1 |
Investigating the Impact of Self-Control and Deterrents on Noncompliant Information Security Behavior
Chuma, Ramadhan, 01 January 2012
Employees' noncompliance with information security policy and rules is a serious impediment to the effectiveness of security programs in organizations. The extant information security studies have used General Deterrence Theory (GDT) to investigate noncompliant information security behavior, yet most of the findings have not been effective in practice due to a lack of strong theoretical underpinning. Neglecting criminal propensity of the potential perpetrator has been identified to be one of the theoretical weaknesses of GDT-based studies. Any attempt to explain noncompliant information security behavior in an organizational context demands a well-grounded framework to explain why employees transgress information security policies and rules. The purpose of this study was to empirically investigate the link between self-control (criminal propensity), deterrence perceptions, and noncompliant information security behavior. Criminal propensity was operationalized using the three perspectives of self-control: personality trait, social bond, and self-generated inhibitions. This study then examined the influence of the three self-control variables on deterrence perceptions (certainty, severity, and celerity). Further, the study investigated the impact of deterrence perceptions on noncompliant information security behavior.
Data collected from 421 employees in a Southern USA-based company was used to test the relationships between research model constructs using SPSS's Amos structural equation modeling software package. Results indicated that employees' perceptions on all three dimensions of deterrents were positively impacted by self-control based on self-generated inhibitions. The results also showed that only employees' perceptions on certainty of apprehension and celerity of punishment were positively impacted by social bond self-control. No significant relationships were established between deterrence perceptions and personality trait self-control. Further, employees' perceptions on certainty of apprehension and celerity of punishment were negatively associated with noncompliant information security behavior. The results also indicated that severity of punishment was not a significant predictor of noncompliant information security behavior. The uniqueness of this study provided evidence on the importance of incorporating criminal propensity in GDT-based studies. The current study also highlighted the importance of celerity of punishment dimension, which is highly neglected by GDT-based information security studies.
|
2 |
Examining the Behavioral Intention of Individuals' Compliance with Information Security Policies
Brown, David A., 01 January 2017
Target Corporation experienced an information security breach resulting in compromising customers' financial information. Management is responsible for implementing adequate information security policies that protect corporate data and minimize financial losses. The purpose of this experimental study was to examine the effect of a fear appeal communication on an individual's information security policy behavioral intention. The sample population involved information technology professionals randomly selected from the SurveyMonkey audience. A research model, developed using constructs from deterrence theory and protection motivation theory, became the structural model used for partial least squares-structural equation modeling (PLS-SEM) analysis of the survey response data, which indicated that self-efficacy was statistically significant. The remaining model variables, perceived threat vulnerability, perceived threat severity, response efficacy, informal sanction certainty, informal sanction severity, formal sanction certainty, and formal sanction severity, were not statistically significant. A statistically significant self-efficacy result could indicate confidence among the population to comply with information security policies. The nonsignificant results could indicate the fear appeal treatment did not motivate a change in behavior or information security policy awareness bias was introduced by selecting information technology professionals. Social change in information security could be achieved by developing an effective information security policy compliance fear appeal communication, which could change information security compliance behavior and contribute to securing the nation's critical cyber infrastructure and protecting data.
|
3 |
Strong Intents Against Weak Links: Towards a Holistic Integration of Behavioral Information Security in Organizations with Strategic Intent
Koller, Teresa Marie; Ljung, Migle, January 2021
The human factor has been detected as the weakest link in the information security of organizations. Methods like training and awareness programs and the implementation of security policies have been developed, but they still seem to be less effective than desired. Authors have suggested integrating information security more holistically in organizations. In this study we discuss how strategic intent can influence an information security culture and improve information security behavior, thereby strengthening the weakest link. This thesis aims to develop a conceptual framework for organizations to integrate behavioral information security holistically with strategic intent. This thesis is based on a qualitative study with an abductive approach consisting of nine exploratory, semi-structured interviews. This way we could find today’s most prominent factors that might reinforce information security behavior in organizations and discuss the interrelations among those factors together with their potential facilitators and barriers. To improve behavioral InfoSec holistically in organizations, strategic intent and InfoSec culture are promising factors. All factors have clear interrelations, but also potential facilitators and barriers.
|
4 |
Factors impacting information security noncompliance when completing job tasks
Harrell, Martha Nanette, 26 November 2014
Work systems are comprised of the technical and social systems that should harmoniously work together to ensure a successful attainment of organizational goals and objectives. Information security controls are often designed to protect the information system and seldom consider the work system design. Using a positivist case study, this research examines the user's perception of having to choose between completing job tasks or remaining compliant with information security controls. An understanding of this phenomenon can help mitigate the risk associated with an information system security user's choice. Most previous research fails to consider the work system perspective on this issue. This study is based on the socio-technical system theory, the Leavitt Diamond Model (1965). Using this model as a lens to examine user information security behavior and perspectives, the Synergistic Security Model was developed. The research data indicated that the relationships between the structure, technology, task and people constructs can have an impact on user information security behavior. The research found that a change in the organization's information security policies, technology, or a change in employee processes for task completion can impact a user's information security choice. Some of the information security situations found in the research could be easily changed to lower the risk of a user's choice to circumvent information security. This change could be a technical configuration change, a purchase of a new technology or a change in a process to help impact a user's choice to circumvent information security controls.
The Synergistic Security Model can help researchers understand the relationships between the general constructs found in a work system and how those relationships can influence user behaviors. The research presented in the paper examines a triad relationship between each work system construct, consisting of: Structure-Technology-People; Structure-Task-People; Task-Technology-People; and Task-Technology-Structure. The findings indicate that the relationship between the constructs can have a significant impact on user information security behavior and therefore should be a consideration when designing an efficient and effective information security program.
|
5 |
Examining the Security Awareness, Information Privacy, and the Security Behaviors of Home Computer Users
Edwards, Keith, 01 January 2015
Attacks on computer systems continue to be a problem. The majority of the attacks target home computer users. To help mitigate the attacks, some companies provide security awareness training to their employees. However, not all people work for a company that provides security awareness training and typically, home computer users do not have the incentive to take security awareness training on their own. Research in security awareness and security behavior has produced conflicting results. Therefore, it is not clear how security aware home computer users are or to what extent security awareness affects the security behavior of home computer users. The goal of this study was to determine if there is a relationship between security awareness and users practicing good security behavior.
This study adapted its research model from the health belief model (HBM), which assesses a patient’s decision to perform health related activities. The research model included the HBM constructs of perceived severity, perceived susceptibility, perceived threat, perceived benefits, perceived barriers, cues to action, and self-efficacy. The research model also contained the security awareness (SA) and concern for information privacy (CFIP) constructs. The model used SA to ascertain the effect of security awareness on a person’s self-efficacy in information security (SEIS), perceived threat, CFIP, and security behavior. The research model included CFIP to ascertain its effect on security behavior.
The developed survey measured the participants' security awareness, concern for information privacy, self-efficacy, expectations of security actions, perceived security threats, cues to action, and security behavior. SurveyMonkey administered the survey. SurveyMonkey randomly selected 267 participants from its 30 million-member base.
The findings of this study indicate home computer users are security aware. SA does not have a direct effect on a user’s security behavior, perceived threat, or CFIP. However, it does have influence on SEIS. SEIS has a weak effect on expectations. CFIP has an effect on a user’s security behavior after removing perceived threat from the research model. Perceived susceptibility has a direct effect on a user’s security behavior, but perceived severity or perceived threat does not.
|
6 |
Empirical Assessment of Mobile Device Users’ Information Security Behavior towards Data Breach: Leveraging Protection Motivation Theory
Giwah, Anthony Duke, 01 January 2019
User information security behavior has been an area of growing demand in information systems (IS) research. Unfortunately, most of the previous research done in user information security behavior has been in broad contexts, therefore creating a gap in the literature of similar research that focuses on specific emerging technologies and trends. With the growing reliance on mobile devices to increase the flexibility, speed and efficiency in how we work, communicate, shop, seek information and entertain ourselves, it is obvious that these devices have become data warehouses and platforms for data in transit.
This study was an empirical and quantitative study that gathered data leveraging a web-survey. Prior to conducting the survey for the main data collection, a Delphi study and pilot study were conducted. Convenience sampling was the category of nonprobability sampling design used to gather data. The 7-Point Likert Scale was used on all survey items. Pre-analysis data screening was conducted prior to data analysis. The Partial Least Square Structural Equation Modeling (PLS-SEM) was used to analyze the data gathered from a total of 390 responses received.
The results of this study showed that perceived threat severity has a negative effect on protection motivation, while perceived threat susceptibility has a positive effect on protection motivation. Contrarily, the results from this study did not show that perceived response cost influences protection motivation. Response efficacy and mobile self-efficacy had a significant positive influence on protection motivation. Mobile device security usage showed to be significantly influenced positively by protection motivation. This study brings additional insight and theoretical implications to the existing literature. The findings reveal the PMT’s capacity to predict user behavior based on threat and coping appraisals within the context of mobile device security usage. Additionally, the extension of the PMT for the research model of this study implies that mobile devices users also can take recommended responses to protect their devices from security threats.
|
7 |
User Information Security Behavior in Professional Virtual Communities: A Technology Threat Avoidance Approach
Forrester, Vivienne, 01 January 2019
The popularization of professional virtual communities (PVCs) as a platform for people to share experiences and knowledge has produced a paradox of convenience versus security. The desire to communicate results in disclosure where users experience ongoing professional and social interaction. Excessive disclosure and unsecured user security behavior in PVCs increase users’ vulnerability to technology threats. Nefarious entities frequently use PVCs such as LinkedIn to launch digital attacks. Hence, users are faced with a gamut of technology threats that may cause harm to professional and personal lives. Few studies, however, have examined users’ information security behavior and their motivation to engage in technology threat avoidance behavior in a PVC.
This study tested a professional virtual community technology threat avoidance model empirically. The model was developed from the conceptualization of different aspects of the technology threat avoidance theory, social cognitive theory, and involvement theory through an integrated approach. This quantitative study employed a random sampling methodology. Prior to collecting data for the main study an expert panel review and a pilot study were conducted. A web-based survey designed with a 5-point Likert scale was distributed to 1285 LinkedIn members to gather self-reported data on users’ technology threat avoidance behavior. Confirmatory factor analysis (CFA) and structural equation modeling (SEM) were used to analyze the data gathered from 380 respondents.
The results of the data analysis revealed that perceived susceptibility, perceived severity, and information security knowledge sharing are strong predictors of avoidance motivation. Information security knowledge sharing had the most significant predicting effect on avoidance motivation in PVCs. Also, self-efficacy, group norms, and avoidance motivation all have a significant predicting effect on users’ information security avoidance behavior in PVCs. However, information security experience and safeguarding measure cost do not have a significant predicting effect on users’ information security avoidance motivation. This study makes significant contributions to the IS body of knowledge and has implications for practitioners and academics. This study offers a comprehensive model through the integration of behavioral and cognitive theories to better understand user information security behavior in PVCs. The model also identifies essential elements to motivate users to engage in technology threat avoidance behavior.
|
8 |
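Evaluating the Effectiveness of Information Security Training on the Information Security Behavior of Individuals and Organizations (original title: Tietoturvakoulutuksen vaikuttavuuden arviointi yksilön ja organisaation tietoturvakäyttäytymiseen)
Nykänen, K. (Kari), 02 November 2011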
Abstract
Information security is a key factor supporting companies' security and business requirements, and it is significantly affected by the information security behavior of the employees. Previous research has studied empirically which factors explain employees' compliance with information security policies and instructions. However, there are only a few empirical studies on the effectiveness of information security training on the information security behavior of employees. In particular, studies examining the effect of training on employees' cyberloafing (non-work related Internet use) behavior are few and far between. To address this gap in research, this thesis carries out an action research study aimed at improving employees' cyberloafing behavior in an organizational context. The results suggest that cyberloafing can be reduced by proper training.
Summary
Information security is a key factor in supporting a company's overall security and business needs, and it is very significantly affected by the information security behavior of personnel. Individuals' information security behavior and their compliance with information security policies and guidelines have been studied empirically on the basis of strong theoretical foundations. Research results have shown that individual behavior that deviates from norms and guidelines is strongly tied to personal habits, which are defended and explained with various reasons.
The effectiveness of information security training on the information security behavior of individuals and organizations has been studied empirically very little. There are only a few studies conducted in the context of non-work-related Internet use, and they have examined the motivation for use and the profiling of users. The effect of information security training on changing an individual's non-work-related Internet behavior has not previously been studied scientifically. This dissertation studies this topical problem, which is recognized by the international research community.
The study is carried out following an action research model in two phases, the second of which applies an experimental research method. In the first phase of the longitudinal study, the organization's information security behavior and activities are studied. On this basis, a training method is designed that aims to solve the key problems of the organization's information security activities and to improve individuals' information security awareness. In the second phase, the training method is developed and extended to the level of the organization's entire personnel, with the aim of changing individuals' non-work-related Internet behavior. The study applies neutralization theory, which is grounded in criminology, and habit theory from social psychology, which are used to explain individuals' non-work-related Internet behavior. The design of the information security training applies the psychology of learning, the socio-constructivist view of learning, and change management.
The research results provide new knowledge about what should be taken into account when designing an organization's information security training and how carefully designed training can be used to change individuals' non-work-related Internet behavior. The training aims to influence individuals' deeply rooted habits, behavior, and taking of responsibility for their own actions.
|