Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Ding-Long Huang,Pei-Luen Patrick Rau,Gavriel Salvendy,Fei Gao,Jia Zhou

DOI: https://doi.org/10.1016/j.ijhcs.2011.07.007

IF: 4.866

2011-01-01

International Journal of Human-Computer Studies

Abstract:The gap between the perceived security of an information system and its real security level can influence people' decisions and behavior. The objective of this study is to find effective ways to adjust people's perception of information security, in order to enhance their intention to adopt IT appliances and compliance to security practices. Two separate experiments were conducted. In experiment I, 64 participants were asked to transfer money through an e-banking system. Their intention to adopt e-banking was measured by a questionnaire. In experiment II, 64 participants were asked to register on an online forum. Their subjective intention to create a strong password was measured by a questionnaire, and the objective strength of the passwords they created was calculated. Results of the ANOVA and the path models derived from the path analysis indicated that people's adoption intention, such as their intention to adopt e-banking, can be enhanced by changing their perceived Knowledge, Controllability and Awareness, while changing the perceived Controllability is most effective. The results also indicated that people's compliance to security practices, such as setting strong passwords for IT systems, can be enhanced by changing their perceived Knowledge, Severity and Possibility, while changing their perceived Knowledge and Severity is most effective. Implications for further research and practice were also discussed.

Richard Apaua,Harjinder Singh Lallie

DOI: https://doi.org/10.48550/arXiv.2201.03052

2022-01-10

Abstract:Mobile banking applications have gained popularity and have significantly revolutionised the banking industry. Despite the convenience offered by M-Banking Apps, users are often distrustful of the security of the applications due to an increasing trend of cyber security compromises, cyber-attacks, and data breaches. Considering the upsurge in cyber security vulnerabilities of M-Banking Apps and the paucity of research in this domain, this study was conducted to empirically measure user-perceived security of M-Banking Apps. A total of 315 responses from study participants were analysed using covariance-based structural equation modelling (CB-SEM). The results indicated that most constructs of the baseline Extended Unified Theory of Acceptance and Use of Technology (UTAUT2) structure were validated. Perceived security, institutional trust and technology trust were confirmed as factors that affect user's intention to adopt and use M-Banking Apps. However, perceived risk was not confirmed as a significant predictor. The current study further revealed that in the context of M-Banking Apps, the effects of security and trust are complex. The impact of perceived security and institutional trust on behavioural intention was moderated by age, gender, experience, income, and education, while perceived security on use behaviour was moderated by age, gender, and experience. The effect of technology trust on behavioural intention was moderated by age, education, and experience. Overall, the proposed conceptual model achieved acceptable fit and explained 79% of the variance in behavioural intention and 54.7% in use behaviour of M-Banking Apps, higher than that obtained in the original UTAUT2. The guarantee of enhanced security, advanced privacy mechanisms and trust should be considered paramount in future strategies aimed at promoting M-Banking Apps adoption and use.

Human-Computer Interaction,Cryptography and Security,Computers and Society

Ashraf Mady,Saurabh Gupta,Merrill Warkentin

DOI: https://doi.org/10.1111/isj.12424

IF: 7.767

2023-01-11

Information Systems Journal

Abstract:Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

information science & library science

B. Phillps,D. Kim,Young U. Ryu

DOI: https://doi.org/10.1109/NCS.2018.00014

2018-06-01

Abstract:Information risk is an increasing concern for researchers and practitioners. By utilizing Technology Threat Avoidance and Social Comparison Theory, we examine the role of perceived risk, perceived risk controllability and self-efficacy secure intention. Findings indicate that users optimistically biased in their risk perceptions and controllability compared with their social counterparts.

Psychology,Computer Science

Philip Menard,Gregory J. Bott,Robert E. Crossler

DOI: https://doi.org/10.1080/07421222.2017.1394083

IF: 7.582

2017-10-02

Journal of Management Information Systems

Abstract:Managers desiring to protect information systems must understand how to most effectively motivate users to engage in secure behaviors. Information security researchers have frequently studied individuals’ performance of secure behaviors in response to threats. Protection motivation theory (PMT) has been used to explain individuals’ propensity to engage in voluntary secure behaviors, but the adaptation of this theory has yielded inconsistent results. Motivation as a measurable construct, as derived from self-determination theory (SDT), has never been included in or compared against PMT. In this study, we construct security messages that appeal to individuals’ intrinsic motivation, rather than fear, as a way to elicit secure responses. Using three sets of respondents, we integrated the SDT and PMT models and compared the native models in the context of security behaviors. We demonstrate that by using data- and individual-focused appeals and providing choices for users, managers may observe greater intention to engage in secure behavior among employees.

information science & library science,management,computer science, information systems

Princely Ifinedo

DOI: https://doi.org/10.1080/08874417.2022.2065553

2022-04-20

Journal of Computer Information Systems

Abstract:Organizations whose employees participate in risky cybersecurity behaviors (RCySecB) could suffer disastrous consequences either directly or indirectly from actions linked to such behaviors. This study used conceptualizations facilitated by Attribution Theory to examine the effects of dispositional factors (self-control and knowledge of IS security threats/risks and their potential consequences) and situational factors (security, education, training, and awareness (SETA) programs and computer monitoring) in reducing employee participation in RCySecB. Data was collected from a survey of working professionals in India, and relevant hypotheses were formulated. The PLS technique was used for data analysis. This study investigated the direct effects of the factors on the dependent construct and analyzed the interacting effects of the constructs as well. The results indicate that all factors reduce employee participation in RCySecB. However, the joint effects of the situational factor elements and the dispositional factor of personal knowledge security threats/risks and their potential consequences were insignificant in the model.

computer science, information systems

Wilson Cheong Hin Hong,ChunYang Chi,Jia Liu,YunFeng Zhang,Vivian Ngan-Lin Lei,XiaoShu Xu

DOI: https://doi.org/10.1007/s10639-022-11121-5

2022-07-02

Education and Information Technologies

Abstract:A multitude of studies have suggested potential factors that influence internet security awareness (ISA). Some, for example, used GDP and nationality to explain different ISA levels in other countries but yielded inconsistent results. This study proposed an extended knowledge-attitude-behaviour (KAB) model, which postulates an influence of the education level of society at large is a moderator to the relationship between knowledge and attitude . Using exposure to a full-time working environment as a proxy for the influence, it was hypothesized that significant differences would be found in the attitude and behaviour dimensions across groups with different conditions of exposure and that exposure to full-time work plays a moderating role in KAB. To test the hypotheses, a large-scale survey adopting the Human Aspects of Information Security Questionnaire (HAIS-Q) was conducted with three groups of participants, namely 852 Year 1–3 students, 325 final-year students (age = 18–25) and 475 full-time employees (age = 18–50) in two cities of China. MANOVA and subsequent PROCESS regression analyses found a significant negative moderating effect of work exposure , which confirmed the proposed model. However, the effect was more pervasive than expected and moderation was found in the interaction between work exposure and all three ISA dimensions. The social influence does not only reshape the cybersecurity attitude of the highly educated, but also knowledge and behaviour . Findings contribute theoretically, methodologically and practically, offering novel perspectives on ISA research and prompting new strategies to respond to human factors.

education & educational research

Ding Long Huang,Pei Luen Patrick Rau,Gavriel Salvendy,XiaoLi Shang,Ying Liu,Xia Wang

DOI: https://doi.org/10.1177/154193120805202002

2008-01-01

Abstract:Information security is of great concern to IT users, who may hesitate or refuse to adopt IT appliances because of worries about security problems. The objective of this study was to investigate the antecedences and consequences of people's perception of information security. This study included three phases. In phase 1, a six-factor structure modeling people's perception of information security was developed through a survey study and exploratory factor analysis. In phase 2, the relations between people's perception of information security and their intention to adopt IT appliances were tested through a laboratory experiment and path analysis. Significant effects were found and a path model was developed. In phase 3, the implications of people's perception of information security for mobile phone were discussed through focus group. Mobile users' perception of mobile security in seven scenarios was summarized. Three personas of mobile security were developed.

Guangyu Zhou,Mengke Gou,Yiqun Gan,Ralf Schwarzer

DOI: https://doi.org/10.3389/fpsyg.2020.01066

IF: 3.8

2020-01-01

Frontiers in Psychology

Abstract:It is widely acknowledged that non-compliance with smartphone security behaviors is widespread and may cause severe harm to people and devices. In addition to device-based security issues, there are psychological factors involved in these behaviors such as self-efficacy, risk awareness, and social support. The present study examines associations of these three factors with smartphone security behaviors and explores possible mechanisms among these variables. In a longitudinal survey with 192 Chinese college students (73.4% women, mean age 24.46 years, SD = 5.15), self-efficacy, risk awareness, and social support were assessed with psychometric scales at two points in time, 2 weeks apart. Hierarchical regression analyses were performed with follow-up smartphone security behaviors as the dependent variable, controlling for baseline values and demographic and IT-related covariates. Main effects of self-efficacy, risk awareness, and social support on smartphone security behaviors were identified. Moreover, a triple interaction among the three predictors emerged in a synergistic way, indicating that their combination yielded more favorable levels of secure smartphone use. The total model accounted for 50% of the behavioral variance, with all covariates included, and the triple interaction among self-efficacy, risk awareness, and social support accounted for 2.3% of variance. Results document that psychological factors are involved in smartphone security behaviors beyond demographic and IT-related covariates. Interventions could be designed to improve smartphone security behaviors not only by developing privacy-enhancing technologies but also by considering psychological factors such as self-efficacy, risk awareness, and social support.

Saud A. Alsulaiman,Terry L. Rentner

DOI: https://doi.org/10.4081/jphr.2021.2273

2021-10-26

Journal of Public Health Research

Abstract:Background This study utilized the Health Belief Model to examine college students’ perceptions of the COVID-19 pandemic. It examined the extent to which the Health Belief Model and perceived threat are associated with the adoption of COVID-19 preventive measures among college students. Design and methods An online questionnaire was utilized and sent to a simple random sample of college students at a large Midwestern university in the United States between May and July of 2020. The number of undergraduate and graduate students who participated in this study was 1,723. Results The study found that the Health Belief Model and perceived threat are significantly associated with COVID-19 preventive measures. College students with higher Health Belief Model scores were more likely to adhere to COVID-19 preventive measures than those with lower scores. College students also reported high cues to action and low perceived barriers to most of the COVID-19 preventive measures. Conclusion Applying the Health Belief Model is crucial for health professionals and university administrators for developing effective communication messages for COVID-19 prevention and future health outbreaks.

Chen Yang,Tingting Liu,Lulu Zuo,Zhiyong Hao

DOI: https://doi.org/10.1109/ICSSSM.2019.8887825

2019-01-01

Abstract:Recently, several health care wearable devices which can intervene in health and collect personal health data have emerged in the medical market. Although health care wearable devices promote the integration of multi-layer medical resources and bring new ways of health applications for users, it is inevitable that some problems will be brought. This is mainly manifested in the safety protection of medical and health data and the protection of user' s privacy. From the users' point of view, the irrational use of medical and health data may bring psychological and physical negative effects to users. From the government's perspective, it may be sold by private businesses in the international arena and threaten national security. The most direct precaution against the problem is users' initiative. For better understanding, a research model is designed by the following five aspects: Security knowledge (SK), Security attitude (SAT), Security practice (SP), Security awareness (SAW) and Security conduct (SC). To verify the model, structural equation analysis which is an empirical approach was applied to examine the validity and all the results showed that SK, SAT, SP, SAW and SC are important factors affecting users' data security and privacy protection awareness.

Soumya Ray,Terence Ow,Sung S. Kim

DOI: https://doi.org/10.1111/j.1540-5915.2011.00316.x

2011-01-01

Decision Sciences

Abstract:Security researchers agree that security control is a difficult to observe credence quality of online services that Internet users cannot easily assess through research or experience. Yet there is evidence that users form perceptions of security control that strongly determine how much trust they put in online services. This study investigates whether users’ security control perceptions arise solely from their predispositions or whether online service providers can influence them. The study also examines whether these seemingly undependable perceptions of security control lead to trust or whether more traditional factors might offer a better explanation of trust under security risks. To address these issues, this study proposes a new theory of security assurance that integrates the frameworks of trust and quality signals. The results show that rather than being guided by predispositions, users appear to mainly assess security control based on indirect cues controlled by service providers. Importantly, Internet users do not treat the credence quality of security the same way they treat qualities that can be understood through search and experience. Although returning users develop security control perceptions and trust from the usual heuristics of ongoing relationships, they also continue to evaluate market information about service providers like they do in new relationships. The proposed model offers a new perspective of how users respond to the uncertain and technically challenging qualities prevalent in online services.

Tianyue Mi,Mengke Gou,Guangyu Zhou,Yiqun Gan,Ralf Schwarzer

DOI: https://doi.org/10.1016/j.cose.2020.101954

IF: 5.105

2020-01-01

Computers & Security

Abstract:Smartphone users are often said to be the weakest link in information security. They often install apps from unknown sources, connect to open WIFI in public places, and check and open dangerous email attachments on their phones. The current study aims to uncover psychological mechanisms that may be responsible for individual differences in smartphone security behavior, theoretically based on the health action process approach (HAPA). In a longitudinal survey, 192 students in the age range from 18 to 47 years (141 of them women) completed psychometric assessments at baseline and two weeks later. Intention, planning, action control, and smartphone security behaviors were measured along with socio-demographic information. The path analysis revealed that planning and action control mediated sequentially the relationship between intention and smartphone security behavior. The model accounted for 52.30% of the variance in smartphone security behavior. The result supported the theoretical assumptions of the HAPA, with a focus on the mediation by planning and action control. Interventions that focus on such factors might help improve compliance with recommendations for smartphone security behavior.

Puspita Kencana Sari,Putu Wuri Handayani,Achmad Nizar Hidayanto

DOI: https://doi.org/10.2196/49439

2023-08-24

Abstract:Background: The health information system (HIS) functions are getting wider with more diverse users. Information security in the health industry is crucial because it involves comprehensive and strategic information that might harm human life. The human factor is one of the biggest security threats to HIS. Objective: This study aims to investigate the information security behavior (ISB) of HIS users using a comprehensive assessment scale suited to the information security concerns in health care. Patients are increasingly being asked to submit their own data into HIS systems. As a result, this study examines the security behavior of health workers and patients, as well as their demographic variables. Methods: We used a quantitative approach using surveys of health workers and patients. We created a research instrument from 4 existing measurement scales to measure prosecurity and antisecurity behavior. We analyzed statistical differences to test the hypotheses, that is, the Kruskal-Wallis test and the Mann-Whitney test. The descriptive analysis was used to determine whether the group exhibited exemplary behavior when processing the survey results. A correlational test using the Spearman correlation coefficient was performed to establish the significance of the relationship between ISB and age as well as level of education. Results: We analyzed 421 responses from the survey. According to demographic factors, the hypotheses tested for full and partial security behavior reveal substantial differences. Education levels most significantly affect security behavior differences, followed by user type, gender, and age. The health workers' ISB is higher than that of the patients. Women are more likely than men to engage in prosecurity actions while avoiding antisecurity behaviors. The older the HIS user, the more likely it is that they will participate in prosecurity behavior and the less probable it is that they will engage in antisecurity behavior. According to this study, differences in prosecurity behavior are mostly impacted by education level. Higher education, on the other hand, does not guarantee improved ISB for HIS users. All demographic characteristics, particularly concerning user type, show discrepancies that are caused mainly by antisecurity behavior rather than prosecurity behavior. Conclusions: Since patients engage in antisecurity behavior more frequently than health workers and may pose security risks, health care facilities should start to consider information security education for patients. More comprehensive research on ISB in health care facilities is required to better understand the patient's perspective, which is currently understudied.

Nader Sohrabi Safa,Carsten Maple,Steve Furnell,Muhammad Ajmal Azad,Charith Perera,Mohammad Dabbagh,Mehdi Sookhak

DOI: https://doi.org/10.1016/j.future.2019.03.024

IF: 7.307

2019-08-01

Future Generation Computer Systems

Abstract:Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

Zhenya Tang,Andrew S Miller,Zhongyun Zhou,Merrill Warkentin,Andrew S. Miller

DOI: https://doi.org/10.1016/j.giq.2021.101572

IF: 8.49

2021-04-01

Government Information Quarterly

Abstract:Cybercriminals are taking advantage of the COVID-19 outbreak and offering COVID-19-related scams to unsuspecting people. Currently, there is a lack of studies that focus on protecting people from COVID-19-related cybercrimes. Drawing upon Cultivation Theory and Protection Motivation Theory, we develop a research model to examine the cultivation effect of government social media on peoples' information security behavior towards COVID-19 scams. We employ structural equation modeling to analyze 240 survey responses collected from social media followers of government accounts. Our results suggest that government social media account followers' participation influences their information security behavior through perceived severity, perceived vulnerability, self-efficacy, and response efficacy. Our study highlights the importance of government social media for information security management during crises.

information science & library science

Marten de Bruin,Konstantinos Mersinas

2024-05-29

Abstract:Cyber security incidents are increasing and humans play an important role in reducing their likelihood and impact. We identify a skewed focus towards technical aspects of cyber security in the literature, whereas factors influencing the secure behaviour of individuals require additional research. These factors span across both the individual level and the contextual level in which the people are situated. We analyse two datasets of a total of 37,075 records from a) self-reported security behaviours across the EU, and b) observed phishing-related behaviours from the industry security awareness training programmes. We identify that national culture, industry type, and organisational security culture play are influential Variables (antecedents) of individuals' security behaviour at contextual level. Whereas, demographics (age, gender, and level or urbanisation) and security-specific factors (security awareness, security knowledge, and prior experience with security incidents) are found to be influential variables of security behaviour at individual level. Our findings have implications for both research and practice as they fill a gap in the literature and provide concrete statistical evidence on the variables which influence security behaviour. Moreover, findings provides practical insights for organisations regarding the susceptibility of groups of people to insecure behaviour. Consequently, organisations can tailor their security training and awareness efforts (e.g., through behaviour change interventions and/or appropriate employee group profiles), adapt their communications (e.g., of information security policies), and customise their interventions according to national culture characteristics to improve security behaviour.

Cryptography and Security

Stacey R Kessler,Shani Pindek,Gary Kleinman,Stephanie A Andel,Paul E Spector

DOI: https://doi.org/10.1177/1460458219832048

2019-03-14

Health Informatics Journal

Abstract:Since 2009, over 176 million patients in the United States have been adversely impacted by data breaches affecting Health Insurance Portability and Accountability Act–covered institutions. While the popular press often attributes data breaches to external hackers, most breaches are the result of employee carelessness and/or failure to comply with information security policies and procedures. To change employee behavior, we borrow from the organizational climate literature and introduce the Information Security Climate Index, developed and validated using two pilot samples. In this study, four categories of healthcare professionals (certified nursing assistants, dentists, pharmacists, and physician assistants) were surveyed. Likert-type items were used to assess the Information Security Climate Index, information security motivation, and information security behaviors. Study results indicated that the Information Security Climate Index was related to better employee information security motivation and information security behaviors. In addition, there were observed differences between occupational groups with pharmacists reporting a more favorable climate and behaviors than physician assistants.

health care sciences & services,medical informatics

Zhengchuan Xu,Ken H. Guo

DOI: https://doi.org/10.1108/JEIM-10-2018-0229

2019-01-01

Journal of Enterprise Information Management

Abstract:Purpose Human factor is often cited as one of the biggest challenges for organizational information security management. The purpose of this paper is to investigate how and why employees fail to carry out required security tasks. Design/methodology/approach On the basis of coping theory, this paper develops a theoretical model to examine employee effortful security behavior (ESB). The model is tested with the data collected through a survey of computer users. Findings The results suggest that employee procrastination of security tasks and psychological detachment from security issues are two antecedents of ESB. Psychological detachment and procrastination are in turn influenced by perceived externalities of security risk and triage of business tasks over security issues by employees. Originality/value This paper contributes to the information systems security literature by providing a nuanced understanding of the antecedents and process of how employees cope with security task demands. It also offers some insights for practitioners in terms of the importance of designing and implementing security measures that are viewed as relevant to employees.