51. An Assessment of Data Location Vulnerability for Human Factors Using Linear Regression and Collaborative Filtering. INFORMATION 2020. [DOI: 10.3390/info11090449] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/16/2022]

Abstract
End-user devices and applications (data locations) are becoming more capable and user-friendly and are used in various Health Information Systems (HIS) by employees of many health organizations to perform their day-to-day tasks. Data locations are connected via the internet. In technological terms, these locations have relatively good information security mechanisms to minimize attacks on and through them. However, human factors are often ignored in their security ecosystem. In this paper, we propose a human factor framework merged with an existing technological framework. We also explore how human factors affect data locations via linear regression computations and rank data location vulnerability using collaborative filtering. Our results show that human factors play a major role in data location breaches. Laptops are ranked as the most susceptible location and electronic medical records as the least. We validate the ranking by root mean square error.

52. Prislan K, Mihelič A, Bernik I. A real-world information security performance assessment using a multidimensional socio-technical approach. PLoS One 2020; 15:e0238739. [PMID: 32898183 PMCID: PMC7478844 DOI: 10.1371/journal.pone.0238739] [Citation(s) in RCA: 7] [Impact Index Per Article: 1.4] [Received: 05/22/2020] [Accepted: 08/21/2020] [Indexed: 11/19/2022]

Abstract
Measuring the performance of information security is an essential part of the information security management system within organisations. Studies in the past mainly focused on establishing qualitative measurement approaches. Since these can lead to ambiguous conclusions, quantitative metrics are being increasingly proposed as a useful alternative. Nevertheless, the literature on quantitative approaches remains scarce. Thus, studies on the evaluation of information security performance are challenging, especially since many approaches are not tested in organisational settings. The paper aims to validate the model used for evaluating the performance of an information security management system through a multidimensional socio-technical approach, in real-world settings among medium-sized enterprises in Slovenia. The results indicate that information security is strategically defined and compliant; however, measures are primarily implemented at technical and operational levels, while its strategic management remains underdeveloped. We found that the biggest issues are related to information resources and risk management, where information security measurement-related activities proved to be particularly problematic. Even though enterprises do possess certain information security capabilities and are aware of the importance of information security, their current practices make it difficult for them to keep up with the fast-paced technological and security trends.

Affiliation(s)
- Kaja Prislan, Faculty of Criminal Justice and Security, University of Maribor, Ljubljana, Slovenia
- Anže Mihelič, Faculty of Criminal Justice and Security, University of Maribor, Ljubljana, Slovenia
- Igor Bernik, Faculty of Criminal Justice and Security, University of Maribor, Ljubljana, Slovenia

53.

Affiliation(s)
- Matthew Walsh, Associate Staff in the Biological and Chemical Technologies Group, MIT Lincoln Laboratory, Lexington, MA
- William Streilein, PhD, Principal Staff in the Homeland Protection and Air Traffic Control Division, MIT Lincoln Laboratory, Lexington, MA

54. Readiness for information security of teachers as a function of their personality traits and their assessment of threats. ASLIB J INFORM MANAG 2020. [DOI: 10.1108/ajim-12-2019-0371] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.6] [Indexed: 11/17/2022]

Abstract
Purpose
This study examines the impact of personality traits on the degree of challenge experienced by individuals with respect to the threat on their information, the evaluation of their self-efficacy to secure the information and hence, their readiness to secure information.
Design/methodology/approach
The study's population consisted of 157 teachers from various educational institutions across Israel. We used five questionnaires to gather data.
Findings
Findings reveal a link between participants' personality traits, situation evaluation indicators and their readiness to secure information. Further, the greater subjects' information security awareness and familiarity with information security concepts, the better their application of the tools for securing information will be.
Originality/value
The importance of this research lies primarily in that it highlights the importance of individual differences while dealing with information security awareness. The findings constitute a theoretical and empirical basis for building tools toward guiding teachers to protect their information, as well as for devising educational and pedagogic programs for making a cultural change.

55. Karjalainen M, Siponen M, Sarker S. Toward a stage theory of the development of employees’ information security behavior. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.101782] [Citation(s) in RCA: 13] [Impact Index Per Article: 2.6] [Indexed: 11/29/2022]

56. Menon NM, Siponen MT. Executives' Commitment to Information Security. DATA BASE FOR ADVANCES IN INFORMATION SYSTEMS 2020. [DOI: 10.1145/3400043.3400047] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.2] [Indexed: 10/24/2022]

Abstract
Two aspects of decision-making on information security spending, executives' varying preferences for how proposals should be presented and the framing of the proposals, are developed. The proposed model of executives' commitment to information security is an interaction model (in addition to the cost of a security solution, and the risk and the potential loss of a security threat) consisting of the interaction between an executive's preferred subordinate influence approach (PSIA), rational or inspirational, and the framing, positive or negative, of a security proposal. The interaction of these two constructs affects the executive's commitment to an information security proposal. The model is tested using a scenario-based experiment that elicited responses from business executives across 100+ organizations. Results show that the interaction of the negative framing of a proposal and the inspirational PSIA of an executive affects his or her commitment to information security. Further, negative framing of a proposal and the cost of the security solution interact to decrease the executive's commitment to information security. This study underscores that prescriptions for business executives from normative models in information security spending must be complemented with appropriately framed messages to account for the differences in executives' PSIA (rational and inspirational) and cognitive biases.

57. AlMindeel R, Martins JT. Information security awareness in a developing country context: insights from the government sector in Saudi Arabia. INFORMATION TECHNOLOGY & PEOPLE 2020. [DOI: 10.1108/itp-06-2019-0269] [Citation(s) in RCA: 7] [Impact Index Per Article: 1.4] [Indexed: 11/17/2022]

Abstract
Purpose
The purpose of this paper is to increase understanding of employee information security awareness in a government sector setting and illuminate the problems that public sector organisations in a developing context face when seeking to establish an information security awareness programme.
Design/methodology/approach
An interpretive research design was followed to develop an empirically enriched understanding of information security awareness perceptions, aspirations, challenges and enablers in the context of Saudi Arabia as a developing country. The study adopts a single-case study approach, including face-to-face interviews with senior employees, as well as document analysis.
Findings
The paper theorises the importance of individual information security awareness, knowledge and behaviour and identifies a number of facilitating conditions: customisation to employee and organisational needs, interactivity, innovation, frequency, integration of both electronic and physical learning resources and rewarding the acquisition of in-depth security-related actionable knowledge.
Originality/value
This study is one of the first to examine information security awareness as a socio-technical process within a government sector organisation in a developing country context.

58. da Veiga A, Astakhova LV, Botha A, Herselman M. Defining organisational information security culture—Perspectives from academia and industry. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.101713] [Citation(s) in RCA: 39] [Impact Index Per Article: 7.8] [Indexed: 11/30/2022]

59. Diesch R, Pfaff M, Krcmar H. A comprehensive model of information security factors for decision-makers. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.101747] [Citation(s) in RCA: 31] [Impact Index Per Article: 6.2] [Indexed: 11/27/2022]

60. Information system security policy noncompliance: the role of situation-specific ethical orientation. INFORMATION TECHNOLOGY & PEOPLE 2020. [DOI: 10.1108/itp-03-2019-0109] [Citation(s) in RCA: 7] [Impact Index Per Article: 1.4] [Indexed: 11/17/2022]

Abstract
Purpose
This study examines how neutralization strategies affect the efficacy of information system security policies. This paper proposes that neutralization strategies used to rationalize security policy noncompliance range across ethical orientations, extending from those helping the greatest number of people (ethics of care) to those damaging the fewest (ethics of justice). The results show how noncompliance differs between genders based on those ethical orientations.
Design/methodology/approach
A survey was used to measure information system security policy noncompliance intentions across six different hypothetical scenarios involving neutralization techniques used to justify noncompliance. Data was gathered from students at a mid-western, comprehensive university in the United States.
Findings
The empirical analysis suggests that gender does play a role in information system security policy noncompliance. However, its significance is dependent upon the underlying neutralization method used to justify noncompliance. The role of reward and punishment is contingent on the situation-specific ethical orientation (SSEO) which in turn is a combination of internal ethical positioning based on one's gender and external ethical reasoning based on neutralization technique.
Originality/value
This study extends ethical decision-making theory by examining how the use of punishments and rewards might be more effective in security policy compliance based upon gender. Importantly, the study emphasizes the interplay between ethics, gender and neutralization techniques, as different ethical perspectives appeal differently based on gender.

61. Guo Y, Wang C. The Impact Mechanisms of Psychological Learning Climate on Employees' Innovative Use of Information Systems. JOURNAL OF GLOBAL INFORMATION MANAGEMENT 2020. [DOI: 10.4018/jgim.2020040103] [Citation(s) in RCA: 5] [Impact Index Per Article: 1.0] [Indexed: 11/08/2022]

Abstract
The aim of this study is to explore the impact mechanisms of psychological learning climate on employees' innovative use of information systems (IS). Using structural equation modeling, this study develops a theoretical model to investigate how the psychological learning climate affects innovative IS use by introducing individual motivational factors as mediators. The model is tested through a survey of 163 employees using enterprise resource planning (ERP) systems in China. The results suggest that psychological learning climate is positively related to innovative IS use both directly and indirectly. The indirect effect works through motivating employees' intrinsic motivation and creative self-efficacy. This study adds to the literature on IS use by identifying and examining the role of psychological learning climate as a driver of innovative IS use. The findings could provide managers with an understanding of how management can inspire employees' potential in IS innovation.

Affiliation(s)
- Yuanyuan Guo, Collaborative Innovation Center for Transport Studies, School of Maritime Economics and Management, Dalian Maritime University, Dalian, China
- Chaoyou Wang, School of Management Science and Engineering, Dongbei University of Finance and Economics, Dalian, China

62. Silic M, Lowry PB. Using Design-Science Based Gamification to Improve Organizational Security Training and Compliance. J MANAGE INFORM SYST 2020. [DOI: 10.1080/07421222.2019.1705512] [Citation(s) in RCA: 28] [Impact Index Per Article: 5.6] [Indexed: 10/24/2022]

Affiliation(s)
- Mario Silic, Institute of Information Management, University of St. Gallen, St. Gallen, Switzerland
- Paul Benjamin Lowry, Department of Business Information Technology, Pamplin College of Business, Virginia Tech, Blacksburg, VA, USA

63. Yazdanmehr A, Wang J, Yang Z. Peers matter: The moderating role of social influence on information security policy compliance. INFORMATION SYSTEMS JOURNAL 2020. [DOI: 10.1111/isj.12271] [Citation(s) in RCA: 24] [Impact Index Per Article: 4.8] [Indexed: 11/28/2022]

Affiliation(s)
- Adel Yazdanmehr, Paul H. Chook Department of Information Systems and Statistics, Zicklin School of Business, Baruch College, The City University of New York, New York City, New York, USA
- Jingguo Wang, Department of Information Systems and Operations Management, College of Business, The University of Texas at Arlington, Arlington, Texas, USA
- Zhiyong Yang, Department of Marketing, Entrepreneurship, Sustainable Tourism and Hospitality, Bryan School of Business and Economics, University of North Carolina at Greensboro, Greensboro, North Carolina, USA

64. Stakeholder perceptions of information security policy: Analyzing personal constructs. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2020. [DOI: 10.1016/j.ijinfomgt.2019.04.011] [Citation(s) in RCA: 19] [Impact Index Per Article: 3.8] [Indexed: 11/22/2022]

65. Jalali MS, Bruckes M, Westmattelmann D, Schewe G. Why Employees (Still) Click on Phishing Links: Investigation in Hospitals. J Med Internet Res 2020; 22:e16775. [PMID: 32012071 PMCID: PMC7005690 DOI: 10.2196/16775] [Citation(s) in RCA: 31] [Impact Index Per Article: 6.2] [Received: 10/23/2019] [Revised: 12/11/2019] [Accepted: 12/16/2019] [Indexed: 12/25/2022]

Abstract
Background
Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients.
Objective
This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data.
Methods
We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees’ survey results with their actual clicking data from phishing campaigns.
Results
Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees’ workload is positively associated with the likelihood of employees clicking on a phishing link.
Conclusions
This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees’ workload to increase information security. Our findings can help health care organizations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.

Affiliation(s)
- Mohammad S Jalali, Massachusetts General Hospital Institute for Technology Assessment, Harvard Medical School, Boston, MA, United States; Massachusetts Institute of Technology Sloan School of Management, Cambridge, MA, United States
- Maike Bruckes, Center for Management, University of Muenster, Muenster, Germany
- Gerhard Schewe, Center for Management, University of Muenster, Muenster, Germany

66. Rostami E, Karlsson F, Kolkowska E. The hunt for computerized support in information security policy management. INFORMATION AND COMPUTER SECURITY 2020. [DOI: 10.1108/ics-07-2019-0079] [Citation(s) in RCA: 4] [Impact Index Per Article: 0.8] [Indexed: 11/17/2022]

Abstract
Purpose
The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.
Design/methodology/approach
The results are based on a literature review of ISP management research published between 1990 and 2017.
Findings
Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively, and intervention-oriented research is rare.
Research limitations/implications
Future research should, to a larger extent, address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, and investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.
Practical implications
The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.
Originality/value
Today, there are no literature reviews on the extent to which computerised support exists for the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

67. Hong Y, Furnell S. Motivating Information Security Policy Compliance: Insights from Perceived Organizational Formalization. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2019. [DOI: 10.1080/08874417.2019.1683781] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.3] [Indexed: 10/25/2022]

Affiliation(s)
- Steven Furnell, University of Plymouth, Plymouth, UK; Edith Cowan University, Perth, Australia; Nelson Mandela University, Port Elizabeth, South Africa

68. Y. Connolly L, Wall DS. The rise of crypto-ransomware in a changing cybercrime landscape: Taxonomising countermeasures. Comput Secur 2019. [DOI: 10.1016/j.cose.2019.101568] [Citation(s) in RCA: 28] [Impact Index Per Article: 4.7] [Indexed: 11/27/2022]

69. Institutional governance and protection motivation: Theoretical insights into shaping employees’ security compliance behavior in higher education institutions in the developing world. Comput Secur 2019. [DOI: 10.1016/j.cose.2019.101594] [Citation(s) in RCA: 32] [Impact Index Per Article: 5.3] [Indexed: 11/30/2022]

70. Park EH, Kim J, Wiles LL, Park YS. Factors affecting intention to disclose patients’ health information. Comput Secur 2019. [DOI: 10.1016/j.cose.2018.05.003] [Citation(s) in RCA: 9] [Impact Index Per Article: 1.5] [Indexed: 11/27/2022]

71.

Abstract
Purpose
The purpose of this study is to use a developed and pre-tested scenario-based measurement instrument for policy compliance and determine whether policy compliance measurements in the current policy compliance research are biased as has been postulated during a pre-study. The expected biases are because of social desirability and because of biases based on identity theory.
Design/methodology/approach
A survey was conducted (n = 54) that used policy compliance scales from literature and the developed self-reporting policy compliance (SRPC) scale, along with the Marlow–Crowne social desirability (MC-SDB) scale. Differences between the policy compliance scales were assessed. Moreover, a transformation of the SRPC measurements into the literature-based scales was examined using pair-wise t-testing. Finally, correlations between the MC-SDB and the policy compliance scales were examined.
Findings
There are no significant influences on the desire for social approval of the respondents as was exhibited by the MC-SDB values and policy compliance on either scale. However, the SRPC scale measurements show deviations from the literature-based policy compliance scales. Individuals that exhibit secure behaviour, which is not rooted in a policy but rather in anything but the policy, are also captured as being policy compliant in the current scales. This shows that a response bias exists in current scales. Respondents who perceive themselves to exhibit secure behaviours may think that they are in compliance with the policy, even when they are not.
Practical implications
These findings mean that several contributions in the field of policy compliance must be questioned and that a revisit of several factors influencing policy compliance may be required.
Originality/value
To the best of the authors’ knowledge, response biases in policy compliance research have not been considered to date.

72. Xu Z, Guo K. It ain’t my business: a coping perspective on employee effortful security behavior. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2019. [DOI: 10.1108/jeim-10-2018-0229] [Citation(s) in RCA: 7] [Impact Index Per Article: 1.2] [Indexed: 11/17/2022]

Abstract
Purpose
The human factor is often cited as one of the biggest challenges for organizational information security management. The purpose of this paper is to investigate how and why employees fail to carry out required security tasks.
Design/methodology/approach
On the basis of coping theory, this paper develops a theoretical model to examine employee effortful security behavior (ESB). The model is tested with the data collected through a survey of computer users.
Findings
The results suggest that employee procrastination of security tasks and psychological detachment from security issues are two antecedents of ESB. Psychological detachment and procrastination are in turn influenced by perceived externalities of security risk and triage of business tasks over security issues by employees.
Originality/value
This paper contributes to the information systems security literature by providing a nuanced understanding of the antecedents and process of how employees cope with security task demands. It also offers some insights for practitioners in terms of the importance of designing and implementing security measures that are viewed as relevant to employees.

73. Nielsen S, Pontoppidan IC. Exploring the inclusion of risk in management accounting and control. MANAGEMENT RESEARCH REVIEW 2019. [DOI: 10.1108/mrr-10-2017-0342] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.2] [Indexed: 11/17/2022]

Abstract
Purpose
This paper aims to contribute to the construction of a framework that makes risk management (RM) more effective and visible. This is done by investigating how the concept of “risk” is included in various activities in the management accounting and control (MA&C) system.
Design/methodology/approach
A cross-sectional analysis of 72 Danish organisations extracted from an alumni database is conducted together with a factor analysis and a partial least squares structural equation modelling approach.
Findings
The authors find four latent variables, namely, expectation, attitude, subjective norms, processes and culture, which all have risk activities in MA&C as the dependent variable. Attitude seems to be a powerful antecedent, whereas supporting processes and culture play a crucial partial mediator role for the inclusion of risk.
Research limitations/implications
The findings add to the understanding of the interrelationships between risk and MA&C. An important caveat is that the authors use soft and self-reported data for the dependent variable and for the various independent variables.
Practical implications
The authors propose a dynamic and holistic framework for the analysis of risk. This framework eliminates the limitations found in many prior studies that have neglected the interrelated importance of attitude and supporting processes and culture. The results of this study also provide valuable insights for managers who wish to consider and to explore the interrelations of a number of antecedent risk issues that influence different risk activities in MA&C.
Originality/value
This paper is one of the few papers that assess the impact of different risk issues on firms’ different MA&C activities by including the theory of planned behaviour. The potential key role that supporting processes and culture play as partial mediators for risk inclusion is particularly interesting. The research extends prior research by constructing a framework that makes the implementation of RM processes in the MA&C system more effective. It also proposes a validation process that can lessen possible model risk.

74. Chen H, Chau PY, Li W. The effects of moral disengagement and organizational ethical climate on insiders’ information security policy violation behavior. INFORMATION TECHNOLOGY & PEOPLE 2019. [DOI: 10.1108/itp-12-2017-0421] [Citation(s) in RCA: 11] [Impact Index Per Article: 1.8] [Indexed: 11/17/2022]

Abstract
Purpose
The purpose of this paper is to develop a model that integrates moral disengagement (MD) and organizational ethical climate (OEC) to understand information security policy (ISP) violation behavior in the workplace. This study extends prior work by identifying the moderating mechanisms of the ethical culture of OECs in the relationship between employees’ MD and ISP violation behavior intention.
Design/methodology/approach
By using scenario-based survey data from 433 employees in Chinese enterprises and by applying PLS-based structural equation modeling, the authors test a series of hypotheses.
Findings
Our empirical results highlight that the concept of MD has a significant effect on employees’ intention to violate ISPs. The authors also find that the OEC has a moderating role in the relationship between MD and ISP violation intention: the moderating role of law-and-rule-oriented OEC is significantly negative, but instrumentalism-oriented OEC positively moderates this relationship.
Originality/value
This study contributes to the literature on information security behavior by integrating two ethical theory frameworks, MD and OEC, into one theoretical model, and it calls attention to how ethical factors at the individual cognition level and organizational climate level work together to influence personal information security behavior. This study provides a new perspective of OEC from which to understand policy violation caused by moral self-regulation failure, and empirically explores its moderating role.

75. Hsia TL, Chiang AJ, Wu JH, Teng NN, Rubin AD. What drives E-Health usage? Integrated institutional forces and top management perspectives. COMPUTERS IN HUMAN BEHAVIOR 2019. [DOI: 10.1016/j.chb.2019.01.010] [Citation(s) in RCA: 22] [Impact Index Per Article: 3.7] [Indexed: 12/20/2022]

76
|
Topa I, Karyda M. From theory to practice: guidelines for enhancing information security management. INFORMATION AND COMPUTER SECURITY 2019. [DOI: 10.1108/ics-09-2018-0108] [Citation(s) in RCA: 8] [Impact Index Per Article: 1.3] [Reference Citation Analysis] [Abstract] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
Purpose
This study aims to identify the implications of security behaviour determinants for security management to propose respective guidelines which can be integrated with current security management practices, including those following the widely adopted information security standards ISO 27001, 27002, 27003 and 27005.
Design/methodology/approach
Based on an exhaustive analysis of related literature, the authors identify critical factors influencing employee security behaviour and ISP compliance. The authors use these factors to perform a gap analysis of widely adopted information security standards ISO 27001, 27002, 27003 and 27005 and identify issues not covered or only partially addressed. Drawing on the implications of security behaviour determinants and the identified gaps, the authors provide guidelines which can enhance security management practices.
Findings
The authors uncover the factors shaping security behaviour barely or partly considered in the ISO information security standards ISO 27001, 27002, 27003 and 27005, including top management participation, accommodating individual characteristics, embracing the cultural context, encouraging employees to comply out of habit and considering the cost of compliance. Furthermore, the authors provide guidelines to security managers on enhancing their security management practices when implementing the above ISO Standards.
Practical implications
This study offers guidelines on how to create and design security management practices whilst implementing ISO standards (ISO 27001, ISO 27002, ISO 27003, ISO 27005) so as to enhance ISP compliance.
Originality/value
This study analyses the role and implications of security behaviour determinants, discusses discrepancies and conflicting findings in related literature, provides a gap analysis of commonly used information security standards (ISO 27001, 27002, 27003 and 27005) and proposes guidelines on enhancing security management practices towards improving ISP compliance.
77
A conceptual model and empirical assessment of HR security risk management. INFORMATION AND COMPUTER SECURITY 2019. [DOI: 10.1108/ics-05-2018-0057] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.3] [Indexed: 11/17/2022]
Abstract
Purpose
This study aims to develop a conceptual model and assess the extent to which pre-, during- and post-employment HR security controls are applied in organizations to manage information security risks.
Design/methodology/approach
The conceptual model is developed based on the agency theory and the review of theoretical, empirical and practitioner literature. Following, empirical data are collected through a survey from 134 IT professionals, internal audit personnel and HR managers working within five major industry sectors in a developing country to test the organizational differences in pre-, during- and post-employment HR security measures.
Findings
Using analysis of variance, the findings reveal significant differences among the organizations. Financial institutions perform better in employee background checks, terms and conditions of employment, management responsibilities, security education, training and awareness and disciplinary process. Conversely, healthcare institutions outperform other organizations in post-employment security management. The government public institutions perform the worst among all the organizations.
Originality/value
An integration of a conceptual model with HR security controls is an area that is under-researched and under-reported in information security and human resource management literature. Accordingly, this research on HR security management contributes to reducing such a gap and adds to the existing HR security risk management literature. It, thereby, provides an opportunity for researchers to conduct comparative studies between developed and developing nations or to benchmark a specific organization’s HR security management.
78
Lankton NK, Stivason C, Gurung A. Information protection behaviors: morality and organizational criticality. INFORMATION AND COMPUTER SECURITY 2019. [DOI: 10.1108/ics-07-2018-0092] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.5] [Indexed: 11/17/2022]
Abstract
Purpose
Organizational insiders play a critical role in protecting sensitive information. Prior research finds that moral beliefs influence compliance decisions. Yet, it is less clear what factors influence moral beliefs and the conditions under which those factors have stronger/weaker effects. Using an ethical decision-making model and value congruence theory, this study aims to investigate how moral intensity and organizational criticality influence moral beliefs and intentions to perform information protection behaviors.
Design/methodology/approach
The hypotheses were tested using a scenario-based survey of 216 organizational insiders. Two of the scenarios depict low criticality information security protection behaviors and two depict high criticality behaviors.
Findings
A major finding is that users rely more on perceived social consensus and magnitude of consequences when organizational criticality is low and on temporal immediacy and proximity when criticality is high. In addition, the moral intensity dimensions explain more variance in moral beliefs when organizational criticality is low.
Research limitations/implications
The study is limited by its sample, which is organizational insiders at a mid-size university. It is also limited in that it only examined four of the six moral intensity dimensions.
Practical implications
The findings can guide management about which moral intensity dimensions are more important to focus on when remediating tone at the top and other leadership weaknesses relating to information security.
Originality/value
This study adds value by investigating the separate dimensions of moral intensity on information protection behaviors. It also is the first to examine moral intensity under conditions of low and high organizational criticality.
79
Ahmad Z, Ong TS, Liew TH, Norhashim M. Security monitoring and information security assurance behaviour among employees. INFORMATION AND COMPUTER SECURITY 2019. [DOI: 10.1108/ics-10-2017-0073] [Citation(s) in RCA: 11] [Impact Index Per Article: 1.8] [Indexed: 11/17/2022]
Abstract
Purpose
The purpose of this research is to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour. Security assurance behaviour represents employees’ intentional and effortful actions aimed towards protecting information systems. The behaviour is highly desired as it tackles the human factor within the information security framework. The authors posited that security assurance behaviour is a learned behaviour that can be enhanced by the implementation of information security monitoring.
Design/methodology/approach
Theoretical framework underlying this study with six constructs, namely, subjective norm, outcome expectation, information security monitoring, information security policy, self-efficacy and perceived inconvenience, were identified as significant in determining employees’ security assurance behaviour (SAB). The influence of these constructs on SAB could be explained by social cognitive theory and is empirically supported by past studies. An online questionnaire survey as the main research instrument is adopted to elicit information on the six constructs tested in this study. Opinion from industry and academic expert panels on the relevance and face validity of the questionnaire were obtained prior to the survey administration.
Findings
Findings from this research indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. This study also demonstrates that employees tend to abandon security behaviour when the behaviour is perceived as inconvenient. Hence, organisations must find ways to reduce the perceived inconvenience using various security automation methods and specialised security training. Reducing perceived inconvenience is a challenge to information security practitioners.
Research limitations/implications
There are some limitations in the existing work that could be addressed in future studies. One of them is the possible social desirability bias due to the self-reported measure adopted in the study. Even though the authors have made every effort possible to collect representative responses via anonymous survey, it is still possible that the respondents may not reveal true behaviour as good conduct is generally desired. This may lead to a bias towards favourable behaviour.
Practical implications
In general, the present research provides a number of significant insights and valuable information related to security assurance behaviour among employees. The major findings could assist security experts and organisations to develop better strategies and policies for information security protection. Findings of this research also indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy.
Social implications
In this research, the social cognitive learning theory is used to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour; the finding implies that monitoring emphasises expected behaviours and helps to reinforce organisational norms. Monitoring may also accelerate learning when employees become strongly mindful of their behaviours. Hence, it is important for organisations to communicate the monitoring practices implemented, even more imperative whenever security monitoring employed is unobtrusive in nature. Nonetheless, care must be taken in this communication to avoid resentment and mistrust among employees.
Originality/value
This study is significant in a number of ways. First, this study highlights significant antecedents of security assurance behaviour, which helps organisations to assess their current practices, which may nurture or suppress information security. Second, using users’ perspective, this study provides recommendations pertaining to monitoring as a form of information security measure. Third, this study provides theoretical contribution to the existing information security literature via the application of the social cognitive learning theory.
80
Nowak R. Responding to key exogenous changes: The joint effect of network heterogeneity and culture of innovation. INTERNATIONAL JOURNAL OF INNOVATION MANAGEMENT 2019. [DOI: 10.1142/s1363919619500300] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.2] [Indexed: 11/18/2022]
Abstract
Any firm must decide to what extent it should remain open to its environment and which internal competencies it should develop to capitalise on externally sourced information. While addressing these key strategic considerations, this project focuses on the joint effect of heterogeneity of external networks and internal culture of innovation. High heterogeneity of external networks should enable a firm to more quickly learn about and address evolving demands of external markets. Nevertheless, to fully capitalise on new incoming information, a firm must also establish an organisational culture that will mandate strong employee engagement and support for the process of internal transformation. Consequently, this study proposes that the joint effect of two factors — heterogeneous networks and culture of innovation — may empower any organisation to successfully react to key environmental changes. The empirical testing of the proposed model was conducted using regression analyses performed on original data collected in the health industry. Contribution to research and practice is discussed.
Affiliation(s)
- Radoslaw Nowak
- School of Management, New York Institute of Technology, 1855 Broadway, New York, NY 10023-7692, USA

81
Khan HU, AlShare KA. Violators versus non-violators of information security measures in organizations—A study of distinguishing factors. JOURNAL OF ORGANIZATIONAL COMPUTING AND ELECTRONIC COMMERCE 2019. [DOI: 10.1080/10919392.2019.1552743] [Citation(s) in RCA: 12] [Impact Index Per Article: 2.0] [Indexed: 10/27/2022]
Affiliation(s)
- Habib Ullah Khan
- Department of Accounting and Information Systems, College of Business & Economics, Qatar University, Doha, Qatar
- Khalid A. AlShare
- Department of Accounting and Information Systems, College of Business & Economics, Qatar University, Doha, Qatar

82
Burns AJ, Johnson ME, Caputo DD. Spear phishing in a barrel: Insights from a targeted phishing campaign. JOURNAL OF ORGANIZATIONAL COMPUTING AND ELECTRONIC COMMERCE 2019. [DOI: 10.1080/10919392.2019.1552745] [Citation(s) in RCA: 16] [Impact Index Per Article: 2.7] [Indexed: 10/27/2022]
Affiliation(s)
- A. J. Burns
- Hankamer School of Business, Baylor University, Waco, TX, USA
- M. Eric Johnson
- Owen Graduate School of Management, Vanderbilt University, USA

83
Chen Q, Feng Y, Liu L, Tian X. Understanding consumers’ reactance of online personalized advertising: A new scheme of rational choice from a perspective of negative effects. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2019. [DOI: 10.1016/j.ijinfomgt.2018.09.001] [Citation(s) in RCA: 35] [Impact Index Per Article: 5.8] [Indexed: 11/26/2022]
84
Evaluating the explanatory power of theoretical frameworks on intention to comply with information security policies in higher education. Comput Secur 2019. [DOI: 10.1016/j.cose.2018.09.016] [Citation(s) in RCA: 33] [Impact Index Per Article: 5.5] [Indexed: 11/20/2022]
85
Abstract
Internal vulnerabilities and insider threats top the list of information security (InfoSec) incidents; prompting organizations to establish InfoSec policy (ISP). Yet, mitigating user's ISP non-compliance is still an arduous task. Hence, this study aims to minimize user's ISP non-compliance intention by investigating their perception and attitude toward ISP non-compliance. Specifically, protective measures drawing upon the protection motivation theory - perceived severity of ISP non-compliance, rewards and familiarity with ISP - analyze users' attitude toward ISP non-compliance. Further, the new construct, information technology (IT) vision conflict, is the mismatch between the values that users hold and those embedded in the ISP. The misalignment of the two conflicting values moderates the relationship between the protective measures and attitude toward ISP non-compliance. Findings show that IT vision conflict weakens the negative relationship between perceived severity of ISP non-compliance and attitude toward ISP non-compliance; indirectly affecting ISP non-compliance intention.
86
Bring your own device in organizations: Extending the reversed IT adoption logic to security paradoxes for CEOs and end users. INTERNATIONAL JOURNAL OF INFORMATION MANAGEMENT 2018. [DOI: 10.1016/j.ijinfomgt.2018.07.007] [Citation(s) in RCA: 26] [Impact Index Per Article: 3.7] [Indexed: 11/19/2022]
87
Sommestad T. Work-related groups and information security policy compliance. INFORMATION AND COMPUTER SECURITY 2018. [DOI: 10.1108/ics-08-2017-0054] [Citation(s) in RCA: 10] [Impact Index Per Article: 1.4] [Indexed: 11/17/2022]
Abstract
Purpose
It is widely acknowledged that norms and culture influence decisions related to information security. The purpose of this paper is to investigate how work-related groups influence information security policy compliance intentions and to what extent this influence is captured by the Theory of Planned Behavior, an established model over individual decision-making.
Design/methodology/approach
A multilevel model is used to test the influence of work-related groups using a cluster sample of responses from 2,291 employees from 203 worksites, 119 organizations, 6 industries and 38 professions.
Findings
The results suggest that work-related groups influence individuals’ decision-making in the manner in which contemporary theories of information security culture posit. However, the influence is weak to modest and overshadowed by individual perceptions that are straightforward to measure.
Research limitations/implications
This paper is limited to one national culture and four types of work-related groups. However, the results suggest that the Theory of Planned Behavior captures most of the influence that work-related groups have on decision-making. Future research on security culture and similar phenomena should take this into account.
Practical implications
Information security perceptions in work-related groups are diverse and information security decisions appear to be based on individual perceptions and priorities rather than groupthink or peer-pressure. Security management interventions may be more effective if they target individuals rather than groups.
Originality/value
This paper tests some of the basic ideas related to information security culture and its influence on individuals’ decision-making.
88
Kumah P, Yaokumah W, Buabeng-Andoh C. Identifying HRM Practices for Improving Information Security Performance. INTERNATIONAL JOURNAL OF HUMAN CAPITAL AND INFORMATION TECHNOLOGY PROFESSIONALS 2018. [DOI: 10.4018/ijhcitp.2018100102] [Citation(s) in RCA: 7] [Impact Index Per Article: 1.0] [Indexed: 11/09/2022]
Abstract
This article focuses on identifying key human resource management (HRM) practices necessary for improving information security performance from the perspective of IT professionals. The Importance-Performance Map Analysis (IPMA) via SmartPLS 3.0 was employed and 232 samples were collected from information technology (IT) professionals in 43 organizations. The analysis identified information security training, background checks and monitoring as very important HRM practices that could improve the performance of organizational information security. In particular, the study found training on mobile devices security and malware; background checks and monitoring of potential, current and former employees as of high importance but with low performance. Thus, these key areas need to be improved with top priority. Conversely, the study found accountability and employee relations as being overly emphasized by the organisations. The findings raised some useful implications and information for HR and IT leaders to consider in future information security strategy.
Affiliation(s)
- Winfred Yaokumah
- Department of Information Technology, Pentecost University College, Accra, Ghana

89
Lu G, Koufteros X, Talluri S, Hult GTM. Deployment of Supply Chain Security Practices: Antecedents and Consequences. DECISION SCIENCES 2018. [DOI: 10.1111/deci.12336] [Citation(s) in RCA: 10] [Impact Index Per Article: 1.4] [Indexed: 11/28/2022]
90
Verma S, Bhattacharyya SS, Kumar S. An extension of the technology acceptance model in the big data analytics system implementation environment. Inf Process Manag 2018. [DOI: 10.1016/j.ipm.2018.01.004] [Citation(s) in RCA: 75] [Impact Index Per Article: 10.7] [Indexed: 11/30/2022]
91
Johnston AC, Warkentin M, Dennis AR, Siponen M. Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making. DECISION SCIENCES 2018. [DOI: 10.1111/deci.12328] [Citation(s) in RCA: 23] [Impact Index Per Article: 3.3] [Indexed: 11/26/2022]
Affiliation(s)
- Allen C. Johnston
- University of Alabama, Information Systems, Statistics, and Management Science, Tuscaloosa, AL 35487
- Merrill Warkentin
- Mississippi State University, Mgmt & Info Systems, Mississippi State, MS 39762
- Alan R. Dennis
- Indiana University, Operations and Decision Technologies, Bloomington, IN 47405
- Mikko Siponen
- University of Jyväskylä, Information Technology, 40014 Jyväskylä, Finland

92
Alohali M, Clarke N, Li F, Furnell S. Identifying and predicting the factors affecting end-users’ risk-taking behavior. INFORMATION AND COMPUTER SECURITY 2018. [DOI: 10.1108/ics-03-2018-0037] [Citation(s) in RCA: 18] [Impact Index Per Article: 2.6] [Indexed: 11/17/2022]
Abstract
Purpose
The end-user has frequently been identified as the weakest link; however, motivated by the fact that different users react differently to the same stimuli, identifying the reasons behind variations in security behavior and why certain users could be “at risk” more than others is a step toward protecting and defending users against security attacks. This paper aims to explore the effect of personality trait variations (through the Big Five Inventory [BFI]) on users’ risk level of their intended security behaviors. In addition, age, gender, service usage and information technology (IT) proficiency are analyzed to identify what role and impact they have on behavior.
Design/methodology/approach
The authors developed a quantitative-oriented survey that was implemented online. The bi-variate Pearson two-tailed correlation was used to analyze survey responses.
Findings
The results obtained by analyzing 538 survey responses suggest that personality traits do play a significant role in affecting users’ security behavior risk levels. Furthermore, the results suggest that BFI score of a trait has a significant effect as users’ online personality is linked to their offline personality, especially in the conscientiousness personality trait. Additionally, this effect was stronger when personality was correlated with the factors of IT proficiency, gender, age and online activity.
Originality/value
The contributions of this paper are two-fold. First, with the aid of a large population sample, end-users’ security practice is assessed from multiple domains, and relationships were found between end-users’ risk-taking behavior and nine user-centric factors. Second, based upon these findings, the predictive ability of these user-centric factors was evaluated to determine the level of risk a user is subject to from an individual behavior perspective. Of 28 behaviors, 11 were found to have a 60 per cent or greater predictive ability, with the highest classification of 92 per cent for several behaviors. This provides a basis for organizations to use behavioral intent alongside personality traits and demographics to understand and, therefore, manage the human aspects of risk.
93
Pramod D, Bharathi SV. Developing an Information Security Risk Taxonomy and an Assessment Model using Fuzzy Petri Nets. JOURNAL OF CASES ON INFORMATION TECHNOLOGY 2018. [DOI: 10.4018/jcit.2018070104] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.3] [Indexed: 11/09/2022]
Abstract
In the digital era, organization-wide information security risk assessment has gained importance because it can impact businesses in many ways. In this article, the authors propose a model to assess the information security risk using Fuzzy Petri Nets (FPN). Deeply rooted in the OCTAVE framework, this research presents a taxonomy of risk practice areas and risk factors. The authors apply the constituents of the taxonomy to risk assessment through a well-defined FPN model. The primary motive of the article is to extend the usability of FPNs to newer and less explored domains like audit and evaluation of information security risks. The unique contribution of this article is the definition and development of a comprehensive and measurable model of risk assessment and quantification. The model can also serve as a tool to capture the risk perception of the respondents for validating the criticality of risk and facilitate the top management to invest in information security control eco-system judiciously.
Affiliation(s)
- Dhanya Pramod
- Symbiosis Centre for Information Technology (SCIT), Symbiosis International (Deemed University), Pune, India
- S. Vijayakumar Bharathi
- Symbiosis Centre for Information Technology (SCIT), Symbiosis International (Deemed University), Pune, India

94
Yan Z, Robertson T, Yan R, Park SY, Bordoff S, Chen Q, Sprissler E. Finding the weakest links in the weakest link: How well do undergraduate students make cybersecurity judgment? COMPUTERS IN HUMAN BEHAVIOR 2018. [DOI: 10.1016/j.chb.2018.02.019] [Citation(s) in RCA: 36] [Impact Index Per Article: 5.1] [Indexed: 11/26/2022]
95
The Looming Cybersecurity Crisis and What It Means for the Practice of Industrial and Organizational Psychology. INDUSTRIAL AND ORGANIZATIONAL PSYCHOLOGY-PERSPECTIVES ON SCIENCE AND PRACTICE 2018. [DOI: 10.1017/iop.2018.3] [Citation(s) in RCA: 4] [Impact Index Per Article: 0.6] [Indexed: 11/06/2022]
Abstract
The persistently changing landscape of cyberspace and cybersecurity has led to a call for organizations’ increased attention toward securing information and systems. Rapid change in the cyber environment puts it on a scale unlike any other performance environment typically of interest to industrial and organizational (I-O) psychologists and related disciplines. In this article, we reflect on the idea of keeping pace with cyber, with a particular focus on the role of practicing I-O psychologists in assisting individuals, teams, and organizations. We focus on the unique roles of I-O psychologists in relation to the cyber realm and discuss the ways in which they can contribute to organizational cybersecurity efforts. As highlighted throughout this article, we assert that the mounting threats within cyberspace amount to a “looming crisis.” Thus, we view assisting organizations and their employees with becoming resilient and adaptive to cyber threats as an imperative, and practicing I-O psychologists should be at the forefront of these efforts.
96
Tu CZ, Yuan Y, Archer N, Connelly CE. Strategic value alignment for information security management: a critical success factor analysis. INFORMATION AND COMPUTER SECURITY 2018. [DOI: 10.1108/ics-06-2017-0042] [Citation(s) in RCA: 13] [Impact Index Per Article: 1.9] [Indexed: 11/17/2022]
Abstract
Purpose
Effective information security management is a strategic issue for organizations to safeguard their information resources. Strategic value alignment is a proactive approach to manage value conflict in information security management. Applying a critical success factor (CSF) analysis approach, this paper aims to propose a CSF model based on a strategic alignment approach and test a model of the main factors that contribute to the success of information security management.
Design/methodology/approach
A theoretical model was proposed and empirically tested with data collected from a survey of managers who were involved in decision-making regarding their companies’ information security (N = 219). The research model was validated using partial least squares structural equation modeling approach.
Findings
Overall, the model was successful in capturing the main antecedents of information security management performance. The results suggest that with business alignment, top management support and organizational awareness of security risks and controls, effective information security controls can be developed, resulting in successful information security management.
Originality/value
Findings from this study provide several important contributions to both theory and practice. The theoretical model identifies and verifies key factors that impact the success of information security management at the organizational level from a strategic management perspective. It provides practical guidelines for organizations to make more effective information security management.
97
Guhr N, Lebek B, Breitner MH. The impact of leadership on employees' intended information security behaviour: An examination of the full-range leadership theory. INFORMATION SYSTEMS JOURNAL 2018. [DOI: 10.1111/isj.12202] [Citation(s) in RCA: 35] [Impact Index Per Article: 5.0] [Indexed: 11/27/2022]
Affiliation(s)
- Nadine Guhr
- Information Systems and Management Institute (ISMI), Leibniz Universität Hannover, Königsworther Platz 1, 30167 Hannover, Germany
- Benedikt Lebek
- bhn Dienstleistungs GmbH & Co. KG, Hans-Lenze-Straße 1, 31855 Aerzen, Germany
- Michael H. Breitner
- Information Systems and Management Institute (ISMI), Leibniz Universität Hannover, Königsworther Platz 1, 30167 Hannover, Germany

98
Towards a user-centric theory of value-driven information security compliance. INFORMATION TECHNOLOGY & PEOPLE 2018. [DOI: 10.1108/itp-08-2016-0194] [Citation(s) in RCA: 17] [Impact Index Per Article: 2.4] [Indexed: 11/17/2022]
Abstract
Purpose
The purpose of this paper is to fill a gap in the literature, by investigating the relationship between users’ perceptions of the value of the information that they are handling, and their resultant level of compliance with their organisation’s information security policies. In so doing, the authors seek to develop a theory of value-driven information security compliance.
Design/methodology/approach
An interpretive, grounded theory research approach has been adopted to generate a qualitative data set, based upon the results of 55 interviews with key informants from governmental agencies based within Brunei Darussalam, complemented by the results of seven focus groups. The interviews and focus groups were conducted in two phases, so that the results of the first phase could be used to inform the second phase data collection exercise, and the thematic analysis of the research data was conducted using the NVivo 11-Plus software.
Findings
The findings suggest that, when assigning value to their information, users take into account the views of members of their immediate work-group and the espoused views of their organisation, as well as a variety of contextual factors, relating to culture, ethics and education. Perhaps more importantly, it has been demonstrated that the users’ perception of information value has a marked impact upon their willingness to comply with security policies and protocols.
Research limitations/implications
Although the authors have been able to develop a rich model of information value and security compliance, the qualitative nature of this research means that it has not been tested, in the numerical sense. However, this study still has important implications for both research and practice. Specifically, researchers should consider users’ perceptions of information value, when conducting future studies of information security compliance.
Practical implications
Managers and practitioners will be better able to get their colleagues to comply with information security protocols, if they can take active steps to convince them that the information that they are handling is a valuable organisational resource, which needs to be protected.
Originality/value
The central contribution is a novel model of information security compliance that centre stages the role of the users’ perceptions of information value, as this is a factor which has been largely ignored in contemporary accounts of compliance behaviour. This study is also original, in that it fills a methodological gap, by balancing the voices of both user representatives and senior organisational stakeholders, in a single study.
99
Why security and privacy research lies at the centre of the information systems (IS) artefact: proposing a bold research agenda. EUR J INFORM SYST 2018. [DOI: 10.1057/s41303-017-0066-x] [Citation(s) in RCA: 81] [Impact Index Per Article: 11.6] [Indexed: 11/21/2022]
100
Cram WA, Proudfoot JG, D’Arcy J. Organizational information security policies: a review and research framework. EUR J INFORM SYST 2018. [DOI: 10.1057/s41303-017-0059-9] [Citation(s) in RCA: 80] [Impact Index Per Article: 11.4] [Indexed: 11/21/2022]
Affiliation(s)
- W. Alec Cram
- Bentley University, 175 Forest Street, 02452 Waltham, MA, USA
- John D’Arcy
- University of Delaware, 220 Purnell Hall, 19716 Newark, DE, USA