Hao Chen,Ying Li,Lirong Chen,Jin Yin

DOI: https://doi.org/10.1108/jeim-10-2019-0318

2020-01-01

Journal of Enterprise Information Management

Abstract:PurposeWhile the bring-your-own-device (BYOD) trend provides benefits for employees, it also poses security risks to organizations. This study explores whether and how employees decide to adopt BYOD practices when they encounter information security–related conflict.Design/methodology/approachUsing survey data from 235 employees of Chinese enterprises and applying partial least squares based structural equation modeling (PLS-SEM), we test a series of hypotheses.FindingsThe results suggest that information security–related conflict elicits information security fatigue among employees. As their information security fatigue increases, employees become less likely to adopt BYOD practices. In addition, information security–related conflict has an indirect effect on employee's BYOD adoption through the full mediation of information security fatigue.Practical implicationsThis study provides practical implications to adopt BYOD in the workplace through conflict management measures and emotion management strategies. Conflict management measures focused on the reducing of four facets of information security–related conflict, such as improve organization's privacy policies and help employees to build security habits. Emotion management strategies highlighted the solutions to reduce fatigue through easing conflict, such as involving employees in the development or update of information security policies to voice their demands of privacy and other rights.Originality/valueOur study extends knowledge by focusing on the barriers to employees' BYOD adoption when considering information security in the workplace. Specifically, this study takes a conflict perspective and builds a multi-faceted construct of information security–related conflict. Our study also extends information security behavior research by revealing an emotion-based mediation effect, that of information security fatigue, to explore the mechanism underlying the influence of information security–related conflict on employee behavior.

Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Kathleen Downer,Maumita Bhattacharya

DOI: https://doi.org/10.48550/arXiv.2202.11498

2022-02-23

Cryptography and Security

Abstract:The prevalence and maturity of Bring Your Own Device (BYOD) security along with subsequent frameworks and security mechanisms in Australian organisations is a growing phenomenon somewhat similar to other developed nations. During the COVID 19 pandemic, even organisations that were previously reluctant to embrace BYOD have been forced to accept it to facilitate remote work. The aim of this paper is to discover, through a study conducted using a survey questionnaire instrument, how employees practice and perceive the BYOD security mechanisms deployed by Australian businesses which can help guide the development of future BYOD security frameworks. Three research questions are answered by this study - What levels of awareness do Australian businesses have for BYOD security aspects? How are employees currently responding to the security mechanisms applied by their organisations for mobile devices? What are the potential weaknesses in businesses IT networks that have a direct effect on BYOD security? Overall, the aim of this research is to illuminate the findings of these research objectives so that they can be used as a basis for building new and strengthening existing BYOD security frameworks in order to enhance their effectiveness against an ever-growing list of attacks and threats targeting mobile devices in a virtually driven work force.

Ezer Osei Yeboah-Boateng,Francis Edmund Boaten

DOI: https://doi.org/10.48550/arXiv.1609.01821

2016-09-05

Cryptography and Security

Abstract:This study evaluates the cyber-risks to Business Information Assets posed by the adoption of Bring-Your-Own-Device (BYOD) to the workplace. BYOD is an emerging trend where employees bring and use personal computing devices on the companys network to access applications and sensitive data like emails, calendar and scheduling applications, documents, etc. Employees are captivated by BYOD because they can have access to private items as well as perform certain job functions while being unrestricted to their desks. This is however usually done on the blind side of management or the system administrator; a situation that tends to expose vital and sensitive corporate information to various threats like unwanted network traffic, unknown applications, malwares, and viruses. Expert opinions were elicited in this exploratory study. The study evaluated the characteristics of BYOD, assessed associated risks, threats and vulnerabilities. The findings indicate that little or no security measures were instituted to mitigate risks associated with BYOD. Though, profound benefits abound with BYOD adoption, they could be eroded by security threats and costs of mitigation in curing breaches. The most significant risk was found to be Data Loss which was in consonance with similar studies on Smartphone security risks. Some mitigation measures are then recommended.

Xue Yang,Wei T. Yue,Choon Lin Sia

DOI: https://doi.org/10.1007/978-3-642-29873-8_17

2012-01-01

Abstract:IS security policy is one of the essential tools to ensure the secure use of information systems and technological assets. To enhance the effectiveness of policy implementation, organizations rely on security training, education and awareness (STEA) programs to help employees understand the IS security issues of the organization. However, different levels of STEA informativeness may have conflicting effects on employees' compliance decisions. In addition, the urgency of a task may also lead employees to abandon the compliance decision occasionally. The existing corporate information security policy (ISP) could also serve as a deterrence message that would influence compliance decisions. An experimental survey was conducted to examine this phenomenon and test the related hypotheses. The results of this study can be used to inform and guide researchers and practitioners as to how to better enforce an IS security policy through better implementation of STEA programs and improved design of ISP in different task scenarios.

Joel Chigada,Naailah Daniels

DOI: https://doi.org/10.1177/02663821211036400

2021-08-11

Business Information Review

Abstract:This study explores information systems security implications posed by Bring Your Own Device concept in financial services firms. Thus, the findings and recommendations from this study will help financial services and other organisations to be cognisant of the importance of BYOD policy formulation. The use of BYOD has become prevalent in the workplace due to the increased dependence on the Internet and advancements in technologies. It is beneficial to the organisation in that employees buy, use and insure their own devices, thus, the organisation does not bear these costs. However, there is a huge cost to the company if the use and connection of BYODs to the company’s Information Technology infrastructure is not regulated and monitored. BYODs expose information and information systems assets to threat actors. Financial institutions handle very sensitive information, making them a target for data breach and the adoption of BYODs more hazardous. A qualitative research method was conducted with eight (8) purposefully selected participants working in the Risk, IT and Information Systems Security departments of the financial institution. Telephonic interviews were conducted in line with the national protocols of the global Corona Virus Disease-2019 (COVID-19) pandemic. The study revealed the absence of a BYOD policy and employees could use any number of personal devices without restrictions. Users were aware of information systems security policies and protocols because of the annual training and awareness programmes.

Melva Ratchford,Omar El-Gayar,Cherie Noteboom,Yong Wang

DOI: https://doi.org/10.1080/19393555.2021.1923873

2021-07-22

Information Security Journal: A Global Perspective

Abstract:Organizations are exposed to new security risks when they allow employees' personal mobile devices to access the network and the corporate data (a phenomenon called 'Bring Your Own Device' or BYOD). They are confronted with inherent security issues that need to be addressed in order to protect the organization and its information. What are the security issues and considerations associated with BYOD environments? With this in mind, the objective of this paper is to present a systematic literature review of scholarly literature (2010–2019) with respect to BYOD security, and to suggest a classification scheme that depicts a holistic approach to securing BYOD environments. The results of this review include the analysis of 38 scholarly articles, where 22 security issues were identified. Based on the proposed classification scheme, the analysis of the findings shows that 86% of the articles identified security issues and considerations associated with the IT domain, 51% identified security issues related to the Management domain, 45% related to the Users domain, and 19% related to the Mobile Device domain. The results also show that BYOD security issues corresponding to policies are among the most frequently addressed concerns, followed by network security, data protection, user's attitude/behavior and governance.

Yves Barlette,Annabelle Jaouen,Paméla Baillette

DOI: https://doi.org/10.1016/j.ijinfomgt.2020.102212

Abstract:The adoption of Bring Your Own Device (BYOD), initiated by employees, refers to the provision and use of personal mobile devices and applications for both private and business purposes. This bottom-up phenomenon, not initiated by managers, corresponds to a reversed IT adoption logic that simultaneously entails business opportunities and threats. Managers are thus confronted with this unchosen BYOD usage by employees and consequently adopt different coping strategies. This research aims to investigate the adaptation strategies embraced by managers to cope with the BYOD phenomenon. To this end, we operationalized the coping model of user adaptation (CMUA) in the organizational decision-making context to conduct a survey addressing 337 top managers. Our main results indicate that the impact of the CMUA constructs varies according to the period (pre- or post-implementation). The coping strategies differ between those who have already implemented measures to regulate BYOD usage and those who have not. We contribute to theory by integrating the perception of BYOD-related opportunities and threats and by shedding light on the decisional processes in the adoption of coping strategies. The managerial contributions of this research correspond to the improved protection of corporate information and the maximization of BYOD-related benefits.

Hai-Ning Liang,Charles Fleming,Ka Lok Man

DOI: https://doi.org/10.1007/s11042-019-7349-2

IF: 2.577

2019-01-01

Multimedia Tools and Applications

Abstract:This research examines the use of personal mobile devices at work and what factors affect people’s adoption of enhanced levels of security mechanisms for their devices. Mobile devices make the delineation between work and personal life less clear or even non-existent. Mobile devices, such as smartphones and tablets and in the foreseeable future together with smartwatches and smart glasses, will be inseparable to people, whether they be at work or outside. Alongside with their devices being brought into work environments, they will be used to carry out activities that are work related and very likely to host company-sensitive information within them. The mobile nature of the devices means they frequently operate in insecure environments, providing numerous opportunities for attackers to obtain critical information and use it for unwanted purposes. This can pose a dilemma for companies given that, on the one hand, they cannot stop their employees from using their personal devices for work-related activities and storing company-sensitive data and, on the other, attacks to steal data from devices are constantly growing in terms of sophistication, frequently, and effectiveness. In this research, we want to understand better the usage patterns of people bringing their devices to work and their predisposition to adopt secure mechanisms to protect the data found in their devices. We aim to find what factors impact the adoption of these mechanisms. The results indicate there are a number of factors that can predict their adoption, which are useful for designers of interfaces with security in mind and companies who would like to see their employees adopt more sophisticated and better methods to secure data located in these devices.

Zauwiyah Ahmad,Thian Song Ong,Yen Wen Gan,Tze Hui Liew,Mariati Norhashim

DOI: https://doi.org/10.3390/app12094198

2022-04-21

Applied Sciences

Abstract:Personal mobile devices form an integral part of business activities today. Mobile devices, nevertheless, pose various security issues and data privacy threats, which require a close attention. The rational choice theory was utilized to examine the determinants of employees’ security behavior in relation to mobile device usage. Employees were postulated to rationally evaluate the costs and benefits of mobile security measures and decide on the option that is perceived to provide the best expected outcome. Twelve out of thirteen hypotheses examined in this study were found to be significant. We also hypothesized that demographics and work-related variables significantly affect employees’ mobile security practices, examined using ordinal logistic regression analysis. The findings indicate the efficacy of the rational choice theory in explaining mobile security behavior. Security inconvenience has been found to be a significant cost to information security measures. Moreover, the findings also showed the influence of gender, job function, past security experience, and perceived risk on the dependent variable. In conclusion, we would like to draw considerable attention to the contribution of security awareness programs and security training to good mobile security behaviors.

Andre Sobers

DOI: https://doi.org/10.48550/arXiv.1512.03911

2015-12-12

Computers and Society

Abstract:Bring Your Own Device, also known under the term BOYD refers to the trend in employees bringing their personal mobile devices into organisations to use as a primary device for their daily work activities. With the rapid development in computing technology in smartphones and tablet computers and innovations in mobile software and applications, mobile devices are becoming ever more powerful tools for consumers to access information. Consumers are becoming more inseparable from their personal mobile devices and development in mobile technologies within the consumer space has led to the significance of Consumerization. Enterprises everywhere want to introduce BYOD strategies to improve mobility and productivity of their employees. However making the necessary organizational changes to adopt BYOD may require a shift away from centralized systems towards more open enterprise systems and this change can present challenges to enterprises in particular over security, control, technology and policy to the traditional IT model within organisations. This paper explores some of the present challenges and solutions in relation to mobile security, technology and policy that enterprise systems within organisations can encounter. This paper also reviews real-life studies where such changes were made in organisations aiming to implement BYOD. This paper proposes a mobile enterprise model that aims to address security concerns and the challenges of technology and policy change. This paper ends with looking ahead to the future of mobile enterprise systems.

Jimshith V. T,V. Mary Amala Bai

DOI: https://doi.org/10.1080/00051144.2024.2310458

IF: 1.79

2024-02-28

Automatika

Abstract:The widespread practice of Bring your own device (BYOD) to work significantly raises cybersecurity risks. All organization's employees and employers will greatly benefit from this trend. The growth of spyware, malware and other dubious downloads on individual devices has compelled the government to review its data security guidelines. Without user knowledge, hazardous apps are downloaded to personal devices. Both people and governments could suffer tragic consequences as a result of this. In this situation, BYODs are problematic since they can alter policies without permission and release private information. The main goal of the research was to detect fraudulent communications coming from BYOD environments. A network monitoring and managing information configuration settings of mobile devices in the network is established by providing policies and authenticating endpoint devices in the BYOD network using a mix of NAC and MDM. This framework deals with Security Manager (SaaS) as the second module is briefly described. The study's early results were positive and suggested that the framework would lessen access control-related issues.

automation & control systems,engineering, electrical & electronic

K. Downer,Maumita Bhattacharya

DOI: https://doi.org/10.48550/arXiv.1601.01230

2016-01-07

Abstract:Bring Your Own Device (BYOD) is a rapidly growing trend in businesses concerned with information technology. BYOD presents a unique list of security concerns for businesses implementing BYOD policies. Recent publications indicate a definite awareness of risks involved in incorporating BYOD into business, however it is still an underrated issue compared to other IT security concerns. This paper focuses on two key BYOD security issues: security challenges and available frameworks. A taxonomy specifically classifying BYOD security challenges is introduced alongside comprehensive frameworks and solutions which are also analysed to gauge their limitations.

Cryptography and Security,Networking and Internet Architecture

Han Li,X. Luo,Jie Zhang,R. Sarathy

2014-01-01

Abstract:Employees’ violation of Internet use policy exposes firms to increasing security risks from cyber-attacks. Extant studies on security policy compliance have largely ignored the role of dispositional and contextual factors in employees’ decision. Drawing on the literature in criminology, this paper extended the rational choice theory by integrating low self-control and two organizational context factors to have a fine-grained understanding of the decision making process involved in Internet use policy compliance. The results will help indicate whether employees’ compliance intention is influenced by the cost-benefit calculus adjusted by their low self-control disposition, procedural justice perception and organizational moral climate. Research results are expected to be presented at the conference.

Political Science

Tafheem Ahmad Wani,Antonette Mendoza,Kathleen Gray

DOI: https://doi.org/10.1016/j.ijmedinf.2024.105606

2024-08-30

Abstract:Background/objective: The use of personal devices for work purposes (Bring-your-own-device) has increased in hospitals, as it facilitates productivity and mobility for clinicians. However, owing to increased risk of leaking patient information, and heavy reliance of patient data privacy on user actions, BYOD is a major challenge for hospitals. There has been a dearth of empirical research studying clinicians' BYOD security behaviour. Therefore, the study's aim was to attain subjective understanding of clinicians' attitudes and preferences towards protecting patient data on their devices through a qualitative study. Methods: 14 semi-structured interviews were conducted among Australian hospital-based clinicians. A hybrid thematic analysis was conducted using the framework method to explore socio-technical themes pertaining to the clinicians' BYOD security behavioural practices. Results: Limited use of secure tools like antivirus and passcodes, and inadequate separation of patient and personal data on BYOD devices was found. Key technology concerns included malware introduction into hospital network, inadvertent patient data sharing, and slow remote access. Hospitals lacked dedicated BYOD policies and training, resulting in unsafe practices. Participants also cited misalignment of BYOD policies with workflow needs, privacy maintenance challenges and fears of personal data breaches, while calling for improved communication between technical and clinical staff and a strong cybersecurity culture. Conclusion: This study provides a comprehensive understanding of BYOD related user behaviour and the usefulness of security controls used in time-sensitive and complex hospital environments. It can inform future policies or processes by advocating for secure and productive BYOD use.

Han Li,X. Luo

2014-01-01

Abstract:Employees’ violation of Internet use policy exposes firms to increasing security risks from cyber-attacks. Extant studies on security policy compliance have largely ignored the role of dispositional and contextual factors in employees’ decision. Drawing on the literature in criminology, this paper extended the rational choice theory by integrating low self-control and two organizational context factors to have a fine-grained understanding of the decision making process involved in Internet use policy compliance. The results will help indicate whether employees’ compliance intention is influenced by the cost-benefit calculus adjusted by their low self-control disposition, procedural justice perception and organizational moral climate. Research results are expected to be presented at the conference.

Guangyu Zhou,Mengke Gou,Yiqun Gan,Ralf Schwarzer

DOI: https://doi.org/10.3389/fpsyg.2020.01066

IF: 3.8

2020-01-01

Frontiers in Psychology

Abstract:It is widely acknowledged that non-compliance with smartphone security behaviors is widespread and may cause severe harm to people and devices. In addition to device-based security issues, there are psychological factors involved in these behaviors such as self-efficacy, risk awareness, and social support. The present study examines associations of these three factors with smartphone security behaviors and explores possible mechanisms among these variables. In a longitudinal survey with 192 Chinese college students (73.4% women, mean age 24.46 years, SD = 5.15), self-efficacy, risk awareness, and social support were assessed with psychometric scales at two points in time, 2 weeks apart. Hierarchical regression analyses were performed with follow-up smartphone security behaviors as the dependent variable, controlling for baseline values and demographic and IT-related covariates. Main effects of self-efficacy, risk awareness, and social support on smartphone security behaviors were identified. Moreover, a triple interaction among the three predictors emerged in a synergistic way, indicating that their combination yielded more favorable levels of secure smartphone use. The total model accounted for 50% of the behavioral variance, with all covariates included, and the triple interaction among self-efficacy, risk awareness, and social support accounted for 2.3% of variance. Results document that psychological factors are involved in smartphone security behaviors beyond demographic and IT-related covariates. Interventions could be designed to improve smartphone security behaviors not only by developing privacy-enhancing technologies but also by considering psychological factors such as self-efficacy, risk awareness, and social support.

Ding Long Huang,Pei Luen Patrick Rau,Gavriel Salvendy,XiaoLi Shang,Ying Liu,Xia Wang

DOI: https://doi.org/10.1177/154193120805202002

2008-01-01

Abstract:Information security is of great concern to IT users, who may hesitate or refuse to adopt IT appliances because of worries about security problems. The objective of this study was to investigate the antecedences and consequences of people's perception of information security. This study included three phases. In phase 1, a six-factor structure modeling people's perception of information security was developed through a survey study and exploratory factor analysis. In phase 2, the relations between people's perception of information security and their intention to adopt IT appliances were tested through a laboratory experiment and path analysis. Significant effects were found and a path model was developed. In phase 3, the implications of people's perception of information security for mobile phone were discussed through focus group. Mobile users' perception of mobile security in seven scenarios was summarized. Three personas of mobile security were developed.

Ying Li,Ting Pan,Nan Zhang,Nan (Andy) Zhang

DOI: https://doi.org/10.1108/jeim-01-2019-0018

2019-09-23

Journal of Enterprise Information Management

Abstract:Purpose This paper is to investigate how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance. Design/methodology/approach Applying a hypothetical scenario-based survey method, the authors tested our proposed model in six typical ISPs violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least square-based structural equation model. Findings Findings indicated that continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISPs non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort. Practical implications The findings offer implications to practice by suggesting that organizations should design training programs to persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them opportunities to learn security knowledge and skills. Originality/value This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.

information science & library science,management

Yun Zhou,Lianyong Qi,Alexander Raake,Tao Xu,Marta Piekarska,Xuyun Zhang

DOI: https://doi.org/10.1002/cpe.4884

2019-01-01

Abstract:SummaryThe fine‐grained access control has been proved to be a reliable tool to ensure preserving of privacy of end users. In fog computing, one of the challenges is to understand users' attitudes and behaviors toward personalized control. However, few of studies have given a clear view on users' perception of the burden of interactivity when they set complex privacy settings. To this end, we conducted a user study including a lab study with 26 participants and an evaluation with 223 participants. From the lab study, we found that participants were satisfied with improved privacy settings but did not adapt well to complex personalized interfaces. We proposed effective methods to assist users to balance between the full control and the additional interaction burden, including sorting, recommendations, and establishing profiles. After this lab study, we organized a survey evaluation additionally to explore users' current usage of privacy features. Results from the evaluation showed that the principle reason that users failed to use privacy features was that they were not appropriately aware of these features. A key conclusion is that privacy settings should not only let users take over the control of smartphones but also inform them of the knowledge on privacy practices.