1 |
Intrinsic Motivation and Information Systems Security Policy Compliance in Organizations
Abdul Talib, Yurita Yakimin. 01 January 2015 (has links)
Incidents of computer abuse, proprietary information leaks and other security lapses have been on the increase. Most often, such security lapses are attributed to internal employees in organizations subverting established organizational IS security policy. As employee compliance with IS security policy is the key to escalating IS security breaches, understanding employee motivation for following IS security policy is critical. In addition to several types of extrinsic motives noted in prior studies, including sanctions, rewards, and social pressures, this study adds that an important contributing intrinsic factor is empowerment. Per Thomas and Velthouse’s (1990) intrinsic motivation model, empowerment is the positive feelings derived from IS security task assessments. Through survey data collected from 289 participants, the study assesses how dimensions of psychological empowerment (i.e., competence, meaning, impact, and choice) as derived from IS security task may impact the IS security performance of the participants, measured by their compliance with IS security policy. The study demonstrates that the competence and meaning dimensions of psychological empowerment have a positive impact on participants’ IS security policy compliance intention, while impact has a marginal negative influence on compliance. Furthermore, dimensions of psychological empowerment can be predicted by structural empowerment facets, particularly IS security education, training, and awareness (SETA), access to IS security strategy and goals, and participation in IS security decision-making. In addition, the competence and meaning dimensions of psychological empowerment may act as mediators for the relations between structural empowerment and participants’ IS security policy compliance. Theoretical contributions, managerial implications, and directions for future research of this study will be discussed.
|
2 |
Addressing ambiguity within information security policies in higher education to improve compliance
Buthelezi, Mokateko Portia. 06 1900 (has links)
Information security (InfoSec) policies are widely used by institutions as a form of InfoSec control measure to protect their information assets. InfoSec policies are commonly documented in natural language, which is prone to ambiguity and misinterpretation, thereby making it hard, if not impossible, for users to comply with them. These misinterpretations may lead students or staff members to wrongfully execute the required actions, thereby making institutions vulnerable to InfoSec attacks. According to the literature review conducted in this work, InfoSec policy documents are often not followed or complied with, and the key issues facing InfoSec policy compliance include the lack of management support for InfoSec, organisational cultures of non-compliance, intentional and unintentional policy violation by employees (the insider threat), lack of policy awareness and training, as well as the policy being unclear or ambiguous. This study is set in the higher education context and explores the extent to which the non-compliance problem is embedded within the policy documents themselves through ambiguity.
A qualitative method with a case study research strategy was followed in the research, in the form of an inductive approach with a cross-sectional time horizon, whereby a selection of relevant institutional InfoSec policies was analysed. The data was collected in the form of academic literature and InfoSec policies of higher education institutions to derive themes for data analysis. A qualitative content analysis was performed on the policies, which identified ambiguity problems in the data. The findings indicated the presence of ambiguity within the policy documents, making it possible to misinterpret some of the policy statements. Formal methods were explored as a possible solution to the policy ambiguity. A framework was then proposed to address ambiguity and improve the clarity of the semantics of policy statements. The framework can be used by policy writers to identify ambiguity in their policies and address it when drafting or revising their policy documents. / School of Computing / M. Sc.(Computing)
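An added illustration of the ambiguity problem the abstract describes (this is not code or material from the thesis, and the policy sentence, the two readings and the sample passwords are all constructed here): a natural-language rule with an unclear scope of "and"/"or" is encoded as two explicit predicates, one per reading, in the spirit of the formal-methods approach the study explored. Running both over the same inputs shows concretely which inputs one reading accepts and the other rejects, which is exactly where users and auditors will disagree.

```python
import re

# Constructed policy sentence with a scope ambiguity: does "and an uppercase
# letter" apply to the whole "digit or special character" clause, or only to
# "special character"?
POLICY = ("Passwords must be at least 12 characters and contain "
          "a digit or a special character and an uppercase letter.")

# Atomic checks shared by both readings.
def long_enough(pw, n=12):
    return len(pw) >= n

def has_digit(pw):
    return any(c.isdigit() for c in pw)

def has_special(pw):
    return re.search(r"[^A-Za-z0-9]", pw) is not None

def has_upper(pw):
    return any(c.isupper() for c in pw)

# Reading A: length AND (digit OR special) AND uppercase
def reading_a(pw):
    return long_enough(pw) and (has_digit(pw) or has_special(pw)) and has_upper(pw)

# Reading B: length AND (digit OR (special AND uppercase))
def reading_b(pw):
    return long_enough(pw) and (has_digit(pw) or (has_special(pw) and has_upper(pw)))

def disagreements(candidates):
    """Return the inputs on which the two readings give different verdicts.
    A non-empty result is evidence that the policy sentence is ambiguous
    in a way that changes enforcement outcomes."""
    return [pw for pw in candidates if reading_a(pw) != reading_b(pw)]

# Constructed sample passwords covering each combination of the atoms.
SAMPLES = [
    "correcthorsebattery1",   # long, digit, no upper: A rejects, B accepts
    "Correcthorsebattery1",   # long, digit, upper: both accept
    "correct-horse-battery",  # long, special, no upper: both reject
    "Correct-horse-battery",  # long, special, upper: both accept
    "Short1!",                # too short: both reject
]

if __name__ == "__main__":
    print(POLICY)
    for pw in SAMPLES:
        print(f"{pw!r:28} reading A={reading_a(pw)!s:5} reading B={reading_b(pw)!s:5}")
    print("disagreements:", disagreements(SAMPLES))
```

The practical use of this pattern is as a review check while drafting: if a policy statement admits more than one parse, write each parse down as a predicate and look for inputs where they differ; if such inputs exist, the sentence must be rewritten (for example by bracketing the clauses or splitting them into separate numbered requirements) before it is published.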
|
3 |
The COVID-19 pandemic impact on Information Security Policy compliance in regional healthcare: An empirical study
Fält, Melker; Minierski, Bartlomiej. January 2022 (has links)
Information Security (InfoSec) is a broad term used to describe the study of how to protect sensitive data from unauthorized access, modification, or deletion. InfoSec is commonly used within companies and organisations to facilitate the secure use of digital systems, taking its shape in the form of technical solutions as well as rules and guidelines defined in a so-called Information Security Policy (ISP). Consequently, ISPs, which aim to mitigate the risks posed by the generally agreed upon weakest link, the human factor, are considered a crucial asset in maintaining security. The outbreak of the COVID-19 pandemic further solidified their worth, as an increase in attacks targeting humans, especially within the healthcare sector, can be seen. Research directed at ISPs is a much debated area to which scientists from many different fields of study continuously lend their efforts. However, to the best of the authors' knowledge, no recent studies can be seen that examine ISP Compliance (ISPC), with a focus on InfoSec awareness, from a Swedish regional healthcare employees' perspective. Hence, this study seeks to provide an insight into this area, with the outbreak of the COVID-19 pandemic in mind. The research is based on a web-questionnaire survey created using information gained throughout several interviews with people working in the field of InfoSec. It seeks to examine healthcare employees' InfoSec awareness following the COVID-19 pandemic outbreak with regard to teleworking. It can be seen from the results that healthcare sector employees were well aware of the InfoSec risks related to the changing work conditions following the outbreak of the COVID-19 pandemic.
|
4 |
Three Essays on Collective Privacy and Information Security
Memarian Esfahani, Sara. 07 1900 (has links)
In Essay 1, we seek to expand the insights on an individual's decision to share group content. Social networking sites (SNS) have become a ubiquitous means of socializing in the digital age. Using a survey, we collected data from 520 respondents with corporate work experience to test our research model. Our analysis highlights the complex interplay between individual and group factors that shape users' risk-benefit analysis of sharing group content on social networking sites. Furthermore, the results of this study have important implications for social networking site design and policy, particularly with regard to providing granular control over the privacy settings of group content and clear and concise information about the potential risks and benefits of sharing group content. Essay 2 aims to extend the knowledge of information security policy (ISP) compliance. Using a comprehensive approach, we extended the perspective of control mechanisms in the context of ISPs. It is evident that maintaining information security is an important concern for organizations of all sizes and industries. Organizations can establish policies and procedures to regulate and ensure compliance with information security policies, and various control mechanisms can be employed to ensure compliance. Among these control mechanisms, enforcement, punishment, evaluation, and recognition have been identified as important factors that influence information security policy compliance. In Essay 3, we delve into the current digital era and the reality of individuals becoming particularly vulnerable to privacy breaches. In the third essay, we offer a thorough examination of existing literature to gain insight into the disparities between users' stated privacy concerns and their actual information-sharing behavior.
Our analysis reveals that, in addition to technological and environmental factors, cultural and personal differences significantly contribute to the paradoxical behavior observed among individuals. Utilizing the S-O-R (stimulus-organism-response) framework, we emphasize the necessity of examining the intricate interplay between technological aspects, individual attributes, and environmental factors in order to better understand the complexities of individuals' privacy decision-making processes. By addressing these factors and their interactions, we can develop more effective strategies to improve individuals' privacy awareness, decision-making, and overall online experiences. This will ultimately create more secure and privacy-respecting digital communities for users with various characteristics.
|
5 |
The Impact of Awareness of Being Monitored on Internet Usage Policy Compliance: An Agency and Stewardship View
Summers, Nirmalee. 14 August 2015 (has links)
Internet usage has become a norm in most organizations, and organizations have started monitoring employees' Internet usage, e-mail communications, social network usage, etc. With the increased Internet usage, Internet misuse by employees has increased the potential for security vulnerabilities for these organizations. Organizations have established various security countermeasures such as sanctions, incentives, and Internet usage policies in order to prevent Internet misuse and protect the organizational information assets. However, it is important for organizations to understand whether these Internet usage policies are effective in mitigating the threats of Internet misuse. Therefore, this dissertation investigates the impact of different countermeasures such as sanctions, incentives and awareness of being monitored on Internet usage policy compliance. Furthermore, it investigates the impact of organizational stewardship culture, consisting of collectivism and low power distance, on Internet usage policy compliance behavior. A research model was developed to test the influence of penalties (sanction severity, sanction certainty, sanction celerity), incentives, collectivism and power distance on Internet usage policy compliance intention. Furthermore, it investigates the impact of awareness of being monitored, which has not received much attention from information security researchers. In order to test the hypothesized relationships in the research model, data was collected utilizing an online survey through an online survey panel provider, Amazon Mechanical Turk. The findings indicate that sanction certainty, awareness of being monitored, collectivism and power distance have a significant influence on Internet usage policy compliance intention of the sample population. Additionally, when employees are aware that they are being monitored, it increases the effectiveness of sanction severity and celerity.
This dissertation makes several contributions to research and practitioners. It contributes to research by investigating the impact of two contrasting theories where agency theory assumes that employees are motivated through extrinsic factors whereas stewardship theory assumes that they are motivated through intrinsic means (organizational stewardship culture). It contributes to practitioners as well by highlighting the importance of controls such as computer monitoring, swift punishments in protecting organizational assets. As the results suggest, apart from the controls, organizational stewardship culture can play an important role in mitigating some of these threats as well.
|
7 |
Intrusion detection techniques in wireless local area networks
Gill, Rupinder S. January 2009 (has links)
This research investigates wireless intrusion detection techniques for detecting attacks on IEEE 802.11i Robust Secure Networks (RSNs). Despite a variety of comprehensive preventative security measures, RSNs remain vulnerable to a number of attacks. The failure of preventative measures to address all RSN vulnerabilities dictates the need for a comprehensive monitoring capability to detect all attacks on RSNs and also to proactively address potential security vulnerabilities by detecting security policy violations in the WLAN. This research proposes novel wireless intrusion detection techniques to address these monitoring requirements and also studies correlation of the generated alarms across wireless intrusion detection system (WIDS) sensors and across the detection techniques themselves for greater reliability and robustness. The specific outcomes of this research are:
- A comprehensive review of the outstanding vulnerabilities and attacks in IEEE 802.11i RSNs.
- A comprehensive review of the wireless intrusion detection techniques currently available for detecting attacks on RSNs.
- Identification of the drawbacks and limitations of the currently available wireless intrusion detection techniques in detecting attacks on RSNs.
- Development of three novel wireless intrusion detection techniques for detecting RSN attacks and security policy violations in RSNs.
- Development of algorithms for each novel intrusion detection technique to correlate alarms across distributed sensors of a WIDS.
- Development of an algorithm for automatic attack scenario detection using cross detection technique correlation.
- Development of an algorithm to automatically assign priority to the detected attack scenario using cross detection technique correlation.
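An added example of the three correlation steps the outcomes above name (cross-sensor alarm correlation, cross-technique scenario detection, and priority assignment); it is illustrative code written for this listing, not the thesis's own algorithms, and the alarm records, technique names, scenario rules, time window and priority weights are all constructed here. Cross-sensor correlation merges duplicate alarms that several sensors raised for the same over-the-air event; scenario detection then links the remaining alarms by shared client or BSSID inside a time window and matches the observed set of techniques against scenario definitions; the priority of a matched scenario grows with the number of corroborating techniques.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alarm:
    sensor: str      # WIDS sensor that raised the alarm
    t: float         # seconds since capture start
    technique: str   # detection technique that fired
    bssid: str       # AP address the alarm concerns
    client: str      # station address, or "" if not applicable

# Constructed alarms: two sensors overhear the same deauth flood against a
# client, then a rogue AP appears and the same client associates with it.
ALARMS = [
    Alarm("s1", 10.0, "deauth_flood", "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66"),
    Alarm("s2", 10.4, "deauth_flood", "aa:bb:cc:dd:ee:01", "11:22:33:44:55:66"),
    Alarm("s1", 13.0, "rogue_ap", "aa:bb:cc:dd:ee:99", ""),
    Alarm("s2", 14.2, "unauthorised_assoc", "aa:bb:cc:dd:ee:99", "11:22:33:44:55:66"),
    Alarm("s1", 90.0, "rogue_ap", "aa:bb:cc:dd:ee:77", ""),
]

# Hypothetical scenario rules: the set of techniques that must all fire on
# linked alarms within WINDOW seconds. Names and weights are illustrative.
WINDOW = 30.0
SCENARIOS = {
    "evil_twin_takeover": {"deauth_flood", "rogue_ap", "unauthorised_assoc"},
    "deauth_then_rogue": {"deauth_flood", "rogue_ap"},
}
BASE_PRIORITY = {"deauth_flood": 2, "rogue_ap": 3, "unauthorised_assoc": 4}

def dedupe_across_sensors(alarms, slack=1.0):
    """Cross-sensor correlation: alarms from different sensors with the same
    technique, BSSID and client within `slack` seconds are one event."""
    merged = []
    for a in sorted(alarms, key=lambda x: x.t):
        same = any(m.technique == a.technique and m.bssid == a.bssid
                   and m.client == a.client and abs(m.t - a.t) <= slack
                   for m in merged)
        if not same:
            merged.append(a)
    return merged

def related(a, b):
    """Two alarms are linked if they name the same client or the same AP."""
    return (a.client != "" and a.client == b.client) or a.bssid == b.bssid

def cluster(anchor, window):
    """Grow a transitively linked group of alarms starting from `anchor`."""
    group = [anchor]
    grew = True
    while grew:
        grew = False
        for a in window:
            if a not in group and any(related(a, g) for g in group):
                group.append(a)
                grew = True
    return group

def priority(techniques):
    """Worst base score, raised by one for each extra corroborating technique."""
    return max(BASE_PRIORITY[t] for t in techniques) + len(techniques) - 1

def detect_scenarios(alarms):
    """Cross-technique correlation: for each unconsumed alarm, cluster the
    linked alarms in its window and match against SCENARIOS, most specific
    first. Returns (scenario name, start time, priority) tuples."""
    alarms = dedupe_across_sensors(alarms)
    consumed, found = set(), []
    for i, anchor in enumerate(alarms):
        if anchor in consumed:
            continue
        window = [a for a in alarms[i:] if a.t - anchor.t <= WINDOW]
        group = cluster(anchor, window)
        techs = {a.technique for a in group}
        for name, needed in sorted(SCENARIOS.items(), key=lambda kv: -len(kv[1])):
            if needed <= techs:
                found.append((name, anchor.t, priority(needed)))
                consumed.update(group)
                break
    return found

if __name__ == "__main__":
    for scenario in detect_scenarios(ALARMS):
        print(scenario)
```

Deduplicating before scenario matching matters: without it, the two copies of the deauth alarm would double-count evidence and inflate any frequency-based priority, and the lone rogue AP at t=90 shows that a single technique firing outside the window of any linked alarm does not become a scenario.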
|
8 |
Assessing information security compliant behaviour using the self-determination theory
Gangire, Yotamu. 02 1900 (has links)
Information security research shows that employees are a source of some of the security incidents in the organisation. This often results from failure to comply with the Information Security Policies (ISPs). The question is, therefore, how to improve information security behaviour of employees so that it complies with the ISPs. This study aims to contribute to the understanding of information security behaviour, especially how it can be improved, from an intrinsic motivation perspective.
A review of the literature suggested that research in information security behaviour is still predominantly based on the extrinsic perspective, while the intrinsic perspective has not received as much attention. This resulted in the study being carried out from the perspective of the self-determination theory (SDT) since this theory has also not received as much attention in the study of information security behaviour. The study then proposed an information security compliant behaviour conceptual model based on the self-determination theory, (ISCBMSDT).
Based on this model, a questionnaire, the ISCBMSDT questionnaire, was developed using the Human Aspects of Information Security Questionnaire and SDT. Using this questionnaire, a survey (n = 263) was carried out at a South African university and responses were received from the academic, administrative and operational staff. The following statistical analyses of the data were carried out: exploratory factor analysis, reliability analysis, analysis of variance (ANOVA), independent samples t-tests and Pearson correlation analysis. The responses to the survey questions suggest that autonomy questions received the most positive perception, followed by competence questions and relatedness questions. The correlation analysis results show the existence of a statistically significant relationship between the competence and autonomy factors. Also, a partially significant relationship between the autonomy and relatedness factors, as well as between the competence and relatedness factors, was observed.
The exploratory factor analysis that was performed on the questionnaire produced 11 factors.
Cronbach's alpha was then computed for the eleven factors and all were found to be above 0.7, thus suggesting that the questionnaire is valid and reliable. The results of the research study also suggest that competence and autonomy could be more important than relatedness in directing information security behaviour among employees. / School of Computing / M. Tech. (Information Technology)
|