The Impact of Affective Flow on Information Security Policy Compliance

Ormond, Dustin K

15 August 2014

Information system security literature has primarily focused on cognitive processes and their impact on information security policy noncompliance behavior. Specific cognitive theories that have been applied include planned behavior, rational choice, deterrence, neutralization, and protection motivation. However, affective processes may better determine misuse or information security policy noncompliance than cognitive processes. The purpose of this dissertation is to evaluate the impact of affective absorption (i.e. the trait or disposition to become deeply involved with one’s emotions) and affective flow (i.e. a state of deep involvement with one’s emotions) on cognitive processes in the context of attitude toward and compliance with information security policies. In essence, individuals with high levels of negative affective absorption may be more prone to experience negative affective flow which may lead to deviant behavior such as misuse of organizational information or noncompliance with information security policy. The proposed conceptual model is evaluated using the classical experimental design through a laboratory experiment. A preliminary investigation (e.g. expert panel reviews, pre-test, and pilot studies) is conducted to ensure measurement validity. During the main investigation, the proposed model and hypotheses are tested. Driven by theory, an alternative model is proposed and tested. The findings of this study underscore the need for understanding affective processes with regard to information security policy compliance behavior. By evaluating both cognitive and affective processes, we gain a more holistic understanding pertaining to information security decision making. This study contributes to information systems security literature by introducing two new constructs, affective absorption and affective flow. In addition, it asserts the need to capture actual behavior in information security research. The findings also contribute to practice by indicating that organizations should (1) include affect in their security, education, training, and awareness programs, (2) focus on eliminating frustrating tasks or reducing frustration caused by these tasks, and (3) induce positive affect through monitoring employee affect levels, identifying areas that need correction, and quickly responding to issues prior to deviance.

compliance

attitude

affective flow

affective absorption

affect

future compliance intention

information security policy

negative affect

organizational injustice

Pushes and pokes: Towards understanding Swedish ‘mid-range’ security policy-making

Jungwallius, Johanna

January 2023

Abstract: This thesis investigates the recursive relationship between strategic culture, security policy-making, and Swedish security policy, aiming to provide further insights into change and continuity in policy norms and practices. Using a case-study methodology, and Bloomfield’s (2016) norm-dynamic framework, it analyses the Swedish Parliament deliberations regarding two, ‘mid-range’ defence and security cooperations with NATO.  The  results show how security policy is influenced by political actors, who actively assume roles to defend and contest security policy, depending on temporal and institutional contexts. Furthermore, the study has proven valuable for understanding both what lies behind a smaller state’s policy status quo, and its steps towards more momentous security-policy decisions. The recursive relationships within and aspects of security policy-making, underscores the significance of strategic culture as contextual. The thesis hopes to invite research into other ‘mid-range’ decisions for broadening this insight.

Security policy

parliamentary democracy

strategic culture

norm-dynamics

Partnership for Peace

Host Nation Support

Other Social Sciences

Annan samhällsvetenskap

Three Essays on Collective Privacy and Information Security

Memarian Esfahani, Sara

07 1900

In Essay 1, we seek to expand the insights on an individual's decision to share group content. Social networking sites (SNS) have become a ubiquitous means of socializing in the digital age. Using a survey, we collected data from 520 respondents with corporate work experience to test our research model. Our analysis highlights the complex interplay between individual and group factors that shape users' risk-benefit analysis of sharing group content on social networking sites. Furthermore, the results of this study have important implications for social networking site design and policy, particularly with regard to providing granular control over the privacy settings of group content and clear and concise information about the potential risks and benefits of sharing group content. Essay 2 aims to extend the knowledge of information security policy (ISP) compliance. Using a comprehensive approach, we extended the perspective of control mechanisms in the context of ISPs. It is evident that maintaining information security is an important concern for organizations of all sizes and industries. Organizations can establish policies and procedures to regulate and ensure compliance with information security policies, and various control mechanisms can be employed to ensure compliance. Among these control mechanisms, enforcement, punishment, evaluation, and recognition have been identified as important factors that influence information security policy compliance. In Essay 3, we delve deep into the current digital era and the reality of individuals becoming particularly vulnerable to privacy breaches. In the third essay, we offer a thorough examination of existing literature to gain insight into the disparities between users' stated privacy concerns and their actual information-sharing behavior. Our analysis reveals that, in addition to technological and environmental factors, cultural and personal differences significantly contribute to the paradoxical behavior observed among individuals. Utilizing the S-O-R (stimulus-organism-response) framework, we emphasize the necessity of examining the intricate interplay between technological aspects, individual attributes, and environmental factors in order better to understand the complexities of individuals' privacy decision-making processes. By addressing these factors and their interactions, we can develop more effective strategies to improve individuals' privacy awareness, decision-making, and overall online experiences. This will ultimately create more secure and privacy-respecting digital communities for users with various characteristics.

Group Privacy

Group Content Sharing

Information Security

Security Policy Compliance

Privacy Paradox

Psychology, Behavioral

Sociology, Theory and Methods

Psychology, Experimental

The Impact of Awareness of Being Monitored on Internet Usage Policy Compliance: An Agency and Stewardship View

Summers, Nirmalee

14 August 2015

Internet usage has become a norm in most organizations where organizations have started monitoring employee, Internet usage, e-mail communications, social network usage and etc. With the increased Internet usage, Internet misuse by employees has increased the potential for security vulnerabilities for these organizations. Organizations have established various security countermeasures such as sanctions, incentives, and Internet usage policies in order to prevent Internet misuse and protect the organizational information assets. However, it is important for organizations to understand whether these Internet usage polices are effective in mitigating the threats towards Internet misuse. Therefore, this dissertation investigates the impact of different countermeasures such as sanctions, incentives and awareness of being monitored on Internet usage policy compliance. Furthermore, it investigates the impact of organizational stewardship culture consisting of collectivism and low power distance, on Internet usage policy compliance behavior. A research model was developed to test the influence of penalties (sanction severity, sanction certainty, sanction celerity), incentives, collectivism and power distance on Internet usage policy compliance intention. Furthermore, it investigates the impact of awareness of being monitored which has not received much attention from information security researchers. In order to test the hypothesized relationships in the research model, data was collected utilizing an online survey through an online survey panel provider, Amazon Mechanical Turk. The findings indicate that, sanction certainty, awareness of being monitored, collectivism and power distance have a significant influence on Internet usage policy compliance intention of the sample population. Additionally, when employees are aware that they are being monitored, it increases the effectiveness of sanction severity and celerity. This dissertation makes several contributions to research and practitioners. It contributes to research by investigating the impact of two contrasting theories where agency theory assumes that employees are motivated through extrinsic factors whereas stewardship theory assumes that they are motivated through intrinsic means (organizational stewardship culture). It contributes to practitioners as well by highlighting the importance of controls such as computer monitoring, swift punishments in protecting organizational assets. As the results suggest, apart from the controls, organizational stewardship culture can play an important role in mitigating some of these threats as well.

Information Security Policy Compliance

Internet Usage Policy Compliance

Sanction Celerity

Agency Theory

Stewardship Theory

Deterrence Theory

Sanction Severity

Sanction Certainty

Security and Environment in the Mediterranean: Conceptualising Security and Environmental Conflicts

Brauch, H.G., Liotta, P.H., Marquina, A., Rogers, Paul F.

January 2003

Focus on six structural factors: population growth, climate change, desertification, water scarcity, food security, urbanisation and pollution Review of environmental degradation as a cause of conflict and of conflict prevention as a new task of security policy Dialogue between academia and policy makers in international organisations as well as governmental and nongovernmental institutions In this volume security specialists, peace researchers, environmental scholars, demographers as well as climate, desertification, water, food and urbanisation specialists from the Middle East and North Africa, Europe and North America review security and conflict prevention in the Mediterranean. They also analyse NATO¿s Mediterranean security dialogue and offer conceptualisations on security and perceptions of security challenges as seen in North and South. The latter half of the book analyses environmental security and conflicts in the Mediterranean and environmental consequences of World War II, the Gulf War, the Balkan wars and the Middle East conflict. It also examines factors of global environmental change: population growth, climate change, desertification, water scarcity, food and urbanisation issues as well as natural disasters. Furthermore, it draws conceptual conclusions for a fourth phase of research on human and environmental security and peace as well as policy conclusions for cooperation and partnership in the Mediterranean in the 21st century.

Population growth

Climate change

Desertification

Water scarcity

Food security

Urbanisation

Pollution

Conflict

Conflict prevention

Security policy

Environmental change

Cooperation

美國柯林頓政府的朝鮮半島安全政策:從薄富爾的「行動戰略」理論分析

孫弘鑫, SUN,HUNG-HSIN

Unknown Date

自二次世界大戰結束以後，美國對朝鮮半島的安全政策經歷了不同的轉變。韓戰後各個時期的政府主要仍是以對南韓的安全承諾與〈美韓共同防衛條約〉的軍事嚇阻作為其政策與戰略的基石。冷戰後朝鮮半島遭遇了兩次核子危機，但是柯林頓政府卻改變政策，以合作與對話的方式試圖解決危機。小布希政府團隊在執政以前，對於柯林頓政府的作法始終抱持反對的態度，認為應該要對北韓採取強硬態度。但是隨著小布希政府執政、911事件的發生與反恐戰爭的進行，小布希政府對朝鮮半島安全政策卻採取了與柯林頓政府類似的作法。這種變化是否意味柯林頓政府在朝鮮半島安全政策上有其優點，值得後任政府效法。因此，本論文以薄富爾的「行動戰略」理論作為研究途徑，藉由政策與戰略選擇的分析、行動計畫中「政治診斷」與「戰略診斷」的研判，以及各種戰略行動模式的鋪陳，探討柯林頓政府時期的朝鮮半島安全政策。同時比較柯林頓和小布希政府政策與戰略上的差異與因襲，並分析當前情勢，嘗試提出未來可能的變化。 本論文發現，柯林頓政府對於北韓自始至終都是採取「交往與擴大」政策，希望能以「交往與擴大」政策將北韓拉回國際體系內，使其遵守國際體系的規範。小布希政府則是一開始採取典型的現實主義政策，不願意與北韓交往，因為典型現實主義者所重視的是和國際體系中強權國家之間關係的處理，而不是注重在衰敗國家或轉變中國家的事務。一直到911事件後才改採兼具現實主義與理想主義的新政策，對北韓的態度與作法才有所轉變。 柯林頓政府始終均是運用多邊主義的戰略行動。小布希政府最初對於北韓是「冷處理」的方式，不予理會，但是911事件之後，開始調整政策，在戰略也有所改變。小布希的戰略是所謂的「鷹派交往」。「鷹派交往」戰略和「選擇性交往」戰略比較貼近，但是二者還是有差異。雖然「鷹派交往」戰略和「選擇性交往」戰略的內涵均是以多邊主義的方式，聯合經過慎選的重要國家採取間接模式的總體戰略行動來追求政策目標，但是「鷹派交往」戰略卻對對手國更具有壓力，因為「鷹派交往」戰略在採取交往的同時，不忘記強硬的手段。換言之，「鷹派交往」戰略將交往的內容作為誘因，引誘對手國往本國所期望的方向行動，當其行動違反本國所欲時，這項誘因便可以隨時轉變成為懲罰的工具。從這點看來，小布希的戰略選擇，在戰略行動的產出上較柯林頓來得有效率。 由於戰略是「兩個對立意志使用力量以來解決其爭執時所用的辯證法藝術」，因此在決定戰略的選擇時必須考量敵我之間的各項資源、行動自由的大小，乃至於互動模式，這些都是在進行行動計畫，選取戰略之時，必須審慎考量的，否則便可能產生無法指導行動的戰略。柯林頓政府的戰略雖然立意甚佳，但卻沒有考慮到採取此種戰略是否能夠從中規劃出有效的行動模式，來維持原有的行動自由、並進一步爭取最大的行動自由。這是柯林頓政府朝鮮半島安全政策的缺憾。 / Since the end of World War II, There have been different changes in the U.S. Korean Peninsula security policy. During the post-Korean war era, each administration makes its policy and strategy on the basis of security promise to the South Korea and military deterrence toward the North with U.S.-R.O.K. Mutual Defense Treaty. There were two nuclear crises after the end of the cold war, but the Clinton administration changed its policy and tried to solve the problem in way of cooperation and dialog. Before taking office, George W. Bush’s team was against Clinton’s policy and declared that the United States should take coercive actions against the North Korea. However, since George W. Bush took office, 911 broke out and the war on terror was going on, the Bush administration took the similar policy on the Korean Peninsula security policy as the Clinton’s. Does this mean that Clinton’s policy may have goodness that worthy for the administrations after his to follow? Thus, I took Andr□ Beaufre’s “strategy of action” theory as my thesis study approach. Through the analysis on the choice of policy and strategy, the decision on “political diagnosis” and “strategic diagnosis” of action planning, and the display of each kind of strategic actions, this thesis analyzed the Korean Peninsula security policy in the Clinton era. At the same time, I compared the difference and continuance between the two administrations and analyzed the status quo trying to figure out the would-be changes in this thesis In the thesis I discovered that the Clinton administration took the “engagement and enlargement” policy from the beginning to the end, hoping that the policy would pull back the North Korea into the international system and make it follow the international order. At the beginning, Bush administration took the classical realist policy and was not willing to engage North Korea. Because the emphasis of classical realists is to deal with the relations among power nations, not paying attention to the affairs of declining and falling states. Not until the outbreak of 911 did the Bush administration take new policy composite with realism and idealism, and change the attitude toward North Korea. The Clinton administration undertook the strategic action in multi-polarity from the beginning to the end. Bush administration chose to ignore North Korea at the beginning, but changed his policy and strategy after the 911. What Bush undertook is called “Eagle Engagement Strategy”. “Eagle Engagement Strategy” is similar to “Selective Engagement Strategy” but there are still some differences between them. Though both Strategies unite those states carefully chosen and undertake indirect total strategic actions to chase the policy goals in multi-lateral way, the “Eagle Engagement Strategy” is much powerful in pressing the rival states. That is because when people undertake the “Eagle Engagement Strategy” to engage, there are still ways in coerciveness. In other words, the “Eagle Engagement Strategy” provides engagement as motive to make rival states undertake the way we wish. When the rival states do not follow our will, this motive may switch into the tool of punishment. In this point of view, the Bush administration’s strategy is more effective than the Clinton’s. The Clinton administration’s strategy was base on good will, but the Clinton administration did not considerate its effective action modes to maintain its original action freedom and chase the most action freedom by this strategy. To Clinton’s Korean Peninsula security policy it is a pity.

朝鮮半島

柯林頓

行動戰略

安全政策

KOREAN PENINSULA

BILL CLINTON

STATEFY OF ACTION

SECURITY POLICY

France, Germany and the United Kingdom Cooperation in Times of Turbulence

Herolf, Gunilla

January 2004

<p>This thesis deals with cooperation between France, Germany and the United Kingdom within the area of foreign and security policy. Two case studies are presented, one of them concerning cooperation between the three states within and outside institutions in 1980 following the Soviet invasion of Afghanistan, and the other dealing with cooperation concerning the crisis in Macedonia in 2001. In accordance with the approach of neoliberal institutionalism the primary hypothesis is that cooperation is primarily determined by the interests of states but it is also limited by norms and affected by the institutions of which the three states are members. The study describes the large variety of forms of cooperation that exist between France, Germany and the United Kingdom, in which the United States also plays an important part, and which also includes their cooperation within a number of international institutions. The study also points to the new forms of interaction between states and institutions that have come about since the Cold War ended, and which give a stronger role to institutions and the cooperation between them. Still, however, states retain a decisive role in cooperation within the field of foreign and security policy.</p>

France

Germany

United Kingdom

United States

United Nations

OSCE

WEU

NATO

European Union (EU)

Afghanistan

Macedonia

cooperation

foreign and security policy

CFSP

ESDP

Swiss Armed Forces XXI - the answer to current or future threats?

Schmidlin, Marco

06 1900

Approved for public release, distribution is unlimited / A changed security environment after the end of the Cold War forced Switzerland, Austria, and Sweden to reassess their security policy. New threats and challenges such as international terrorism, WMD, organized crime, the greater disparity of wealth and increased migration have replaced traditional military threats. Larger non-military concerns like peacekeeping operations, hu-manitarian support, and support to civil authorities have replaced territorial defense. All of which require international cooperation. Following a comprehensive security strategy, Switzerland, Austria, and Sweden aim to defend their territory, protect their population, and fostering international peace and security. Austria and Sweden focus on the integration and solidarity with the Euro-pean Union (EU) and the North Atlantic Treaty Organization (NATO). Switzerland retains its perpetual neutrality, but has shown increased international cooperation. Austria and Sweden model their Armed Forces after the EU Petersberg Tasks and have small peacetime organizations with a professional cadre and annual conscripts. The Swiss Armed Forces XXI focus on territorial defense and are organized in accordance with universal conscription and wartime organization policies. Traditional political, social, and economic aspects hinder Switzerland from following a straightforward strategy toward solidarity and fundamental change in its Armed Forces. Switzerland's new security policy and its Armed Forces XXI do not fully meet the requirements to fight new threats and challenges together with the international community. / Lieutenant Colonel, Swiss Air Force

National security

Switzerland

Austria

Sweden

Switzerland

Austria

Sweden

Security policy

Security strategy

Armed forces

Militia armed forces

Neutrality

Solidarity

Military transformation

Swiss Armed Forces XXI

La convergence de la sécurité informatique et de la protection des renseignements personnels : vers une nouvelle approche juridique

Vicente, Ana Isabel

07 1900

"Mémoire présenté à la Faculté des études supérieures en vue de l'obtention du grade de maîtrise en droit (LL.M.) option Nouvelles technologies de l'information" / Le développement exponentiel des réseaux informatiques a largement contribué à augmenter le volume des renseignements personnels disponibles et à remplacer les méthodes désuètes de collecte des renseignements par des méthodes plus rapides et plus efficaces. La vie privée et le contrôle sur les informations personnelles, telles que nous les connaissions il y a quelques décennies, sont des notions difficilement compatibles avec la société ouverte et commerciale comme la nôtre. Face à cette nouvelle réalité menaçante pour les droits et libertés de l'homme, il est essentiel de donner un cadre technique et légal stable qui garantisse un niveau de protection adéquat de ces données personnelles. Pour rester dans le marché ou bénéficier de la confiance des individus, les entreprises et les gouvernements doivent posséder une infrastructure de sécurité informatique efficace. Cette nouvelle donne a tendance à devenir plus qu'une simple règle de compétitivité, elle se transforme en une authentique obligation légale de protéger les données à caractère personnel par des mesures de sécurité adéquates et suffisantes. Ce mémoire aborde justement ces deux points: premièrement, l'étude du développement d'une obligation légale de sécurité et ensuite, l'encadrement juridique de la mise en place d'un programme de sécurisation des données personnelles par des mesures de sécurités qui respectent les standards minimaux imposés par les textes législatifs nationaux et internationaux. / The latest development in information networks largelly contributed to the increasing amount of personal data being collected by the public and private sector and the replacement of old fashioned collection methods by faster and cheaper techniques. Notions of privacy and control of personnal data are not as we used to know them a decade ago and they became somehow incompatible with an open and commercial society in which we live. Facing this new and dangerous reality to fondamental human rights and liberties, it is pressing to give a legal and technical stable framework insuring an adequate level of protection to personnal data. To keep a competitive position in the market and maintain individuals trust in the system, companies and governments must guarantee an efficent security infrastructure. If this feature was until now a strategie advantage, it has become an authentic legal obligation to protect personnal data by suffisant safeguards. The purpose of this work is essentially consider those two statements: the study of the development of a legal obligation to guarantee the security of personnal data and the legal backing for the implementation of a security policy respecting minimal standards imposed by national and international laws.

Sécurité informatique

Renseignements personnels

Niveau de protection adéquat

Politique de sécurité

Obligation légale de sécurité

Information security

Personnal data

Adequate safeguards

Security policy

Legal obligation for security

Une architecture logicielle et un langage métier pour la sécurité à base de politiques dans les systèmes distribués

Hamdi, Hedi

10 January 2009

Les systèmes distribués supportent l'exécution d'un grand nombre d'applications pouvant avoir des contraintes d'exécution différentes. La sécurité pour ces systèmes possède une influence déterminante sur les performances et la qualité de service de ces applications. Le recours à la sécurité à base de politiques pour sécuriser ces systèmes est particulièrement attrayant. Toutefois, cette approche implique la spécification et le déploiement de politiques, qui reste une tâche laborieuse, souvent propice aux erreurs, et requiert une connaissance approfondie des mécanismes de sécurité. Dans cette thèse nous proposons un cadre pour la spécification, la vérification et l'implémentation des politiques pour la sécurité des systèmes distribués. Ce cadre repose sur un langage de spécification de politiques nommé PPL (Policy Programming Language) et une architecture de déploiement de politiques. Cette architecture se base sur le langage PPL et offre un support pour la compilation de politiques dans différents mécanismes d'implémentation en tenant compte des exigences de l'application ou du service sous-jacent. Elle permet par ailleurs une attribution automatique des politiques de sécurité aux composants d'implémentation. Le langage métier PPL fournit quant à lui des abstractions spécifiques pour permettre la spécification de politiques de sécurité facilitant ainsi leur développement et leur intégration dans le support de déploiement. Il est déclaratif, robuste, fortement expressif, et permet plusieurs possibilités de vérification. Il est aussi doté d'une sémantique formelle, qui permet de valider, vérifier et prouver les propriétés et les règles de sécurité d'une politique. / Distributed systems support the execution of a large number of applications that have different performance constraints. Security for these systems has a decisive influence on the performance and quality of service of such applications. The use of security-based policies to secure these systems is particularly attractive. However, this approach involves the specification and the deployment of policies, which remains a laborious task, often conducive to error, and requires a thorough knowledge of security mechanisms. In this thesis we propose a framework for specification, verification and implementation of security policies for distributed systems. This framework is based on a policy specification language called PPL (Policy Programming Language) and an architecture of policies deployment. This architecture is based on PPL language and offers a support for the compilation of policies in different mechanisms of implementation, taking into account the requirements of the application or the underlying service. It also enables automatic distribution of security policies to their implementation components. The PPL language provides specific abstractions to allow the specification of security policies and facilitating their development and integration in the deployment support. It is declarative, robust, highly expressive, and allows several possibilities of verification. It also has a formal semantic, which allows you to validate, verify and prove the properties of a security policy.

Langage métier

Architecture

Politique de sécurité

Spécification

Vérification

Implémentation

Validation

Distribution automatique

Application-specific-language

Architecture

Specification

Verification

Enforcement

Security policy

Automatic distribution