CONTROL, PERCEIVED RISK, AND INFORMATION SECURITY PRECAUTIONS: EXTERNAL AND INTERNAL MOTIVATIONS FOR SECURITY BEHAVIOR

Computer security has become increasingly important to organizations as the number of security incidents skyrockets. While many technical means are used to secure corporate systems, individual employees remain the last line and frequently the weakest link in organizational defenses. When individuals choose to disregard security policies and procedures meant to protect the organization, they leave the organization at risk. How, then, can organizations motivate their employees to follow security guidelines? Using organizational control and the fear of crime as the lens, we build a model to examine this research question.
The research model examines the relationships among the elements of control (specification, evaluation, and reward), risk elements and risk antecedents (direct experience, indirect experience, and risk), and precautions that can be taken at the individual level, which are typically motivated by organizational policies and procedures. The model also introduces the concept of mandatoriness, which is generally not specifically highlighted in the extant literature.
The specific hypotheses are developed and tested using a field survey. An organization was identified for data collection and 1,738 total responses were collected from a population of approximately 3,500. The model was tested using PLS analysis after examination of the data, scale reliability, and item validity.
The results from the analysis suggest that the acts of specifying a policy and evaluating behaviors are effective in convincing individuals that security policies and procedures are mandatory. The perception of mandatoriness, in turn, is effective in motivating individuals to take security precautions. Likewise, both direct and indirect experience have a significant positive effect on perceptions of risk, but risk perceptions do not have any effect on the level of precautions taken by individuals.
The findings highlight the need for management to clearly specify computer security policies and procedures and to evaluate individual employee compliance with those policies. The findings also indicate that the perceived impact of specific scenarios is more likely to affect individual precaution-taking behaviors than statistics indicating the likelihood that they will be affected. Additionally, managers need to address the problems of apathy as it relates to security and bolster individuals' efficacy as it relates to computers.

Identifier: oai:union.ndltd.org:PITT/oai:PITTETD:etd-07242007-151755
Date: 07 September 2007
Creators: Boss, Scott Russel
Contributors: Peter H. Gray, Irene H. Frieze, Brian S. Butler, Jacob G. Birnberg, Laurie J. Kirsch
Publisher: University of Pittsburgh
Source Sets: University of Pittsburgh
Language: English
Detected Language: English
Type: text
Format: application/pdf
Source: http://etd.library.pitt.edu/ETD/available/etd-07242007-151755/
Rights: unrestricted, I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to University of Pittsburgh or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report.