Hwee-Joo Kam,Dan J. Kim,Wu He

DOI: https://doi.org/10.1080/0144929X.2021.1917659

2021-04-26

Behaviour and Information Technology

Abstract:The United States higher education is facing a unique challenge in information security management due to its distinctive characteristics, such as decentralised structure, academic freedom, and shared governance. These characteristics sharply distinguish higher education from traditional corporations. Gradually, this is beginning to pose a challenge for higher education institutions to adopt the appropriate information technology governance framework, which, for traditional corporations, mostly addresses security governance and leadership in a top-down manner. To address this issue, we examine the effect of perceived information security management approaches on perceived security practices. Our results show that the perceived flexible-oriented approach of information security management is more effective to use in implementing security controls in high education institutions. This seems to contradict most of the findings in the literature that suggest that a control-oriented approach is more effective in enforcing information security policies. Research contributions and implications are discussed, accordingly.

ergonomics,computer science, cybernetics

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

Kholekile L. Gwebu,Jing Wang,Michael Y. Hu

DOI: https://doi.org/10.1111/isj.12257

2020-01-01

Abstract:Despite the significant advancements made in understanding the factors that drive employees' compliance and noncompliance behaviours with information security policy (ISP), less is known about how different factors interact to impact such behaviours. Having been drawn on the social information processing theory, this research develops an integrative model that investigates how ethical work climate, beliefs, and neutralization interact to jointly explain ISP noncompliance. The model is tested via a survey of a broad cross section of employees. Neutralization, perceived cost of compliance, and perceived cost of noncompliance are found to significantly impact ISP noncompliance. Egoistic, benevolent, and principled climates are found to differentially influence neutralization and individuals' cognitive beliefs about the cost and benefit of ISP compliance versus noncompliance. Neutralization appears to be a more important moderator of the belief‐noncompliance relationship than the principled climate.

Rao Faizan Ali,P. D. D. Dominic,Syed Emad Azhar Ali,Mobashar Rehman,Abid Sohail

DOI: https://doi.org/10.3390/app11083383

2021-04-09

Applied Sciences

Abstract:A grave concern to an organization’s information security is employees’ behavior when they do not value information security policy compliance (ISPC). Most ISPC studies evaluate compliance and noncompliance behaviors separately. However, the literature lacks a comprehensive understanding of the factors that transform the employees’ behavior from noncompliance to compliance. Therefore, we conducted a systematic literature review (SLR), highlighting the studies done concerning information security behavior (ISB) towards ISPC in multiple settings: research frameworks, research designs, and research methodologies over the last decade. We found that ISPC research focused more on compliance behaviors than noncompliance behaviors. Value conflicts, security-related stress, and neutralization, among many other factors, provided significant evidence towards noncompliance. At the same time, internal/external and protection motivations proved positively significant towards compliance behaviors. Employees perceive internal and external motivations from their social circle, management behaviors, and organizational culture to adopt security-aware behaviors. Deterrence techniques, management behaviors, culture, and information security awareness play a vital role in transforming employees’ noncompliance into compliance behaviors. This SLR’s motivation is to synthesize the literature on ISPC and ISB, identifying the behavioral transformation process from noncompliance to compliance. This SLR contributes to information system security literature by providing a behavior transformation process model based on the existing ISPC literature.

Noor Suhani Sulaiman,Muhammad Ashraf Fauzi,Walton Wider,Jegatheesan Rajadurai,Suhaidah Hussain,Siti Aminah Harun

DOI: https://doi.org/10.3390/socsci11090386

2022-08-30

Social Sciences

Abstract:Cyber and information security (CIS) is an issue of national and international interest. Despite sophisticated security systems and extensive physical countermeasures to combat cyber-attacks, organisations are vulnerable due to the involvement of the human factor. Humans are regarded as the weakest link in cybersecurity systems as development in digital technology advances. The area of cybersecurity is an extension of the previously studied fields of information and internet security. The need to understand the underlying human behavioural factors associated with CIS policy warrants further study, mainly from theoretical perspectives. Based on these underlying theoretical perspectives, this study reviews literature focusing on CIS compliance and violations by personnel within organisations. Sixty studies from the years 2008 to 2020 were reviewed. Findings suggest that several prominent theories were used extensively and integrated with another specific theory. Protection Motivation Theory (PMT), the Theory of Planned Behaviour (TPB), and General Deterrence Theory (GDT) were identified as among the most referred-to theories in this area. The use of current theories is discussed based on their emerging importance and their suitability in future CIS studies. This review lays the foundation for future researchers by determining gaps and areas within the CIS context and encompassing employee compliance and violations within an organisation.

English Else

Akhyari Nasir,Ruzaini Abdullah Arshah,Mohd Rashid Ab Hamid,Syahrul Fahmy,,,,

DOI: https://doi.org/10.30880/ijie.2022.14.03.017

2022-06-20

International Journal of Integrated Engineering

Abstract:This paper examines the factors determining a positive Information Security Culture (ISC) concept and the influence of ISC towards ISP compliance intention (INT) between IT and non-IT professionals in Malaysian public universities. Partial least square structural equation modelling, using PLS MGA, is used to assess the measurement and structural models, and to compare the results between the two groups. Results indicate all factors have significant contribution towards ISC in both groups, with two out of seven ISC factors have significant differences. This study has revealed that although both groups have the same ISC factors, IT and non-IT professionals have significant difference in terms of believe that Top Management Commitment and Information Security Knowledge are required for implementing apositive ISC. In addition, there is a significant difference between these two groups in terms of the influence of ISC towards ISP compliance intention. ISC has less influence towards INT for Non-IT professionals compared to IT professionals within the same ISC. These empirical findings would benefit in formulating better security strategies by providing appropriate efforts for different groups of employees in the organizations. This study also provides a total cyber security solution for improving information security culture and employees’ compliance towards Information Security Policy.

W. Alec Cram,Jeffrey G. Proudfoot,John D’Arcy

DOI: https://doi.org/10.1057/s41303-017-0059-9

2017-11-01

European Journal of Information Systems

Abstract:A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.

information science & library science,management,computer science, information systems

Ghulam Farid,Nosheen Fatima Warraich,Sadaf Iftikhar

DOI: https://doi.org/10.1177/01655515231160026

2023-04-07

Journal of Information Science

Abstract:Journal of Information Science, Ahead of Print. Digital information security management (DISM) is considered an important tool to ensure the privacy and protection of data and resources in an electronic environment. The purpose of this research is to look into the applications of DISM policies in terms of practices and implementation in academic libraries. It also identifies the challenges faced by academic libraries in applying these DISM practices regarding policy. A systematic literature review was conducted to achieve the objectives of the study. The data were collected from well-known different databases, that is, Library Information Science and Technology s (LISTA), Library and Information Science s (LISA), IEEE Xplore, Emerald Insight, ACM Digital Library, Scopus, Sage journals, Taylor & Francis, ProQuest, Science Direct, Wiley Online Library, and Google Scholar. It followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines to choose relevant articles with keyword searching. Some academic libraries have developed DISM policies on data protection, data backup, information security (IS) systems, the development of hardware and software, the training of library staff, data protection from malware and social engineering, and data security and privacy. A few libraries have developed a mechanism to protect and secure users' sensitive data from hackers, viruses, malware and social engineering. Findings indicated that both organisations and users trust libraries due to their strict privacy and data security policies. However, some academic libraries did not adopt and implement DISM policies in their organisations, even though they had written DISM policies. Libraries have been facing issues with the DISM policy on data security and privacy, data backup, IS systems, hardware and software upgrades and technical support of library staff. They also face budgetary challenges and a lack of readiness among librarians to adopt emerging tools and technology such as DISM. Library professionals faced challenges in developing and implementing the DISM policy. For data security and privacy, stakeholders, administrators and library professionals must promote the DISM policy culture in academics. This study is beneficial for library professionals, policymakers, administrators and management to make DISM policies and implement them in their organisation or libraries to secure sensitive, personal data and resources. This article is the first review of DISM policy in academic libraries of its kind and would be useful for information professionals, stakeholders and administrators.

computer science, information systems,information science & library science

Rajasekar Ramalingam,Ramkumar Lakshminarayanan,Shimaz Khan

DOI: https://doi.org/10.48550/arXiv.1605.05580

2016-05-17

Abstract:The gap between the knowledge and the practices regarding the computer and Internet use are the major factors which influence security of Information. A survey was performed on the education institutions in Oman to investigate the level of information security awareness among various entities. The survey focused on the following factors of IT Security: Demographics, Internet usage, Awareness about organizations network Security threats experience, Awareness on Password management, Email security awareness and Knowledge on security practices. The survey attracted 173 respondents: the level of information security awareness and knowledge on security practices were correlated and analyzed. The areas of weakness related to the security implementation, awareness and practice were identified.

Computers and Society,Cryptography and Security

Puzant Balozian,Dorothy Leidner

DOI: https://doi.org/10.1145/3130515.3130518

2017-08-02

Abstract:An understanding of insider threats in information systems (IS) is important to help address one of the dangers lurking within organizations. This article provides a review of the literature on insider compliance (and failure of compliance) with information systems' policies in order to understand the status of IS research regarding negligent and malicious insiders. We begin by defining the terms, developing a new taxonomy of insiders, and then providing a comprehensive review of articles on IS policy compliance for the past 26 years. Grounding the analysis in the literature, we inductively identify four themes to foster Information Security policy compliance among employees. The themes are: 1) IS management philosophy, 2) procedural countermeasures, 3) technical countermeasures, and 4) environmental countermeasures. We propose that future research can draw upon these themes and use them as the building blocks of an indigenous IS security theory.

Charlette Donalds,Corlane Barclay

DOI: https://doi.org/10.1080/0960085X.2021.1978344

2021-09-23

European Journal of Information Systems

Abstract:The evolving sophistication of threats and the impact of security breaches have caused managers to continually grapple with strategies to reduce these risks. One common security control is the adoption of information security policies (ISPs) geared at improving employees' compliance behaviour. However, there is mounting empirical evidence that shows that ISP compliance is a challenging undertaking with less than satisfactory outcomes. Further, little attention is placed on developing economies in the study of this phenomenon. This research adopts a values-based methodology to determine fundamental and means objectives in maximising employees' compliance with ISPs in a developing economy context. The research identifies 30 objectives and demonstrates that risk mitigation, people, technical and organisational factors are essential to improving compliance. The results contribute objectives, contextualised to the people for whom the results are relevant, thus promoting deeper understanding. The research offers utility to managers in the design and implementation of InfoSec strategies and policies. The findings can also inform investment decisions regarding compliance tools, methods and technologies. Recognising that security (information and cyber) threats are a global dilemma, we contend that investigating forms of security risks and potential solutions can mitigate the social and economic costs of security incidents.

information science & library science,management,computer science, information systems

Harrison Stewart,Jan Jürjens

DOI: https://doi.org/10.1108/ics-07-2016-0054

2017-11-13

Information and Computer Security

Abstract:Purpose The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. Thus, these issues need to be addressed efficiently, especially in organizations in which data are a valuable asset. Design/methodology/approach Before developing the instrument for the survey, first, effective measurement built upon existing literature review was identified and developed and the survey questionnaires were set according to past studies and the findings based on qualitative analyses. Data were collected by using cross-sectional questionnaire and a Likert scale, whereby each question was related to an item as in the work of Witherspoon et al. (2013). Data analysis was done using the SPSS.3B. Findings Based on the results from three surveys and findings, a principle of information security compliance practices was proposed based on the authors’ proposed nine-five-circle (NFC) principle that enhances information security management by identifying human conduct and IT security-related issues regarding the aspect of information security management. Furthermore, the authors’ principle has enabled closing the gap between technology and humans in this study by proving that the factors in the present study’s finding are interrelated and work together, rather than on their own. Research limitations/implications The main objective of this study was to address the lack of research evidence on what mobilizes and influences information security management development and implementation. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides that enable obtaining a bigger picture and precise information about the real issues that cause information security management shortcomings. Practical implications In this sense, despite the fact that this study has limitations concerning the development of a diagnostic tool, it is obviously the main procedure for the measurements of a framework to assess information security compliance policies in the organizations surveyed. Social implications The present study’s discoveries recommend in actuality that using flexible tools that can be scoped to meet individual organizational needs have positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should forsake the oversimplified generalized guidelines that neglect the verification of the difference in information security requirements in various organizations. Instead, they should focus on the issue of how to sustain and enhance their organization’s compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps. Originality/value The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors, and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but as of the early twenty-first century, the most important issue identified in technology risk studies is the human factor.

Ankur Shukla,Basel Katt,Livinus Obiora Nweke,Prosper Kandabongee Yeng,Goitom Kahsay Weldehawaryat

DOI: https://doi.org/10.1016/j.cosrev.2022.100496

2022-07-29

Abstract:System security assurance provides the confidence that security features, practices, procedures, and architecture of software systems mediate and enforce the security policy and are resilient against security failure and attacks. Alongside the significant benefits of security assurance, the evolution of new information and communication technology (ICT) introduces new challenges regarding information protection. Security assurance methods based on the traditional tools, techniques, and procedures may fail to account new challenges due to poor requirement specifications, static nature, and poor development processes. The common criteria (CC) commonly used for security evaluation and certification process also comes with many limitations and challenges. In this paper, extensive efforts have been made to study the state-of-the-art, limitations and future research directions for security assurance of the ICT and cyber-physical systems (CPS) in a wide range of domains. We conducted a systematic review of requirements, processes, and activities involved in system security assurance including security requirements, security metrics, system and environments and assurance methods. We highlighted the challenges and gaps that have been identified by the existing literature related to system security assurance and corresponding solutions. Finally, we discussed the limitations of the present methods and future research directions.

Cryptography and Security,Software Engineering

Rajasekar Ramalingam,Shimaz Khan,Shameer Mohammed

DOI: https://doi.org/10.48550/arXiv.1602.06510

2016-02-21

Cryptography and Security

Abstract:The revolution of internet technology and its usage have led a significant increase in the number of online transactions and electronic data transfer, parallely increased the number of cybercrime incidents around the world. Steady economic growth in the Sultanate of Oman accelerated the volume of online utilization for e-commerce, banking, communication, education and so forth. Normally attackers target the users who ignore security practices due to the lack of information security awareness. Unawareness of information security practices, user negligence, lack of awareness programs and trainings are the root cause for information security threats. Earlier studies reveal there is a considerable and continuous cybercrime incident in Oman which compromises the security policy of the organizations, affecting the business continuity and the economic growth. In this study, a survey was performed among the educational institutions in Oman to investigate the level of information security awareness and based on the study, a security awareness model is proposed to enable information security practices in the educational institutions.

Craig A. Horne,Atif Ahmad,Sean B. Maynard

DOI: https://doi.org/10.48550/arXiv.1606.03528

2016-06-11

Abstract:Dependence on information, including for some of the world's largest organisations such as governments and multi-national corporations, has grown rapidly in recent years. However, reports of information security breaches and their associated consequences continue to indicate that attacks are still escalating on organisations when conducting these information-based activities. Clearly, more research is needed to better understand how organisations should formulate strategy to secure their information. Through a thematic review of academic security literature, we (1) analyse the antecedent conditions that motivate the potential adoption of a comprehensive information security strategy, (2) the current perspectives of strategy and (3) the yields and benefits that could be enjoyed post-adoption. Our contributions include a definition of information security strategy. We argue for a paradigm shift to extend from internally-focussed protection of organisation-wide information towards a strategic view that considers the inter-organisational level. Our findings are then used to suggest future research directions.

Computers and Society,Cryptography and Security

Puspita Kencana Sari,Putu Wuri Handayani,Achmad Nizar Hidayanto,Setiadi Yazid,Rizal Fathoni Aji

DOI: https://doi.org/10.3390/healthcare10122531

2022-12-15

Health Care

Abstract:This study aims to review the literature on antecedent factors of information security related to the protection of health information systems (HISs) in the healthcare organization. We classify those factors into organizational and individual aspects. We followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) framework. Academic articles were sourced from five online databases (Scopus, PubMed, IEEE, ScienceDirect, and SAGE) using keywords related to information security, behavior, and healthcare facilities. The search yielded 35 studies, in which the three most frequent individual factors were self-efficacy, perceived severity, and attitudes, while the three most frequent organizational factors were management support, cues to action, and organizational culture. Individual factors for patients and medical students are still understudied, as are the organizational factors of academic healthcare facilities. More individual factors have been found to significantly influence security behavior. Previous studies have been dominated by the security compliance behavior of clinical and non-clinical hospital staff. These research gaps highlight the theoretical implications of this study. This study provides insight for managers of healthcare facilities and governments to consider individual factors in establishing information security policies and programs for improving security behavior.

health care sciences & services,health policy & services

Adam Semlambo,Edison Wazoel Lubua,Catherine Mkude

DOI: https://doi.org/10.59645/tji.v2i1.91

2022-12-16

Abstract:This study developed an Information Systems Security Policy Framework relevant in governing Information and Communication Technologies (ICT) in public institutions of Tanzania. It used higher learning institutions as the case for study, The framework is to guide professionals on how to secure ICT environment. Operationally, this study used a qualitative approach. It began with a review of the literature, followed by a focus group discussion to formulate new themes for the proposed Information System Security policy framework. The output of the study suggests a policy framework with the following themes: Data and information handling, Internet and network Services Governance, the use of company-owned devices, physical security, guidelines on how to acquire new hardware and software, incident handling and reporting, monitoring and compliance, and policy administration. This study recommends the use of a new comprehensive and harmonised Information Systems Security policy framework for all public higher education institutions, for a more secure environment. In addition, the study recommends additional studies including other types of organisations for comparison.

Sean Maynard,Atif Ahmad

DOI: https://doi.org/10.48550/arXiv.2208.13087

2022-08-27

Cryptography and Security

Abstract:In the digital age, the protection of information resources is critical to the viability of organizations. Information Security Management (ISM) is a protective function that preserves the confidentiality, integrity and availability of information resources in organizations operating in a complex and evolving security threat landscape. This paper analyses ISM research themes, methods, and theories in high quality IS journals over a period of 30 years (up to the end of 2017). Although our review found that less than 1 percent of papers to be in the area of ISM, there has been a dramatic increase in the number of ISM publications as well as new emerging themes in the past decade. Further, past trends towards subjective-argumentative papers have reversed in favour of empirically validated research. Our analysis of research methods and approaches found ISM studies to be dominated by one-time surveys rather than case studies and action research. The findings suggest that although ISM research has improved its empirical backing over the years, it remains relatively disengaged from organisational practice.

Noly M. De Ramos,Francisco Dente Esponilla II

DOI: https://doi.org/10.11591/ijere.v11i3.22863

2022-09-01

International Journal of Evaluation and Research in Education (IJERE)

Abstract:Digital technology has become an integral aspect of an educational system. Every state university funded the creation of Information Technology Offices to secure its Management Information System. The challenge on cybersecurity threatens the intellectual capital of students especially in a research university, theft of crucial information, and financial loss. The current study is a multiple case study of cybersecurity threats and challenges of Selected Philippine State Universities and Colleges in the National Capital Region. Sample participants were purposively selected Information Technology experts from various selected State College and Universities. A structured interview as the main instrument of the study investigated threats and challenges of cybersecurity to assess active and proactive approaches to developing a model framework for security resources in respective academic institutions. Responses gathered from the interview were consolidated and analyzed through a thematic coding process. The result of the study revealed the following challenges in cybersecurity are user education, cloud security, information security strategy, and unsecured personal devices. The creation of a program logic model will provide an informed cybersecurity planning, implementation, and assessment framework to the commission on higher education in collaboration with the Department of Information and Communication Technology, and the Philippine Association of the State Colleges and Universities.

Rohani Rohan,Debajyoti Pal,Jari Hautamäki,Suree Funilkul,Wichian Chutimaskul,Himanshu Thapliyal

DOI: https://doi.org/10.1016/j.heliyon.2023.e14234

IF: 3.776

2023-03-01

Heliyon

Abstract:Information Security Awareness (ISA) is a significant concept that got considerable attention recently and can assist in minimizing the risks associated with information security breaches. Several measurement scales have been developed in this regard, as measuring users' ISA is paramount. Although ISA specific scales are very important, yet what methodological rigor they use in terms of initial conceptualization of ISA, data collection and analysis during the development, and scale validation of such scales are some unknown aspects. Therefore, we provide a comprehensive review of the existing ISA specific scales to address all the above concerns. A popular method, PRISMA, is utilized, and a total of 24 articles that match with criteria of this research are included for the final in-depth analysis. Also, a holistic evaluation framework is developed containing three phases and 19 criteria. Findings revealed that most studies treat ISA as a multi-dimensional construct, and ISA researchers rarely conduct both pilot testing and pre-text evaluation while validating and refining the initial scales. Additionally, several articles did not report some of the essential elements used for checking the rigor of factor analysis, and evidence for validities of the identified scales is inadequate. Consequently, existing ISA specific scales must be improved both in terms of the methodological thoroughness of the scale development procedure and their validities. Moreover, not only justifying why the development of a new scale is necessary, but also improving the quality of the existing scales by doing multiple iterations is significant in the future. Likewise, the inclusion of all the dimensions of ISA, while generating the initial items pool is an important aspect to be considered. A thorough discussion, recommendations for future research, conclusions, and study limitations are provided.