do not have the incentive to take security awareness training on their own. Research in security awareness and security behavior has produced conflicting results. Therefore, it is not clear, how security aware home computer users are or to what extent security awareness affects the security behavior of home computer users. The goal of this study was to determine if there is a relationship between security awareness and users practicing good security behavior. This study adapted its research model from the health belief model (HBM), which accesses a patient’s decision to perform health related activities. The research model included the HBM constructs of perceived severity, perceived susceptibility, perceived threat, perceived benefits, perceived barriers, cues to action, and self-efficacy. The research model also contained the security awareness (SA) and concern for information privacy (CFIP) constructs. The model used SA to ascertain the effect of security awareness on a person’s self-efficacy in information security (SEIS), perceived threat, CFIP, and security behavior. The research model included CFIP to ascertain its effect on security behavior. The developed survey measured the participants' security awareness, concern for information privacy, self-efficacy, expectations of security actions, perceived security threats, cues to action, and security behavior. SurveyMonkey administered the survey. SurveyMonkey randomly selected 267 participants from its 30 million-member base. The findings of this study indicate home computer users are security aware. SA does not have a direct effect on a user’s security behavior, perceived threat, or CFIP. However, it does have influence on SEIS. SEIS has a weak effect on expectations. CFIP has an effect on a user’s security behavior after removing perceived threat from the research model. Perceived susceptibility has a direct effect on a user’s security behavior, but perceived severity or perceived threat does not.
10

Improving employees’ information systems (IS) security behavior:toward a meta-theory of IS security training and a new framework for understanding employees' IS security behavior

Karjalainen, M. (Mari) 18 October 2011 (has links)
Abstract Employee non-compliance with information systems (IS) security procedures is a key concern for organizations. However, even though the importance of having effective IS security training is widely acknowledged by scholars and practitioners, the existing literature does not offer an understanding of the elementary characteristics of IS security training, nor does it explain how these elementary characteristics shape IS security training principles in practice. To this end, this thesis develops a theory that suggests that IS security training has certain elementary characteristics that separate it from other forms of training, and sets a fundamental direction for IS security training practices. Second, the theory defines four pedagogical requirements for designing IS security training approaches. Then it points out that no existing IS security training approaches meet all these requirements. To address these shortcomings, the way in which to design an IS security training approach that meets all these requirements is demonstrated. In this thesis it is also argued that, along with an effective IS security training approach, reasons for employees’ IS security behavior need to be understood. The existing empirical research in the field of employees’ IS security behavior is dominated by theory-verification studies that test well-known theories developed in other fields in the context of IS security. Instead, it is argued that there is a need to focus the investigation on the phenomenon of employees’ compliance itself through an inductive and qualitative approach to complement the existing body of knowledge of this topic. As a result, a framework identifying reasons associated with compliance/non-compliance with security procedures is developed. A particularly interesting finding is that individuals’ violation of IS security procedures depends on the type of violation. Besides advancing a meta-theory for IS security training and developing the theoretical framework that points out reasons for employees’ IS security behavior, the thesis provides a future research agenda for IS security training and behavior. For practitioners, this thesis points out the limitations of the previous IS security training approaches and reasons for IS security behavior and, based on these observations, offers principles for designing effective IS security training approaches in practice. / Tiivistelmä Yhtenä keskeisenä ongelmana organisaatioissa pidetään sitä, että työntekijät laiminlyövät organisaation tietoturvakäytäntöjä. Vaikka tutkijat ja organisaatiot ovat tunnistaneet tietoturvakoulutuksen tärkeyden, olemassa oleva kirjallisuus ei tuo esiin tietoturvakoulutuksen perusominaisuuksia ja niiden asettamia vaatimuksia käytännön tietoturvakoulutukselle. Tässä väitöskirjassa kehitetään kolmitasoinen meta-teoria, joka huomioi nämä aikaisemmasta tietoturvakoulutusta käsittelevästä kirjallisuudesta puuttuvat kysymykset. Teorian ensimmäisellä tasolla määritellään tietoturvakoulutuksen perusominaisuudet, jotka erottavat sen muista koulutusmuodoista ja ohjaavat tietoturvakoulutuksen toteuttamista käytännössä. Teorian toisella tasolla määritellään neljä pedagogista vaatimusta tietoturvakoulutuksen suunnitteluun. Lisäksi kirjallisuusanalyysin perusteella osoitetaan, että olemassa oleva tietoturvakoulutusta käsittelevä kirjallisuus ei täytä kaikkia näitä vaatimuksia. Teorian kolmannella tasolla esitetään käytännön esimerkki siitä, kuinka tietoturvakoulutus voi täyttää tutkimuksessa määritellyt pedagogiset vaatimukset. Väitöskirjassa esitetään myös, että tehokkaan koulutusmenetelmän lisäksi on tärkeää ymmärtää työntekijöiden tietoturvakäyttäytymistä. Aikaisemmin tällä alueella on pääasiassa testattu muiden tieteenalojen teorioita tietoturvakontekstissa. Tässä väitöskirjassa sen sijaan tarkastellaan työntekijöiden tietoturvakäyttäytymisen syitä induktiivisen ja laadullisen tutkimusmenetelmän avulla. Tutkimuksen tuloksena kehitetään teoreettinen viitekehys, jonka avulla analysoidaan työntekijöiden tietoturvakäyttäytymistä. Tutkimuksen päätuloksena osoitetaan, kuinka tietoturvakäyttäytymiseen syyt eroavat rikkomustyypeittäin. Tietoturvakoulutuksen suunnittelua tukevan meta-teorian ja työntekijöiden tietoturvakäyttäytymistä selittävän teoreettisen viitekehyksen lisäksi väitöskirjassa esitetään uusia näkökulmia tietoturvakoulutuksen ja tietoturvakäyttäytymisen tutkimukselle. Käytännön tietoturva-ammattilaisille väitöskirja selventää olemassa olevien tietoturvakoulutuksen lähestymistapojen puutteita ja syitä työntekijöiden tietoturvakäyttäytymiselle. Näihin havaintoihin perustuen väitöskirjassa esitetään tekijöitä, joita tietoturvakoulutuksessa tulisi käytännössä ottaa huomioon.

Page generated in 0.0598 seconds