Ying Li,Nan Zhang,Mikko Siponen

DOI: https://doi.org/10.1080/0144929x.2018.1539519

2019-01-01

Abstract:Employees' violation of information security policies is a major threat to an organisation. Some violations such as using an easy-to-guess password or storing confidential data on personal unencrypted flash drives usually do not cause immediate harm; instead, these actions create security flaws that can be attacked in the future and cause delayed consequences. We call such behaviour consequence-delayed information security violation (CDISV). The ignorance or denial of the possible delayed consequences is the main reason employees engage in such insecure behaviour. Due to the delay between the action and the consequence, a long-term mindset could play an important role in employees' current decision-making. Specifically, in this study, we propose that long-term orientation is an influential factor in decreasing CDISV. The long-term orientation includes three dimensions: continuity, futurity, and perseverance. In addition, based on the stewardship theory and the needs theory, we further propose that value identification and the fulfilment of higher-order needs (trusted relationship and growth) are important drivers for employees to have a long-term orientation. We collected survey data using the 170 responses we received from a global company's employees. The empirical results support our arguments. Our findings provide implications to organisations to encourage employees' information security behaviours.

Ding-Long Huang,Pei-Luen Patrick Rau,Gavriel Salvendy,Fei Gao,Jia Zhou

DOI: https://doi.org/10.1016/j.ijhcs.2011.07.007

IF: 4.866

2011-01-01

International Journal of Human-Computer Studies

Abstract:The gap between the perceived security of an information system and its real security level can influence people' decisions and behavior. The objective of this study is to find effective ways to adjust people's perception of information security, in order to enhance their intention to adopt IT appliances and compliance to security practices. Two separate experiments were conducted. In experiment I, 64 participants were asked to transfer money through an e-banking system. Their intention to adopt e-banking was measured by a questionnaire. In experiment II, 64 participants were asked to register on an online forum. Their subjective intention to create a strong password was measured by a questionnaire, and the objective strength of the passwords they created was calculated. Results of the ANOVA and the path models derived from the path analysis indicated that people's adoption intention, such as their intention to adopt e-banking, can be enhanced by changing their perceived Knowledge, Controllability and Awareness, while changing the perceived Controllability is most effective. The results also indicated that people's compliance to security practices, such as setting strong passwords for IT systems, can be enhanced by changing their perceived Knowledge, Severity and Possibility, while changing their perceived Knowledge and Severity is most effective. Implications for further research and practice were also discussed.

Philip Menard,Gregory J. Bott,Robert E. Crossler

DOI: https://doi.org/10.1080/07421222.2017.1394083

IF: 7.582

2017-10-02

Journal of Management Information Systems

Abstract:Managers desiring to protect information systems must understand how to most effectively motivate users to engage in secure behaviors. Information security researchers have frequently studied individuals’ performance of secure behaviors in response to threats. Protection motivation theory (PMT) has been used to explain individuals’ propensity to engage in voluntary secure behaviors, but the adaptation of this theory has yielded inconsistent results. Motivation as a measurable construct, as derived from self-determination theory (SDT), has never been included in or compared against PMT. In this study, we construct security messages that appeal to individuals’ intrinsic motivation, rather than fear, as a way to elicit secure responses. Using three sets of respondents, we integrated the SDT and PMT models and compared the native models in the context of security behaviors. We demonstrate that by using data- and individual-focused appeals and providing choices for users, managers may observe greater intention to engage in secure behavior among employees.

information science & library science,management,computer science, information systems

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Marten de Bruin,Konstantinos Mersinas

2024-05-29

Abstract:Cyber security incidents are increasing and humans play an important role in reducing their likelihood and impact. We identify a skewed focus towards technical aspects of cyber security in the literature, whereas factors influencing the secure behaviour of individuals require additional research. These factors span across both the individual level and the contextual level in which the people are situated. We analyse two datasets of a total of 37,075 records from a) self-reported security behaviours across the EU, and b) observed phishing-related behaviours from the industry security awareness training programmes. We identify that national culture, industry type, and organisational security culture play are influential Variables (antecedents) of individuals' security behaviour at contextual level. Whereas, demographics (age, gender, and level or urbanisation) and security-specific factors (security awareness, security knowledge, and prior experience with security incidents) are found to be influential variables of security behaviour at individual level. Our findings have implications for both research and practice as they fill a gap in the literature and provide concrete statistical evidence on the variables which influence security behaviour. Moreover, findings provides practical insights for organisations regarding the susceptibility of groups of people to insecure behaviour. Consequently, organisations can tailor their security training and awareness efforts (e.g., through behaviour change interventions and/or appropriate employee group profiles), adapt their communications (e.g., of information security policies), and customise their interventions according to national culture characteristics to improve security behaviour.

Cryptography and Security

Ying Li,Ting Pan,Nan Zhang,Nan (Andy) Zhang

DOI: https://doi.org/10.1108/jeim-01-2019-0018

2019-09-23

Journal of Enterprise Information Management

Abstract:Purpose This paper is to investigate how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance. Design/methodology/approach Applying a hypothetical scenario-based survey method, the authors tested our proposed model in six typical ISPs violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least square-based structural equation model. Findings Findings indicated that continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISPs non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort. Practical implications The findings offer implications to practice by suggesting that organizations should design training programs to persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them opportunities to learn security knowledge and skills. Originality/value This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.

information science & library science,management

John D'Arcy,Paul Benjamin Lowry

DOI: https://doi.org/10.1111/isj.12173

IF: 7.767

2017-11-08

Information Systems Journal

Abstract:We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state‐based affective constructs, namely, positive and negative mood states and episodic, security‐related work‐impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day‐to‐day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience‐sampling methodology design, in which employees completed daily surveys over a 2‐week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason‐based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

information science & library science

Andrea Ceschi,Matilde Dusi,Michela Ferrara,Francesco Tommasi,Riccardo Sartori

DOI: https://doi.org/10.1108/ijoa-02-2024-4251

2024-08-02

International Journal of Organizational Analysis

Abstract:Purpose The way in which managers differ when confronted with risky options or when evaluating different alternatives constitutes a fundamental part of organizational risk management. This study aims to investigate how managerial risk-taking attitudes (i.e. ethical and financial risk-taking as a trade-off between benefit and riskiness) change over time and based on gender. Design/methodology/approach The authors conducted a cross-sectional study on a sample of Italian executives and measured their perceptions of risk-taking, risk perception and risk-benefit, all referring to the company they worked for in the ethical and financial domain. The study also collected demographic data to gather information on age and gender. The authors analyzed data collected using multilevel analysis. Findings The results show that perceived benefits are the main drivers of risk-taking attitudes in both domains. Age and gender are not significant direct predictors of risk, but interactions with domains reveal insightful patterns. Originality/value Overall, this study highlights the need to assess the whole pattern of relationships emerging from the range of situational variables characterizing a specific population. Concerning the organizational context, it means addressing the role of organizational variables in influencing risk-taking so as to determine the extent to which organizational policies are indeed effective in fostering efficient organizational risk management.

Jaeung Lee,Jingguo Wang,Melchor C. de Guzman,Manish Gupta,H. Raghav Rao

DOI: https://doi.org/10.1109/tts.2024.3418621

2024-01-01

IEEE Transactions on Technology and Society

Abstract:Employees’ extra-role security behaviors can help organizations reduce safety and security threats in their operational environment and protect organizational assets. What antecedents can foster employees’ engagement in such behaviors is an important question. In this study, we consider such extra-role security behaviors as protective behaviors that are driven by employees’ motivation to protect organizational digital assets. This study draws upon Protection Motivation Theory (PMT) and suggests that employees’ threat appraisal and security self-efficacy are key to such extra-role security behaviors. Also, the study opens the black box of threat appraisal using Routine Activity Theory (RAT), proposing that employees’ appraisal of the threat of data breach is from an understanding of routine activities within their organization. The research model is developed based on the above and test the model with employees working in financial organizations. The analyses show that both perceived threat of data breaches and perceived security efficacy increase employees’ engagement in extra-role behaviors. Further, security efficacy reinforces the effect of the threat of data breaches on extra-role behavior. Finally, the suitability of data as well as, interestingly, the presence of guardianship, increases the perceived threat of data breach.

Jonas Hielscher,Simon Parkin

2024-04-29

Abstract:Security awareness campaigns in organizations now collectively cost billions of dollars annually. There is increasing focus on ensuring certain security behaviors among employees. On the surface, this would imply a user-centered view of security in organizations. Despite this, the basis of what security awareness managers do and what decides this are unclear. We conducted n=15 semi-structured interviews with full-time security awareness managers, with experience across various national and international companies in European countries, with thousands of employees. Through thematic analysis, we identify that success in awareness management is fragile while having the potential to improve; there are a range of restrictions, and mismatched drivers and goals for security awareness, affecting how it is structured, delivered, measured, and improved. We find that security awareness as a practice is underspecified, and split between messaging around secure behaviors and connecting to employees, with a lack of recognition for the measures that awareness managers regard as important. We discuss ways forward, including alternative indicators of success, and security usability advocacy for employees.

Cryptography and Security

Dustin Ormond,Merrill Warkentin,Robert E. Crossler,,,

DOI: https://doi.org/10.17705/1jais.00586

2019-01-01

Journal of the Association for Information Systems

Abstract:Information systems security behavioral research has primarily focused on individual <em>cognitive processes</em> and their impact on information security policy noncompliance. However, <em>affective processes</em> (operationalized by affective absorption and affective flow) may also significantly contribute to misuse or information security policy noncompliance. Our research study evaluated the impact of affective absorption (i.e., the trait or disposition to allow one's emotions to drive decision-making) and affective flow (i.e., a state of immersion with one's emotions) on cognitive processes in the context of attitude toward and compliance with information security policies. Our conceptual model was evaluated using a laboratory research design. We found that individuals who were frustrated by work-related tasks experienced negative affective flow and violated information security policies. Furthermore, perceptions of organizational injustice increased negative affective flow. Our findings underscore the need for understanding affective processes as well as cognitive processes which may lead to a more holistic understanding regarding information security policy compliance.

information science & library science,computer science, information systems

Zhengchuan Xu,Ken H. Guo

DOI: https://doi.org/10.1108/JEIM-10-2018-0229

2019-01-01

Journal of Enterprise Information Management

Abstract:Purpose Human factor is often cited as one of the biggest challenges for organizational information security management. The purpose of this paper is to investigate how and why employees fail to carry out required security tasks. Design/methodology/approach On the basis of coping theory, this paper develops a theoretical model to examine employee effortful security behavior (ESB). The model is tested with the data collected through a survey of computer users. Findings The results suggest that employee procrastination of security tasks and psychological detachment from security issues are two antecedents of ESB. Psychological detachment and procrastination are in turn influenced by perceived externalities of security risk and triage of business tasks over security issues by employees. Originality/value This paper contributes to the information systems security literature by providing a nuanced understanding of the antecedents and process of how employees cope with security task demands. It also offers some insights for practitioners in terms of the importance of designing and implementing security measures that are viewed as relevant to employees.

Jingguo Wang,Zhe Shan,Manish Gupta,H. Raghav Rao

DOI: https://doi.org/10.25300/misq/2019/14751

IF: 7.3

2019-01-01

MIS Quarterly

Abstract:This study investigates employee behavior of unauthorized access attempts on information systems (IS) applications in a financial institution and examines how opportunity contexts facilitate such behavior. By contextualizing multilevel criminal opportunity theory, we develop a model that considers both employee- and department-level opportunity contexts. At the employee level, we hypothesize that the scope and data value of the applications that an employee has legitimately accessed, together with the time when and location where the employee initiates access, affect the likelihood of the employee making unauthorized access attempts. At the department level, we hypothesize that department size moderates the impact of employee-level contextual variables on the likelihood of an employee making unauthorized attempts. To test these hypotheses, we collected six months of access log data from an enterprise single sign-on system of a financial institution. We find the hypothesized main effects of all employee-level contextual variables and department size are supported. In addition, department size reinforces the effects of data value, off-hour access, off-site access, and their interaction term, except for that of scope, on the outcome variable. Robustness analyses indicate that the proposed model does not align with those employees who might not know the systems well enough or who might make honest mistakes. We also discuss the theoretical and practical implications of the study.

Amilson de Araujo Durans,Emerson Wagner Mainardes

DOI: https://doi.org/10.1108/ijbm-04-2024-0243

2024-09-21

The International Journal of Bank Marketing

Abstract:Purpose This study assesses whether the strategic orientation of financial institutions to provide value to customers influences the dimensions of personal data privacy perceived by consumers of banking services. We also analysed whether these dimensions directly influence the value in use and, indirectly, the reputation of financial institutions. Design/methodology/approach Based on the literature, a model was developed to verify the proposed relationships. To test the model, we collected data via an online questionnaire from 2,422 banking customers, with analysis using structural equation modelling with partial least squares estimation. Findings The results suggest that strategic value orientation tends to have a direct positive influence on the constructs knowledge, control, willingness to value privacy and trust in sharing personal information and a direct negative influence on the personal data privacy experience. Three dimensions of personal data privacy (knowledge, willingness to value privacy and trust in sharing personal information) tend to have a direct positive influence on value in use. The results showed that the dimensions of personal data privacy experience and control had a significant and negative impact on the value in use construct. Another finding is the positive influence of value in use on organizational reputation. Investing in strategic value orientation can generate consumer perceptions of personal data privacy, which is reflected in the value in use and reputation of banks. Originality/value This study is theoretically original because it brings up the organizational reputation of financial institutions based on the strategic orientation to offer value to customers, personal data privacy and the value in use of banking services. The study of these relationships is unprecedented in the literature.

business

Princely Ifinedo

DOI: https://doi.org/10.1080/08874417.2022.2065553

2022-04-20

Journal of Computer Information Systems

Abstract:Organizations whose employees participate in risky cybersecurity behaviors (RCySecB) could suffer disastrous consequences either directly or indirectly from actions linked to such behaviors. This study used conceptualizations facilitated by Attribution Theory to examine the effects of dispositional factors (self-control and knowledge of IS security threats/risks and their potential consequences) and situational factors (security, education, training, and awareness (SETA) programs and computer monitoring) in reducing employee participation in RCySecB. Data was collected from a survey of working professionals in India, and relevant hypotheses were formulated. The PLS technique was used for data analysis. This study investigated the direct effects of the factors on the dependent construct and analyzed the interacting effects of the constructs as well. The results indicate that all factors reduce employee participation in RCySecB. However, the joint effects of the situational factor elements and the dispositional factor of personal knowledge security threats/risks and their potential consequences were insignificant in the model.

computer science, information systems

Alaa Nehme,Meng (Leah) Li,Merrill Warkentin

DOI: https://doi.org/10.1016/j.cose.2024.103941

IF: 5.105

2024-06-08

Computers & Security

Abstract:Robust password management is crucial for users' information security. The use of password manager technology, which constitutes adaptive coping, is the dominant method for robust password management. Nonetheless, many users engage in maladaptive coping, adopting poor password management behaviors, such as using easy-to-remember passwords and using the same password across multiple accounts. Against this backdrop, this paper considers both adaptive and maladaptive coping factors for studying password manager use. As such, we incorporate the adaptive coping factor of password manager trustworthiness and the maladaptive coping factor of password mismanagement convenience into a research model that draws upon Hope-extended Protection Motivation Theory. We tested our model with a survey of US users. Our main findings indicate that password manager trustworthiness drives users' appraised coping potential and that password mismanagement convenience has a context-specific (i.e., specific to the password manager use context) intricacy in how it reduces password manager use. Our theoretical contributions include expanding the range of Protection Motivation Theory's input sources, expanding the range of the studied context-specific factors in the password manager use context, and unveiling the uniqueness of the password manager context. This work also informs practice, especially with respect to how messages that aim to promote password manager use may be designed.

computer science, information systems

Adam J. Aviv,Ravi Kuber

DOI: https://doi.org/10.48550/arXiv.1801.07518

2018-01-23

Cryptography and Security

Abstract:In this study, we examine the ways in which user attitudes towards privacy and security relating to mobile devices and the data stored thereon may impact the strength of unlock authentication, focusing on Android's graphical unlock patterns. We conducted an online study with Amazon Mechanical Turk ($N=750$) using self-reported unlock authentication choices, as well as Likert scale agreement/disagreement responses to a set of seven privacy/security prompts. We then analyzed the responses in multiple dimensions, including a straight average of the Likert responses as well as using Principle Component Analysis to expose latent factors. We found that responses to two of the seven questions proved relevant and significant. These two questions considered attitudes towards general concern for data stored on mobile devices, and attitudes towards concerns for unauthorized access by known actors. Unfortunately, larger conclusions cannot be drawn on the efficacy of the broader set of questions for exposing connections between unlock authentication strength (Pearson Rank $r=-0.08$, $p<0.1$). However, both of our factor solutions exposed differences in responses for demographics groups, including age, gender, and residence type. The findings of this study suggests that there is likely a link between perceptions of privacy/security on mobile devices and the perceived threats therein, but more research is needed, particularly on developing better survey and measurement techniques of privacy/security attitudes that relate to mobile devices specifically.

Charlette Donalds,Kweku-Muata Osei-Bryson

DOI: https://doi.org/10.1016/j.ijinfomgt.2019.102056

IF: 18.958

2020-04-01

International Journal of Information Management

Abstract:Recent information and cybersecurity research have focused on improving individuals' security compliance behavior. However, improved security performance remains a challenge since individuals often fail to comply with security best practices. In this study, we investigate a new individual cybersecurity compliance behavior model proposed by Donalds and Osei-Bryson (2017). Specifically, we investigate the influence of individual decision styles on their cybersecurity compliance behavior and other antecedents of such behavior. To empirically validate the hypotheses in the Donalds &amp; Osei-Bryson model, we used data collected from 248 individuals and then use multiple regression to examine the assertions of the model. Our findings confirm that individual's decision styles, specifically, dominant orientation and dominant decision style, influence their individual cybersecurity compliance behavior and other antecedents of such behavior. Our research offers new dimensions for investigating individual cybersecurity compliance behavior and new insights into factors that may influence individual's cybersecurity compliance behavior.

DOI: https://doi.org/10.1108/hrmid-05-2023-0096

2023-06-15

Human Resource Management International Digest

Abstract:Purpose This paper aims to review the latest management developments across the globe and pinpoint practical implications from cutting-edge research and case studies. Design/methodology/approach This briefing is prepared by an independent writer who adds their own impartial comments and places the articles in context. Findings European researchers have investigated the influence of positive change orientation on perceived change uncertainty and behavioral change support at two large IT companies. The results of the study of employees and supervisors indicate that self-change efficacy and attitudes towards change partially mediate the negative relationship between perceived change uncertainty and behavioral change support. Originality/value The briefing saves busy executives, strategists and researchers hours of reading time by selecting only the very best, most pertinent information and presenting it in a condensed and easy-to-digest format.

Eryn Ma,Summer Hasama,Eshaan Lumba,Eleanor Birrell

DOI: https://doi.org/10.48550/arXiv.2201.01350

2022-01-04

Cryptography and Security

Abstract:User-chosen passwords remain essential to online security, and yet people continue to choose weak, insecure passwords. In this work, we investigate whether prospect theory, a behavioral model of how people evaluate risk, can provide insights into how users choose passwords and whether it can motivate new designs for password selection mechanisms that will nudge users to select stronger passwords. We ran a user study with 762 participants, and we found that an intervention guided by prospect theory -- which leverages the reference-dependence effect by framing selecting weak passwords as a loss relative to choosing a stronger password -- causes approximately 25% of users to improve the strength of their password (significantly more than alternative interventions) and reduced the final number of weak passwords by approximately 25%. We also evaluate the relation between user behavior and users' mental models of hacking and password attacks. These results provide guidance for designing and implementing account registration mechanisms that will significantly improve the strength of user-selected passwords, thereby leveraging insights from prospect theory to improve the security of systems that use password-based authentication.