Ashraf Mady,Saurabh Gupta,Merrill Warkentin

DOI: https://doi.org/10.1111/isj.12424

IF: 7.767

2023-01-11

Information Systems Journal

Abstract:Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.

information science & library science

Akankhya Panda

DOI: https://doi.org/10.55041/ijsrem25258

2023-08-16

INTERANTIONAL JOURNAL OF SCIENTIFIC RESEARCH IN ENGINEERING AND MANAGEMENT

Abstract:In work settings, different leadership styles significantly impact employee well-being, potentially leading to improved health or heightened stress levels. This research posits that leadership focused on providing security can serve as a crucial asset in mitigating employee job burnout. The study explores the correlation between employees' perceptions of their leaders' security-oriented leadership and their experience of job-related burnout. This research explores how security- providing leaders impact burnout, highlighting the mediating roles of organizational climate (psychological safety) and organizational dehumanization. The study surveyed 655 Spanish employees (53.7% women) through non- discriminative snowball sampling. Using Partial Least Squares Structural Equation Modeling (PLS-SEM), results confirm a negative link between security-providing leadership and burnout. The study also finds that this relationship is influenced by psychological safety climate and organizational dehumanization. These findings support attachment-based leadership, indicating ways to create better organizational environments. Leaders focusing on security enhance employee well-being by promoting psychological safety and reducing organizational dehumanization, thus mitigating job burnout. Key Words: leadership; attachment theory; security provider; organizational climate; organizational dehumanization, burnout.

Aristotle Onumo,Irfan Ullah-Awan,Andrea Cullen

DOI: https://doi.org/10.1145/3424282

2021-06-01

ACM Transactions on Management Information Systems

Abstract:The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Saif Hussein Abdallah Alghazo,Norshima Humaidi,Shereen Noranee

DOI: https://doi.org/10.22610/imbr.v15i1(i)si.3408

2023-05-11

Information Management and Business Review

Abstract:Cybersecurity threats are a serious issue faced by many organizations in this new information era. Therefore, security leaders play a significant role not only to ensure that all their employees are practicing good security behavior to protect organizational information assets but also to ensure that security technology has been installed properly to protect network infrastructure. This study aims to examine cybersecurity protective behavior (CPB) among employees in the organization and focus on the role of leadership competencies and information security countermeasure awareness. The questionnaires were distributed via email and self-administered, and the study managed to obtain 245 responses. Partial Least Squares-Structural Equation Modeling (PLS-SEM) analysis was used to analyze the final data. Confirmatory factor analysis (CFA) testing shows that all the measurement items of each construct were adequate in their validity individually based on their factor loading value. Moreover, each construct is valid based on its parameter estimates and statistical significance. The research findings show that Procedural Information Security Countermeasure (PCM) awareness strongly influences CPB compared to a leader's information security competencies (ISI). Meanwhile, ISI significantly influences PCM awareness. This study adapts the theory of leadership competencies in the context of cybersecurity, which is particularly beneficial to any industry in improving organizational information security strategic plans.

Paul Benjamin Lowry,Clay Posey,Rebecca J. Bennett,Tom L. Roberts,Rebecca Becky J. Bennett

DOI: https://doi.org/10.1111/isj.12063

IF: 7.767

2015-02-24

Information Systems Journal

Abstract:Research shows that organisational efforts to protect their information assets from employee security threats do not always reach their full potential and may actually encourage the behaviours they attempt to thwart, such as reactive computer abuse (CA). To better understand this dilemma, we use fairness theory (FT) and reactance theory (RT) to explain why employees may blame organisations for and retaliate against enhanced information security policies (ISPs). We tested our model with 553 working professionals and found support for most of it. Our results show that organisational trust can decrease reactive CA. FT suggests that explanation adequacy (EA) is an important factor that builds trust after an event. Our results also suggest that trust both fully mediates the relationship between EA and CA and partially mediates the relationship between perceived freedom restrictions related to enhanced ISPs and reactive CA. EA also had a strong negative relationship with freedom restrictions. Moreover, organisational security education, training and awareness (SETA) initiatives decreased the perceptions of external control and freedom restrictions and increased EA, and advance notification of changes increased EA. We also included 14 control variables and rival explanations to determine with more confidence what drove reactive CA in our context. Notably, the deterrence theory (DT)‐based constructs of sanction severity, certainty and celerity had no significant influence on reactive CA. We provide support for the importance of respectful communication efforts and SETA programmes, coupled with maximising employee rights and promoting trust and fairness to decrease reactive CA. These efforts can protect organisations from falling victim to their own organisational security efforts.

information science & library science

Marten de Bruin,Konstantinos Mersinas

2024-05-29

Abstract:Cyber security incidents are increasing and humans play an important role in reducing their likelihood and impact. We identify a skewed focus towards technical aspects of cyber security in the literature, whereas factors influencing the secure behaviour of individuals require additional research. These factors span across both the individual level and the contextual level in which the people are situated. We analyse two datasets of a total of 37,075 records from a) self-reported security behaviours across the EU, and b) observed phishing-related behaviours from the industry security awareness training programmes. We identify that national culture, industry type, and organisational security culture play are influential Variables (antecedents) of individuals' security behaviour at contextual level. Whereas, demographics (age, gender, and level or urbanisation) and security-specific factors (security awareness, security knowledge, and prior experience with security incidents) are found to be influential variables of security behaviour at individual level. Our findings have implications for both research and practice as they fill a gap in the literature and provide concrete statistical evidence on the variables which influence security behaviour. Moreover, findings provides practical insights for organisations regarding the susceptibility of groups of people to insecure behaviour. Consequently, organisations can tailor their security training and awareness efforts (e.g., through behaviour change interventions and/or appropriate employee group profiles), adapt their communications (e.g., of information security policies), and customise their interventions according to national culture characteristics to improve security behaviour.

Cryptography and Security

John D’Arcy,Anat Hovav

DOI: https://doi.org/10.1007/s10551-008-9909-7

IF: 6.331

2008-08-27

Journal of Business Ethics

Abstract:Research from the fields of criminology and social psychology suggests that the deterrent effect of security countermeasures is not uniform across individuals. In this study, we examine whether certain individual characteristics (i.e., computer self-efficacy) or work arrangement (i.e., virtual status) moderate the influence of␣security policies, security education, training, and awareness (SETA) program, and computer monitoring on information systems misuse. The results suggest that computer savvy individuals are less deterred by SETA programs and computer monitoring, while these countermeasures are also less influential (from a deterrence perspective) on employees that spend more working days outside the office. Implications for both the research and practice of information security are discussed.

business,ethics

Sulistio Sulistio

DOI: https://doi.org/10.33050/itee.v2i1.411

2023-10-30

Abstract:In an ever-evolving digital landscape, the imperative of robust cybersecurity measures to safeguard sensitive data, systems, and operations cannot be overstated. This research undertakes a comprehensive evaluation of the intricate factors that collectively contribute to cybersecurity effectiveness within organizational contexts. Employing the Partial Least Squares Structural Equation Modeling (PLS-SEM) methodology, this research dissect the complex relationships among pivotal constructs including Security Measures Effectiveness, Incident Response Capability, Vulnerability Management, User Training Impact, Security Policy Adherence, External Threat Mitigation, Data Protection Effectiveness, and System Resilience. Through data derived from surveys and meticulous assessments, our analysis utilizes PLS-SEM to quantitatively scrutinize how these constructs interconnect and impact the overarching goal of cybersecurity: the proactive prevention, swift detection, and effective mitigation of cyber threats. By elucidating the constructs with the most significant influence, our study not only enhances scholarly discourse but also empowers organizations to refine cybersecurity strategies, strengthen user training initiatives, and implement robust policies in alignment with the ever-adapting threat landscape. Ultimately, this research furnishes organizations with insights to bolster their cybersecurity defenses, fortify digital assets, and counteract the escalating sophistication of cyber threats.

Mansour Naser Alraja,Usman Javed Butt,Maysam Abbod

DOI: https://doi.org/10.1016/j.cose.2023.103208

IF: 5.105

2023-06-01

Computers & Security

Abstract:Information security threats have a severe negative impact on enterprises. Organizations rely on employee compliance with information security policies to eliminate or reduce these hazards. The Unified Model of Information Security Policies Compliance (UMISPC) is employed to identify the factors that may affect employees' intention towards compliance with information systems security policy and reactance in a global setting. The study was assessed in two phases. The model's validity and measurement reliability were evaluated in the first phase, while in the second phase, all preliminary model relationships were appraised. This was achieved utilizing structural equation modelling to establish whether the proposed constructs, i.e. neutralization, response efficacy, fear, threat, habit and role values were good predictors for intention or reactance towards compliance with information systems security policy. Participants included 348 employees from 7 nations, i.e. the USA, the UK, Oman, India, Pakistan, Malaysia, and the Philippines. SmartPLS v. 3.3.9 was used for data analysis. The models' measurement reliability and validity were affirmed. Fear and role values have a significant influence on intention toward ISPC. RE significantly predicted threat which in turn significantly predicted fear, and the latter demonstrated a significant effect on reactance as well as Neutralization predicted reactance. In contrast, habit failed to reach a significant influence on intention towards ISPC. The implications are presented, together with proposals for further studies. Our findings are helpful for ISS literature and application by supporting the crucial functions of role values in encouraging employees to behave in a compliant manner. Additionally, it is regarded as the first empirical attempt to estimate intended compliance concerning ISPs in higher education from a worldwide viewpoint.

computer science, information systems

Nader Sohrabi Safa,Carsten Maple,Steve Furnell,Muhammad Ajmal Azad,Charith Perera,Mohammad Dabbagh,Mehdi Sookhak

DOI: https://doi.org/10.1016/j.future.2019.03.024

IF: 7.307

2019-08-01

Future Generation Computer Systems

Abstract:Previous studies show that information security breaches and privacy violations are important issues for organisations and people. It is acknowledged that decreasing the risk in this domain requires consideration of the technological aspects of information security alongside human aspects. Employees intentionally or unintentionally account for a significant portion of the threats to information assets in organisations. This research presents a novel conceptual framework to mitigate the risk of insiders using deterrence and prevention approaches. Deterrence factors discourage employees from engaging in information security misbehaviour in organisations, and situational crime prevention factors encourage them to prevent information security misconduct. Our findings show that perceived sanctions certainty and severity significantly influence individuals’ attitudes and deter them from information security misconduct. In addition, the output revealed that increasing the effort, risk and reducing the reward (benefits of crime) influence the employees’ attitudes towards prevent information security misbehaviour. However, removing excuses and reducing provocations do not significantly influence individuals’ attitudes towards prevent information security misconduct. Finally, the output of the data analysis also showed that subjective norms, perceived behavioural control and attitude influence individuals’ intentions, and, ultimately, their behaviour towards avoiding information security misbehaviour.

Xue Yang,Wei T. Yue,Choon Lin Sia

DOI: https://doi.org/10.1007/978-3-642-29873-8_17

2012-01-01

Abstract:IS security policy is one of the essential tools to ensure the secure use of information systems and technological assets. To enhance the effectiveness of policy implementation, organizations rely on security training, education and awareness (STEA) programs to help employees understand the IS security issues of the organization. However, different levels of STEA informativeness may have conflicting effects on employees' compliance decisions. In addition, the urgency of a task may also lead employees to abandon the compliance decision occasionally. The existing corporate information security policy (ISP) could also serve as a deterrence message that would influence compliance decisions. An experimental survey was conducted to examine this phenomenon and test the related hypotheses. The results of this study can be used to inform and guide researchers and practitioners as to how to better enforce an IS security policy through better implementation of STEA programs and improved design of ISP in different task scenarios.

Boon-Yuen Ng,Atreyi Kankanhalli,Yunjie (Calvin) Xu

DOI: https://doi.org/10.1016/j.dss.2008.11.010

IF: 6.969

2009-01-01

Decision Support Systems

Abstract:The damage due to computer security incidents is motivating organizations to adopt protective mechanisms. While technological controls are necessary, computer security also depends on individual's security behavior. It is thus important to investigate what influences a user to practice computer security. This study uses the Health Belief Model, adapted from the healthcare literature, to study users' computer security behavior. The model was validated using survey data from 134 employees. Results show that perceived susceptibility, perceived benefits, and self-efficacy are determinants of email related security behavior. Perceived severity moderates the effects of perceived benefits, general security orientation, cues to action, and self-efficacy on security behavior.

Kuang-Ming Kuo,Paul C Talley,Chi-Hsien Huang

DOI: https://doi.org/10.1016/j.cose.2020.101928

2020-09-01

Abstract:Deterrence theory has been widely adopted in the study of information security management; however, evidence frequently presents sometimes contradictory results. Prior meta-analytic studies have focused primarily on the use of formal deterrence constructs to predict security-compliant behavior, while informal deterrence constructs and security-risk behavior are often neglected as a result. This study aims to meta-analyze the relationships formed between both formal/informal deterrence constructs and security-compliant/risk behaviors in a comprehensive manner beyond what has taken place in prior IS security meta-analysis based on deterrence theory. By searching multiple electronic databases, we have located 40 studies, along with 108 effect sizes, pertinent to our study's purpose. Inverse variance method weighted with sample sizes was used to determine mean effect sizes. The random-effects model was used to report meta-analysis results since Q, I2, and H index showed some degree of heterogeneity existent in the collected data. Publication bias was assessed by means of fail-safe N. All proposed relationships occurring between formal/informal deterrence constructs and security-compliant/-risk behaviors were supported. Formal deterrence constructs exerted weak to moderate effects on security behavior, while informal deterrence constructs exerted moderate to strong effects on security behavior. Further, informal deterrence constructs showed greater mean effect sizes than formal deterrence constructs. Additionally, prediction intervals of deterrence constructs, along with detection certainty, included zero, which indicated that moderators may be present. Based on these findings, the mean effect sizes of deterrence constructs may be more clearly identified when dividing security behavior into both compliant- and risk- behaviors. Further moderators might be employed to improve the inconsistent findings evidenced in deterrence theory.

computer science, information systems

Sunil Chaudhary

DOI: https://doi.org/10.1016/j.cose.2024.103858

IF: 5.105

2024-04-27

Computers & Security

Abstract:Organisations implementing cybersecurity awareness (CSA) should strive to positively change employees' attitudes and behaviours. In practice, though, most of such initiatives only manage to increase employees' knowledge. In cybersecurity, knowledge on its own will have no significant value unless it is used to guide decisions and inspire actions. This study, therefore, has investigated the attributes that could influence and contribute to positive changes in employees' cybersecurity behaviours. The study used a literature review for questionnaire design and then employed the Delphi method with 22 experts, which consequently identified seven such attributes. These attributes are as follows: i) obtain senior management support and participation in CSA activities; ii) consider CSA as a continuous process that needs to be updated and improved on a regular basis; iii) cultivate and spread 'cybersecurity' as a norm in the organisation; iv) encourage cybersecurity activities and behaviours through incentives; v) craft and use persuasive CSA messages; vi) employ innovative and effective approaches to disseminate CSA messages; and vii) recommend security activities that are achievable and pertinent for the audience.

computer science, information systems

Zhengchuan Xu,Ken H. Guo

DOI: https://doi.org/10.1108/JEIM-10-2018-0229

2019-01-01

Journal of Enterprise Information Management

Abstract:Purpose Human factor is often cited as one of the biggest challenges for organizational information security management. The purpose of this paper is to investigate how and why employees fail to carry out required security tasks. Design/methodology/approach On the basis of coping theory, this paper develops a theoretical model to examine employee effortful security behavior (ESB). The model is tested with the data collected through a survey of computer users. Findings The results suggest that employee procrastination of security tasks and psychological detachment from security issues are two antecedents of ESB. Psychological detachment and procrastination are in turn influenced by perceived externalities of security risk and triage of business tasks over security issues by employees. Originality/value This paper contributes to the information systems security literature by providing a nuanced understanding of the antecedents and process of how employees cope with security task demands. It also offers some insights for practitioners in terms of the importance of designing and implementing security measures that are viewed as relevant to employees.

Ofir Turel,Zhengchuan Xu,Ken Guo

DOI: https://doi.org/10.1080/08874417.2017.1400928

2017-01-01

Journal of Computer Information Systems

Abstract:This study takes a relational perspective to introduce the concept of organizational citizenship behavior regarding security (OCB-S) and to examine its predictors. Utilizing social exchange and role theories, we develop a model explicating the indirect effects of the way information systems (IS) departments lead IS initiatives and manages its relationships with end-users on end-users' OCB-S. Based on survey data from 223 employees of Chinese firms, we demonstrate that IS departments' management approaches play an important role in influencing business users-IS department exchange (BIX) and user perceptions regarding whether IS security is their responsibility (extra-role perceptions regarding security). These factors, in turn, influence the extent to which end-users engage in OCB-S. Theoretically, this study advances our understanding of end-user security-related behaviors and their antecedents. Practically, this study highlights the importance of business users-IS department relationships and role perceptions for improving organizational security management.

Charlette Donalds,Kweku-Muata Osei-Bryson

DOI: https://doi.org/10.1016/j.ijinfomgt.2019.102056

IF: 18.958

2020-04-01

International Journal of Information Management

Abstract:Recent information and cybersecurity research have focused on improving individuals' security compliance behavior. However, improved security performance remains a challenge since individuals often fail to comply with security best practices. In this study, we investigate a new individual cybersecurity compliance behavior model proposed by Donalds and Osei-Bryson (2017). Specifically, we investigate the influence of individual decision styles on their cybersecurity compliance behavior and other antecedents of such behavior. To empirically validate the hypotheses in the Donalds & Osei-Bryson model, we used data collected from 248 individuals and then use multiple regression to examine the assertions of the model. Our findings confirm that individual's decision styles, specifically, dominant orientation and dominant decision style, influence their individual cybersecurity compliance behavior and other antecedents of such behavior. Our research offers new dimensions for investigating individual cybersecurity compliance behavior and new insights into factors that may influence individual's cybersecurity compliance behavior.

Lennart Jaeger,Andreas Eckhardt

DOI: https://doi.org/10.1111/isj.12317

IF: 7.767

2020-12-17

Information Systems Journal

Abstract:<p>Most contemporary studies on information security focus on largely static phenomena in examining security‐related behaviours. We take a more dynamic, situational and interactionist approach that proposes that security‐related behaviours result from an interaction between the person and the perception of a threatening situation. We derive and define situational information security awareness based on situation awareness literature, and examine how individual‐level (innate traits, experience) and system‐level factors (design variations, warning signal) influence awareness, and how it influences subsequent threat and coping appraisals, and ultimately security‐related behaviours in a multi‐method phishing experiment including eye tracking and survey components with 107 employees. The results underscore the importance of situational information security awareness and show that past experience with phishing and a security warning increase awareness, while phishing emails' contextual relevance and misplaced salience decrease awareness. Situational information security awareness, in turn, increases perceived threat and perceived coping efficacy and, ultimately, actual behavioural responses to phishing attacks.</p>

information science & library science

Jiaqing Zhao,Yuxiang Hong,Wenqing Chen,Chouyong Chen

DOI: https://doi.org/10.1080/08874417.2024.2403571

2024-09-19

Journal of Computer Information Systems

Abstract:Combining cognitive and affective influences, as well as considering role-breadth constructs is critical to the study of employees' information security policy (ISP) compliance. This paper presents an improved model by integrating psychological capital (PsyCap), psychological ownership (PsyOwn), and the theory of planned behavior (TPB) based on the Conservation of Resources (COR) theory. A valid sample of 382 Chinese employees was used for model testing. The results imply that PsyCap is an important motivational antecedent to the cognitive decision-making processes theorized by the TPB. Also, PsyOwn moderates the effect of PsyCap on subjective norms, along with ISP compliance attitudes and behavioral intentions. Finally, theoretical contributions and managerial implications are addressed.

computer science, information systems

Qing Hu,Zhengchuan Xu

DOI: https://doi.org/10.24251/hicss.2018.466

2018-01-01

Abstract:We draw on recent advances in cognitive neural science to articulate an employee security behavioral model. Cognitive neural science studies suggest two neurological processes occurring in human brain when making decisions: the automatic or reflexive process, which is the default mode for decision making, and the controlled or reflective process, which interrupts the automatic process when the brain encounters unexpected events or novel decisions. We map rational choice to the controlled process and self-control to the automatic process and test a decision model using survey data in the context of employee non-compliance behavior to organization information security policies.