Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Kholekile L. Gwebu,Jing Wang

DOI: https://doi.org/10.1016/j.cose.2024.103891

IF: 5.105

2024-05-08

Computers & Security

Abstract:Data breaches have become a common occurrence with serious consequences, making organizational security management critically important. Nonetheless, the research community has not yet clearly defined the characteristics of a strong organizational security climate. This study conducts a comprehensive literature analysis to identify a collection of research-based and managerially relevant constructs that represent the essential components of a strong security climate. We operationalize the identified measures of the constructs and empirically validate them for reliability, construct validity, and nomological validity in terms of their relationships with employees' security awareness, neutralization, and intention to comply with organizational information security policies (ISPs). The results suggest that these integral elements, when embraced by organizations, discourage employees' use of neutralization to justify violation of ISPs and improve employees' security awareness and their ISP compliance intention. Organizations can use the identified subcomponents and their corresponding measures as a diagnostic decision support instrument to make a reliable and valid assessment of the strengths and weaknesses of their security climate, to continuously monitor their security climate, and to develop interventions that contribute to a strong security climate.

computer science, information systems

Xiaofeng Chen,Liqiang Chen,Dazhong Wu

DOI: https://doi.org/10.1080/08874417.2016.1258679

2016-12-27

Journal of Computer Information Systems

Abstract:Information security policy (ISP) plays an important role in information security management in organizations. Past research investigated various factors that may impact employee behavior toward security policy compliance from the perspective of general deterrence theory (GDT), protection and motivation Theory (PMT), and rational choice theory (RCT). However, there is no unifying foundation/framework that examines all of those factors in a harmonic way so that the research findings can guide information security practices and research into the employee ISP compliance management context. Additionally, prior findings provided mixed results. This study proposes a research model based on the awareness-motivation-capability (AMC) framework, aiming to unify the factors to predict employee ISP compliance intention. We believe that a harmonic approach in managing employee ISP compliance can create optimal outcomes.

computer science, information systems

Aristotle Onumo,Irfan Ullah-Awan,Andrea Cullen

DOI: https://doi.org/10.1145/3424282

2021-06-01

ACM Transactions on Management Information Systems

Abstract:The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Inho Hwang,Robin Wakefield,Sanghyun Kim,Taeha Kim

DOI: https://doi.org/10.1080/08874417.2019.1650676

2019-08-13

Journal of Computer Information Systems

Abstract:In this study, we use the attentional phase of social learning theory to link workplace security-related experiences and observations to employees' security awareness. The responses of 398 organizational employees serve to test our research model using structural equational modeling with AMOS 22.0. The results show security awareness arises from both explicit and subjective security experiences in the workplace. Our respondents indicate knowledge of a physical system has little, if any, effect on security awareness. However, security education, policy, visibility and managerial security participation are important for producing security awareness. Furthermore, managerial participation strengthens the links between organizational security efforts and security awareness. We discuss the implications of our study for future security compliance research and practice.

computer science, information systems

Nader Sohrabi Safa,Carsten Maple,Steve Furnell,Muhammad Ajmal Azad,Charith Perera,Mohammad Dabbagh,Mehdi Sookhak

DOI: https://doi.org/10.1016/j.future.2019.03.024

IF: 7.307

2019-08-01

Future Generation Computer Systems

Abstract:Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

Wenqin Li,Rongmin Liu,Linhui Sun,Zigu Guo,Jie Gao

DOI: https://doi.org/10.3390/ijerph192316038

IF: 4.614

2022-12-01

International Journal of Environmental Research and Public Health

Abstract:Employee security compliance behavior has become an important safeguard to protect the security of corporate information assets. Focusing on human factors, this paper discusses how to regulate and guide employees' compliance with information security systems through effective methods. Based on protection motivation theory (PMT), a model of employees' intention to comply with the information security system was constructed. A questionnaire survey was adopted to obtain 224 valid data points, and SPSS 26.0 was applied to verify the hypotheses underlying the research model. Then, based on the results of a regression analysis, fuzzy set qualitative comparative analysis (fsQCA) was used to explore the conditional configurations that affect employees' intention to comply with the information security system from a holistic perspective. The empirical results demonstrated that perceived severity, perceived vulnerability, response efficacy, and self-efficacy all positively influenced the employees' intention to comply with the information security system; while rewards and response costs had a negative effect. Threat appraisal had a greater effect on employees' intention to comply with the information security system compared to response appraisal. The fsQCA results showed that individual antecedent conditions are not necessary to influence employees' intention to comply with an information security system. Seven pathways exist that influence an employees' intention to comply with an information security system, with reward, self-efficacy, and response cost being the core conditions having the highest probability of occurring in each configuration of pathways, and with perceived severity and self-efficacy appearing in the core conditions of configurations with an original coverage greater than 40%. Theoretically, this study discusses the influence of the elements of PMT on employees' intention to comply with an information security system, reveals the mechanism of influence of the combination of the influencing factors on the outcome variables, and identifies the core factors and auxiliary factors in the condition configurations, providing a new broader perspective for the study of information security compliance behavior and providing some theoretical support for strengthening enterprise security management. Practically, targeted suggestions are proposed based on the research results, to increase the intention of enterprise employees to comply with information security systems, thereby improving the effectiveness of enterprise information security management and the degree of information security in enterprises.

public, environmental & occupational health,environmental sciences

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

Wilson Cheong Hin Hong,ChunYang Chi,Jia Liu,YunFeng Zhang,Vivian Ngan-Lin Lei,XiaoShu Xu

DOI: https://doi.org/10.1007/s10639-022-11121-5

2022-07-02

Education and Information Technologies

Abstract:A multitude of studies have suggested potential factors that influence internet security awareness (ISA). Some, for example, used GDP and nationality to explain different ISA levels in other countries but yielded inconsistent results. This study proposed an extended knowledge-attitude-behaviour (KAB) model, which postulates an influence of the education level of society at large is a moderator to the relationship between knowledge and attitude . Using exposure to a full-time working environment as a proxy for the influence, it was hypothesized that significant differences would be found in the attitude and behaviour dimensions across groups with different conditions of exposure and that exposure to full-time work plays a moderating role in KAB. To test the hypotheses, a large-scale survey adopting the Human Aspects of Information Security Questionnaire (HAIS-Q) was conducted with three groups of participants, namely 852 Year 1–3 students, 325 final-year students (age = 18–25) and 475 full-time employees (age = 18–50) in two cities of China. MANOVA and subsequent PROCESS regression analyses found a significant negative moderating effect of work exposure , which confirmed the proposed model. However, the effect was more pervasive than expected and moderation was found in the interaction between work exposure and all three ISA dimensions. The social influence does not only reshape the cybersecurity attitude of the highly educated, but also knowledge and behaviour . Findings contribute theoretically, methodologically and practically, offering novel perspectives on ISA research and prompting new strategies to respond to human factors.

education & educational research

Saif Hussein Abdallah Alghazo,Norshima Humaidi,Shereen Noranee

DOI: https://doi.org/10.22610/imbr.v15i1(i)si.3408

2023-05-11

Information Management and Business Review

Abstract:Cybersecurity threats are a serious issue faced by many organizations in this new information era. Therefore, security leaders play a significant role not only to ensure that all their employees are practicing good security behavior to protect organizational information assets but also to ensure that security technology has been installed properly to protect network infrastructure. This study aims to examine cybersecurity protective behavior (CPB) among employees in the organization and focus on the role of leadership competencies and information security countermeasure awareness. The questionnaires were distributed via email and self-administered, and the study managed to obtain 245 responses. Partial Least Squares-Structural Equation Modeling (PLS-SEM) analysis was used to analyze the final data. Confirmatory factor analysis (CFA) testing shows that all the measurement items of each construct were adequate in their validity individually based on their factor loading value. Moreover, each construct is valid based on its parameter estimates and statistical significance. The research findings show that Procedural Information Security Countermeasure (PCM) awareness strongly influences CPB compared to a leader's information security competencies (ISI). Meanwhile, ISI significantly influences PCM awareness. This study adapts the theory of leadership competencies in the context of cybersecurity, which is particularly beneficial to any industry in improving organizational information security strategic plans.

Van Dat Tran,Tuan Dat Nguyen

DOI: https://doi.org/10.1080/23311908.2022.2035530

2022-02-08

Cogent Psychology

Abstract:This study aimed to investigate the relationship between security, individuality, reputation on cognitive trust, perceived risk, consumer attitudes, and purchase intention of online shopping. This study extended the model of customers “online shopping intention, including from the positive impact of customer trust and the negative impact on customers” perceived risk on online sales businesses. The research method used to evaluate and test the scale and theoretical model in the study is quantitative research with sample size n = 358 through the survey to deliver questionnaires directly to subjects in Vietnam. Structural equation modeling (SEM) was employed for data analyses. The results showed that security, and reputation positively affect cognitive trust, whereas it negatively affects perceived risk. Additionally, privacy has a negatively influence cognitive trust and perceived risk. Besides, cognitive trust had a positive influence on attitudes towards online shopping, but perceived risks negatively affect attitudes towards online shopping. In addition, the attitude towards online shopping positively affected customers’ intention to purchase online. Finally, attitude as a mediator, we confirm that there exists an indirect relationship between cognitive trust, perceived risk and purchase intention, which make a considerable contribution to a better insight into consumer behavior on online shopping in Vietnam. This study gave enterprises owners’ recommendations which is understanding the nature of online transactions which are customers and enterprises interact and transact mainly through websites and interfaces, which needs to build trust and peace of mind for customers is definitely consider seriously. The results may be generalized to a limited extent.

Marten de Bruin,Konstantinos Mersinas

2024-05-29

Abstract:Cyber security incidents are increasing and humans play an important role in reducing their likelihood and impact. We identify a skewed focus towards technical aspects of cyber security in the literature, whereas factors influencing the secure behaviour of individuals require additional research. These factors span across both the individual level and the contextual level in which the people are situated. We analyse two datasets of a total of 37,075 records from a) self-reported security behaviours across the EU, and b) observed phishing-related behaviours from the industry security awareness training programmes. We identify that national culture, industry type, and organisational security culture play are influential Variables (antecedents) of individuals' security behaviour at contextual level. Whereas, demographics (age, gender, and level or urbanisation) and security-specific factors (security awareness, security knowledge, and prior experience with security incidents) are found to be influential variables of security behaviour at individual level. Our findings have implications for both research and practice as they fill a gap in the literature and provide concrete statistical evidence on the variables which influence security behaviour. Moreover, findings provides practical insights for organisations regarding the susceptibility of groups of people to insecure behaviour. Consequently, organisations can tailor their security training and awareness efforts (e.g., through behaviour change interventions and/or appropriate employee group profiles), adapt their communications (e.g., of information security policies), and customise their interventions according to national culture characteristics to improve security behaviour.

Cryptography and Security

Xue Yang,Wei T. Yue,Choon Lin Sia

DOI: https://doi.org/10.1007/978-3-642-29873-8_17

2012-01-01

Abstract:IS security policy is one of the essential tools to ensure the secure use of information systems and technological assets. To enhance the effectiveness of policy implementation, organizations rely on security training, education and awareness (STEA) programs to help employees understand the IS security issues of the organization. However, different levels of STEA informativeness may have conflicting effects on employees' compliance decisions. In addition, the urgency of a task may also lead employees to abandon the compliance decision occasionally. The existing corporate information security policy (ISP) could also serve as a deterrence message that would influence compliance decisions. An experimental survey was conducted to examine this phenomenon and test the related hypotheses. The results of this study can be used to inform and guide researchers and practitioners as to how to better enforce an IS security policy through better implementation of STEA programs and improved design of ISP in different task scenarios.

Ashraf Mady,Saurabh Gupta,Merrill Warkentin

DOI: https://doi.org/10.1111/isj.12424

IF: 7.767

2023-01-11

Information Systems Journal

Abstract:Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

information science & library science

Sulistio Sulistio

DOI: https://doi.org/10.33050/itee.v2i1.411

2023-10-30

Abstract:In an ever-evolving digital landscape, the imperative of robust cybersecurity measures to safeguard sensitive data, systems, and operations cannot be overstated. This research undertakes a comprehensive evaluation of the intricate factors that collectively contribute to cybersecurity effectiveness within organizational contexts. Employing the Partial Least Squares Structural Equation Modeling (PLS-SEM) methodology, this research dissect the complex relationships among pivotal constructs including Security Measures Effectiveness, Incident Response Capability, Vulnerability Management, User Training Impact, Security Policy Adherence, External Threat Mitigation, Data Protection Effectiveness, and System Resilience. Through data derived from surveys and meticulous assessments, our analysis utilizes PLS-SEM to quantitatively scrutinize how these constructs interconnect and impact the overarching goal of cybersecurity: the proactive prevention, swift detection, and effective mitigation of cyber threats. By elucidating the constructs with the most significant influence, our study not only enhances scholarly discourse but also empowers organizations to refine cybersecurity strategies, strengthen user training initiatives, and implement robust policies in alignment with the ever-adapting threat landscape. Ultimately, this research furnishes organizations with insights to bolster their cybersecurity defenses, fortify digital assets, and counteract the escalating sophistication of cyber threats.

Jiaqing Zhao,Yuxiang Hong,Wenqing Chen,Chouyong Chen

DOI: https://doi.org/10.1080/08874417.2024.2403571

2024-09-19

Journal of Computer Information Systems

Abstract:Combining cognitive and affective influences, as well as considering role-breadth constructs is critical to the study of employees' information security policy (ISP) compliance. This paper presents an improved model by integrating psychological capital (PsyCap), psychological ownership (PsyOwn), and the theory of planned behavior (TPB) based on the Conservation of Resources (COR) theory. A valid sample of 382 Chinese employees was used for model testing. The results imply that PsyCap is an important motivational antecedent to the cognitive decision-making processes theorized by the TPB. Also, PsyOwn moderates the effect of PsyCap on subjective norms, along with ISP compliance attitudes and behavioral intentions. Finally, theoretical contributions and managerial implications are addressed.

computer science, information systems

Thinh-Van Vu,Tan Vo-Thanh,Nguyen Phong Nguyen,Duy Van Nguyen,Hsinkuang Chi

DOI: https://doi.org/10.1016/j.ssci.2021.105527

Abstract:How do organizations and employees react to the COVID-19 pandemic? Can workplace safety management practices (WSPs) maintain employees' organizational citizenship behavior (OCB) in this time of global health crisis? Can employees' perceptions of the risk associated with COVID-19 and job insecurity mediate the WSPs-OCB relationship? Drawing upon social exchange and protection motivation theories, this research aims to answer such questions. Analyzing the survey data from 501 Vietnamese employees using SmartPLS software, we find that WSPs positively influence the OCB and negatively influence the perceived job insecurity. Furthermore, the perceived risk associated with COVID-19 positively affects perceived job insecurity and OCB. Unexpectedly, in the context of Vietnam, a developing country with a collectivist culture, WSPs increase the employees' perceived risk associated with COVID-19 instead of reducing their fear. Also, employees' perceptions of job insecurity are not statistically correlated with OCB. In addition, we reveal a partial mediating role of the perceived risk associated with COVID-19 in the WSPs-OCB relationship. This research highlights the power of WSPs as well as measures to psychologically reassure employees during the pandemics.

Jessica Janice Tang,Stavroula Leka,Nigel Hunt,Sara MacLennan

DOI: https://doi.org/10.1007/s00420-013-0890-9

2013-07-05

International Archives of Occupational and Environmental Health

Abstract:PurposeIt is widely acknowledged that teachers are at greater risk of work-related health problems. At the same time, employee perceptions of different dimensions of organizational climate can influence their attitudes, performance, and well-being at work. This study applied and extended a safety climate model in the context of the education sector in Hong Kong. Apart from safety considerations alone, the study included occupational health considerations and social capital and tested their relationships with occupational safety and health (OSH) outcomes.MethodsSeven hundred and four Hong Kong teachers completed a range of questionnaires exploring social capital, OSH climate, OSH knowledge, OSH performance (compliance and participation), general health, and self-rated health complaints and injuries. Structural equation modeling (SEM) was used to analyze the relationships between predictive and outcome variables.ResultsSEM analysis revealed a high level of goodness of fit, and the hypothesized model including social capital yielded a better fit than the original model. Social capital, OSH climate, and OSH performance were determinants of both positive and negative outcome variables. In addition, social capital not only significantly predicted general health directly, but also had a predictive effect on the OSH climate–behavior–outcome relationship.ConclusionsThis study makes a contribution to the workplace social capital and OSH climate literature by empirically assessing their relationship in the Chinese education sector.

public, environmental & occupational health

Ahmed Alkalbani,Hepu Deng,Booi Kam

DOI: https://doi.org/10.48550/arXiv.1606.00875

2016-05-28

Computers and Society

Abstract:The increase reliance on information systems has created unprecedented challenges for organizations to protect their critical information from different security threats that have direct consequences on the corporate liability, loss of credibility, and monetary damage. As a result, the security of information has become a top priority in many organizations. This study investigates the role of socio-organizational factors by drawing the insights from the organizational theory literature in the adoption of information security compliance in organizations. Based on the analysis of the survey data collected from 294 employees from different organizations, the study indicates management commitment, awareness and training, accountability, technology capability, technology compatibility, processes integration, and audit and monitoring have a significant positive impact on the adoption of information security compliance in organizations. The study contributes to the information security compliance research by exploring the criticality of socio-organizational factors at the organizational level for information security compliance.

Hung Trong Hoang

DOI: https://doi.org/10.1177/1839334921998873

2021-03-09

Australasian Marketing Journal

Abstract:By integrating social exchange and social identity theories, this article examines the mechanism through which employee perceived service climate enhances employee brand citizenship behavior (BCB). Specifically, we propose that this relationship is mediated by perceived brand image and moderated by employees’ power distance orientation. Using data from hotel employees in Vietnam, the findings show that service climate positively affects employee BCB. Furthermore, the mediating effect of perceived brand image and the negative moderating effect of employees’ power distance orientation on the linkage between service climate and employee BCB are found to be significant. This article enriches the existing knowledge by incorporating both social exchange and social identity perspectives in explaining an underexplored linkage between service climate and employee BCB. We suggest that hotel providers should put an emphasis on fostering a supportive service climate and should take into account the role of employee’s power distance orientation in promoting employee BCB.