1
Jiang R, Zhang J. The impact of work pressure and work completion justification on intentional nonmalicious information security policy violation intention. Comput Secur 2023; 130:103253. [PMID: 37091524 PMCID: PMC10079594 DOI: 10.1016/j.cose.2023.103253] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Received: 09/05/2022] [Revised: 02/23/2023] [Accepted: 04/05/2023] [Indexed: 04/25/2023]
Abstract
As businesses have had to change how they operate due to the coronavirus pandemic, the need for remote work has risen. With the continuous advancements in technology and increases in typical job demands, employees need to increase their work productivity beyond regular work hours in the office. This type of work environment creates even more opportunities for security breaches due to employees intentionally violating information security policies. Although explicitly prohibited by information security policies (ISP), organizations have observed that employees bring critical data out of the office to complete their work responsibilities remotely. Consequently, developing a deeper understanding of how work pressure may influence employees to violate ISPs intentionally is crucial for organizations to protect their critical information better. Based upon the fraud triangle theory, this study proposes the opportunity to copy critical data, work pressure, and work completion justification as the primary motivational factors behind why employees copy critical company data to unsecured storage devices to work at home. A survey was conducted of 207 employees from a marketing research firm. The results suggest that opportunity, work pressure, and work completion justification are positively related to nonmalicious ISP violation intentions. Furthermore, the interaction effect between work completion justification and work pressure on the ISP violation intention is significant and positive. This study provides new insights into our understanding of the roles of work pressure and work completion justification on intentional nonmalicious ISP violation behaviors.
Affiliation(s)
- Randi Jiang
- School of Accounting, Grand Valley State University, MI, United States
- Jianru Zhang
- School of Management, Xi'an Jiaotong University, Xi'an, China
2
Apolinário S, Yoshikuni AC, Larieira CLC. Resistance to information security due to users’ information safety behaviors: Empirical research on the emerging markets. COMPUTERS IN HUMAN BEHAVIOR 2023. [DOI: 10.1016/j.chb.2023.107772] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 03/30/2023]
3
Da Veiga A. A model for information security culture with creativity and innovation as enablers – refined with an expert panel. INFORMATION AND COMPUTER SECURITY 2023. [DOI: 10.1108/ics-11-2022-0178] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 02/12/2023]
Abstract
Purpose
This study aims to elicit an understanding of creativity and innovation to enable a totally aligned information security culture. A model is proposed to encourage creativity and innovation as part of the information security culture.
Design/methodology/approach
The study first applied a theoretical approach with a scoping literature review using the preferred reporting items for systematic reviews and meta-analyses method to propose a conceptual model for engendering employee creativity and innovation as part of the information security culture. A qualitative research method was further applied with expert interviews and qualitative data analysis in Atlas.ti to validate and refine the conceptual model.
Findings
A refined and validated information security culture model enabled through creativity and innovation is presented. The input from the expert panel was used to extend the model by 18 elements highlighting that the risk appetite of an organisation defines how much creativity and innovation can be tolerated to reach a balance with the potential risks it might introduce. Embedding creativity and innovation as part of the organisational culture to facilitate it further as part of the information security culture can aid in combating cyber threats and incidents; however, it should be managed through a decision-making process while governed within policies that define the boundaries of creativity and innovation in information security.
Research limitations/implications
The research serves as a point of reference for further research about the influence of creativity and innovation in information security culture which can be investigated through structural equation modelling.
Practical implications
This study offers novel insights for managerial practice to encourage creativity and innovation as part of information security.
Originality/value
The research proposes a novel concept of introducing creativity and innovation as part of the information security culture and presents a novel model to facilitate this.
4
Examining the effect of regulatory factors on avoiding online blackmail threats on social media: A structural equation modeling approach. COMPUTERS IN HUMAN BEHAVIOR 2023. [DOI: 10.1016/j.chb.2023.107702] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 02/25/2023]
5
Tejay GP, Mohammed ZA. Cultivating Security Culture for Information Security Success: A Mixed-Methods Study Based on Anthropological Perspective. INFORMATION & MANAGEMENT 2022. [DOI: 10.1016/j.im.2022.103751] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 12/31/2022]
6
Stewart H. Digital Transformation Security Challenges. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2022. [DOI: 10.1080/08874417.2022.2115953] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/14/2022]
7
Amankwa E, Loock M, Kritzinger E. The determinants of an information security policy compliance culture in organisations: the combined effects of organisational and behavioural factors. INFORMATION AND COMPUTER SECURITY 2022. [DOI: 10.1108/ics-10-2021-0169] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/17/2022]
Abstract
Purpose
This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.
Design/methodology/approach
Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.
Findings
The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.
Practical implications
Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.
Originality/value
The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.
8
Goel L, Zhang JZ, Williamson S. IT assimilation: construct, measurement, and implications in cybersecurity. ENTERP INF SYST-UK 2022. [DOI: 10.1080/17517575.2022.2052187] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/18/2022]
Affiliation(s)
- Lakshmi Goel
- Department of Management, University of North Florida, Jacksonville, Florida, United States
- Justin Zuopeng Zhang
- Department of Management, University of North Florida, Jacksonville, Florida, United States
- Steven Williamson
- Department of Management, University of North Florida, Jacksonville, Florida, United States
9
Palanisamy R, Norman AA, Mat Kiah L. BYOD Security Risks and Mitigation Strategies: Insights from IT Security Experts. JOURNAL OF ORGANIZATIONAL COMPUTING AND ELECTRONIC COMMERCE 2022. [DOI: 10.1080/10919392.2022.2028530] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 10/19/2022]
Affiliation(s)
- Rathika Palanisamy
- Department of Computer System and Technology, Faculty of Computer Science and Information Technology, Universiti of Malaya, Jalan Universiti, Malaysia
- Azah Anir Norman
- Department of Information Systems, Faculty of Computer Science and Information Technology, University of Malaya, Jalan Universiti, Malaysia
- Laiha Mat Kiah
- Department of Computer System and Technology, Faculty of Computer Science and Information Technology, Universiti of Malaya, Jalan Universiti, Malaysia
10
Md Azmi NAA, Teoh AP, Vafaei-Zadeh A, Hanifah H. Predicting information security culture among employees of telecommunication companies in an emerging market. INFORMATION AND COMPUTER SECURITY 2021. [DOI: 10.1108/ics-02-2021-0020] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 11/17/2022]
Abstract
Purpose
The purpose of this study is to examine factors, which influence information security culture among employees of telecommunications companies. The motivation for this study was the rise in the number of data breach incidents caused by the organizations’ own employees.
Design/methodology/approach
A total of 139 usable responses were collected via a Web-based questionnaire survey from employees of Malaysian telecommunications companies. Data were analysed by using SmartPLS 3.
Findings
Security education, training and awareness (SETA) programmes and information security awareness were found to have a positive and significant impact on Information Security Culture. Additionally, self-reported employees’ security behaviour was found to act as a partial mediator on the relationship between information security awareness and information security culture.
Research limitations/implications
The study was cross-sectional in nature. Therefore, it could not measure changes in population over time.
Practical implications
The empirical data provides a new perspective on significant elements that influence information security culture in an emerging market. Organizations in the telecommunications industry can now recognize that SETA programmes and information security awareness have a significant impact on information security culture. Employees’ security behaviour also mediates the relationship between information security awareness and information security culture.
Originality/value
This is the first study to analyse the mediating effect of employees’ security behaviour on the relationship between information security awareness and information security culture in the Malaysian telecommunications context.
11
Snyman DP, Kruger H. Collective information security behaviour: a technology-driven framework. INFORMATION AND COMPUTER SECURITY 2021. [DOI: 10.1108/ics-11-2020-0180] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/17/2022]
Abstract
Purpose
This paper aims to present the development of a framework for evaluating group behaviour in information security in practice.
Design/methodology/approach
Information security behavioural threshold analysis is used as the theoretical foundation for the proposed framework. The suitability of the proposed framework is evaluated based on two sets of qualitative measures (general frameworks and information security frameworks) which were identified from literature. The successful evaluation of the proposed framework, guided by the identified evaluation measures, is presented in terms of positive practical applications, as well as positive peer review and publication of the underlying theory.
Findings
A methodology to formalise a framework to analyse group behaviour in information security can successfully be applied in a practical environment. This application takes the framework from only a theoretical conceptualisation to an implementable solution to evaluate and positively influence information security group behaviour.
Practical implications
Behavioural threshold analysis is identified as a practical mechanism to evaluate information security group behaviour. The suggested framework, as implemented in a management decision support system (DSS), allows practitioners to assess the security behaviour and awareness in their organisation. The resulting information can be used to exert an influence for positive change in the information security of the organisation.
Originality/value
A novel conceptual mapping of two sets of qualitative evaluation measures is presented and used to evaluate the proposed framework. The resulting framework is made practical through its encapsulation in a DSS.
12
Uchendu B, Nurse JR, Bada M, Furnell S. Developing a cyber security culture: Current practices and future needs. Comput Secur 2021. [DOI: 10.1016/j.cose.2021.102387] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.0] [Indexed: 10/21/2022]
13
Arbanas K, Spremic M, Zajdela Hrustek N. Holistic framework for evaluating and improving information security culture. ASLIB J INFORM MANAG 2021. [DOI: 10.1108/ajim-02-2021-0037] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.5] [Indexed: 11/17/2022]
Abstract
Purpose
The objective of this research was to propose and validate a holistic framework for information security culture evaluation, built around a novel approach, which includes technological, organizational and social issues. The framework's validity and reliability were determined with the help of experts in the information security field and by using multivariate statistical methods.
Design/methodology/approach
The conceptual framework was constructed upon a detailed literature review and validated using a range of methods: first, a measuring instrument was developed, and then content and construct validity of the measuring instrument were confirmed via experts' opinion and by the closed map sorting method. Convergent validity was confirmed by factor analysis, while the reliability of the measuring instrument was tested using Cronbach's alpha coefficient to measure internal consistency.
Findings
The proposed framework was validated based upon the results of empirical research and the usage of multivariate analysis. The resulting framework ultimately consists of 46 items (manifest variables), describing eight factors (first level latent variables), grouped into three categories (second level latent variables). These three categories were built around technological, organizational and social issues.
Originality/value
This paper contributes to the body of knowledge in information security culture by developing and validating a holistic framework for information security culture evaluation, which does not observe information security culture in only one aspect but takes into account its organizational, sociological and technical components.
14
Respite for SMEs: A Systematic Review of Socio-Technical Cybersecurity Metrics. APPLIED SCIENCES-BASEL 2021. [DOI: 10.3390/app11156909] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.0] [Indexed: 02/02/2023]
Abstract
Cybersecurity threats are on the rise, and small- and medium-sized enterprises (SMEs) struggle to cope with these developments. To combat threats, SMEs must first be willing and able to assess their cybersecurity posture. Cybersecurity risk assessment, generally performed with the help of metrics, provides the basis for an adequate defense. Significant challenges remain, however, especially in the complex socio-technical setting of SMEs. Seemingly basic questions, such as how to aggregate metrics and ensure solution adaptability, are still open to debate. Aggregation and adaptability are vital topics to SMEs, as they require the assimilation of metrics into an actionable advice adapted to their situation and needs. To address these issues, we systematically review socio-technical cybersecurity metric research in this paper. We analyse aggregation and adaptability considerations and investigate how current findings apply to the SME situation. To ensure that we provide valuable insights to researchers and practitioners, we integrate our results in a novel socio-technical cybersecurity framework geared towards the needs of SMEs. Our framework allowed us to determine a glaring need for intuitive, threat-based cybersecurity risk assessment approaches for the least digitally mature SMEs. In the future, we hope our framework will help to offer SMEs some deserved respite by guiding the design of suitable cybersecurity assessment solutions.
15
Pollini A, Callari TC, Tedeschi A, Ruscio D, Save L, Chiarugi F, Guerri D. Leveraging human factors in cybersecurity: an integrated methodological approach. COGNITION, TECHNOLOGY & WORK (ONLINE) 2021; 24:371-390. [PMID: 34149309 PMCID: PMC8195225 DOI: 10.1007/s10111-021-00683-y] [Citation(s) in RCA: 6] [Impact Index Per Article: 1.5] [Received: 01/06/2021] [Accepted: 05/24/2021] [Indexed: 06/12/2023]
Abstract
Computer and Information Security (CIS) is usually approached adopting a technology-centric viewpoint, where the human components of sociotechnical systems are generally considered as their weakest part, with little consideration for the end users' cognitive characteristics, needs and motivations. This paper presents a holistic/Human Factors (HF) approach, where the individual, organisational and technological factors are investigated in pilot healthcare organisations to show how HF vulnerabilities may impact on cybersecurity risks. An overview of current challenges in relation to cybersecurity is first provided, followed by the presentation of an integrated top-down and bottom-up methodology using qualitative and quantitative research methods to assess the level of maturity of the pilot organisations with respect to their capability to face and tackle cyber threats and attacks. This approach adopts a user-centred perspective, involving both the organisations' management and employees. The results show that a better cyber-security culture does not always correspond with more rule compliant behaviour. In addition, conflicts among cybersecurity rules and procedures may trigger human vulnerabilities. In conclusion, the integration of traditional technical solutions with guidelines to enhance CIS systems by leveraging HF in cybersecurity may lead to the adoption of non-technical countermeasures (such as user awareness) for a comprehensive and holistic way to manage cyber security in organisations.
Affiliation(s)
- Alessandro Pollini
- BSD Design, Via Lazzaretto, 19, 20124 Milano, IT Italy
- Deep Blue Srl, Via Manin, 53, 00185 Rome, IT Italy
- Tiziana C. Callari
- Socio-Technical Centre, Leeds University Business School, University of Leeds, Maurice Keyworth Building, Leeds, LS2 9JT UK
- Luca Save
- Deep Blue Srl, Via Manin, 53, 00185 Rome, IT Italy
- Davide Guerri
- Dedalus, Via di Collodi, 6, 50141 Florence, IT Italy
16
Erdoğdu F, Gökoğlu S, Kara M. “What about users?”: Development and validation of the mobile information security awareness scale (MISAS). ONLINE INFORMATION REVIEW 2020. [DOI: 10.1108/oir-04-2020-0129] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.2] [Indexed: 11/17/2022]
Abstract
Purpose
The current study aimed to develop and validate the Mobile Information Security Awareness Scale (MISAS) based on the prototype model for measuring information security awareness and the relevant literature.
Design/methodology/approach
The scale was developed and validated with the participation of 562 students from four universities. The construct validity of the scale was tested through exploratory factor analysis and confirmatory factor analysis.
Findings
The reliability of the scale was tested through corrected item-total correlations and Cronbach alpha. The MISAS includes six factors and 17 items. The identified factors were labeled as backup, instant messaging and navigation, password protection, update, access permission and using others' devices.
Research limitations/implications
The scale included only the human aspects of mobile information security. The technical aspects are not within the scope of this study. For this reason, future studies might develop and validate a different scale focusing on the technical aspects of mobile information security.
Originality/value
The developed scale contributes to the literature on the human aspects of mobile information security.
17
Alshaikh M. Developing cybersecurity culture to influence employee behavior: A practice perspective. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.102003] [Citation(s) in RCA: 15] [Impact Index Per Article: 3.0] [Indexed: 10/23/2022]
18
Solomon G, Brown I. The influence of organisational culture and information security culture on employee compliance behaviour. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2020. [DOI: 10.1108/jeim-08-2019-0217] [Citation(s) in RCA: 6] [Impact Index Per Article: 1.2] [Indexed: 11/17/2022]
Abstract
Purpose
Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.
Design/methodology/approach
A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.
Findings
Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.
Practical implications
Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.
Originality/value
This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.
19
The “Right” recipes for security culture: a competing values model perspective. INFORMATION TECHNOLOGY & PEOPLE 2020. [DOI: 10.1108/itp-08-2019-0438] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 11/17/2022]
Abstract
Purpose
This study argues that the effect of perceived organizational culture on the formation of security-related subjective norms and the level of compliance pressure will vary based on how the employees perceive their organization's cultural values. These perceptions reflect on the assumptions and principles that organizations use to guide their security-related behaviors. To make these arguments, we adopt the competing values model (CVM), which is a model used to understand the range of organizational values and resulting cultural archetypes.
Design/methodology/approach
This study conducted a survey of working professionals in the banking and higher education industries and used partial least squares (PLS)-structural equation model (SEM) to analyze the data. In a series of post hoc analyses, we ran a set of multi-group analyses to compare the perceived organizational cultural effects between the working professionals in both industries.
Findings
Our study reveals that perceived organizational cultures in favor of stability and control promoted more positive security-related behaviors. However, the different effects were more pronounced when comparing the effects between the working professionals in both industries.
Originality/value
This study is one of the few that examines which cultural archetypes are more effective at fostering positive security behaviors. These findings suggest that we should be cautious about generalizing the effects of organizational culture on security-related actions across different contexts and industries.
20
Wong WP, Tan KH, Chuah SHW, Tseng ML, Wong KY, Ahmad S. Information sharing and the bane of information leakage: a multigroup analysis of contract versus noncontract. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2020. [DOI: 10.1108/jeim-11-2019-0368] [Citation(s) in RCA: 4] [Impact Index Per Article: 0.8] [Indexed: 11/17/2022]
Abstract
Purpose
This study investigates information quality, information security technology and information sharing with moderation by information security culture and information leakage and how they all play out to influence supply chain performance for contract suppliers (Contract), noncontract suppliers (Noncontract) and pooled suppliers (Contract and Noncontract combined).
Design/methodology/approach
Multigroup analysis was deployed to compare the impact on Contract and Noncontract.
Findings
The finding on pooled suppliers confirmed the hypothesis that, in the multigroup analysis, information security culture negatively impacted the information quality–information sharing relationship of Contract.
Practical implications
The practical learning point is that Noncontract could still share information and perform, and in some instances better than Contract. Noncontract suppliers are still workable.
Originality/value
Information security culture motivated Noncontract to share and perform better than Contract. This result presents a dilemma.
21
Alhogail A. Enhancing information security best practices sharing in virtual knowledge communities. VINE JOURNAL OF INFORMATION AND KNOWLEDGE MANAGEMENT SYSTEMS 2020. [DOI: 10.1108/vjikms-01-2020-0009] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.4] [Indexed: 11/17/2022]
Abstract
Purpose
Sharing information security best practices between experts via knowledge management systems is valuable for improving information security practices, exchanging expertise, mitigating security risks, spreading knowledge, reducing costs and saving efforts. The purpose of this paper is developing a conceptual model to enhance the transfer of information security best practices between professionals in virtual communities through a Web-based knowledge management system to exchange their successful experience in handling different information security situations.
Design/methodology/approach
The model is validated by surveying 17 experts’ reviews on the correctness of the model’s structure and its related components through applying deep rich peer debriefing to test suitability. Quantitative data has been collected to achieve confirmatory results.
Findings
The resulting model incorporates five main components that support the formal mechanism for the acquisition and dissemination of knowledge: identification, classification, storage, validation and sharing. The success of knowledge sharing is highly dependent on the active collaboration of community members and highly influenced by motivation. Validating transferred knowledge is vital for ensuring the credibility of the system.
Originality/value
To the best of the author’s knowledge, this paper is one of the first to highlight the role of integrating knowledge management to enhance the effective share and reuse of information security best practices knowledge. The research results can support researchers investigating the topic and generate trustworthy literature to guide information security virtual community developers.
22
da Veiga A, Astakhova LV, Botha A, Herselman M. Defining organisational information security culture—Perspectives from academia and industry. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.101713] [Citation(s) in RCA: 39] [Impact Index Per Article: 7.8] [Indexed: 11/30/2022]
23
Diesch R, Pfaff M, Krcmar H. A comprehensive model of information security factors for decision-makers. Comput Secur 2020. [DOI: 10.1016/j.cose.2020.101747] [Citation(s) in RCA: 31] [Impact Index Per Article: 6.2] [Indexed: 11/27/2022]
24
Pérez-González D, Preciado ST, Solana-Gonzalez P. Organizational practices as antecedents of the information security management performance. INFORMATION TECHNOLOGY & PEOPLE 2019. [DOI: 10.1108/itp-06-2018-0261] [Citation(s) in RCA: 15] [Impact Index Per Article: 2.5] [Indexed: 11/17/2022]
Abstract
Purpose
The purpose of this paper is to expand current knowledge about the security organizational practices and analyze its effects on the information security management performance.
Design/methodology/approach
Based on the literature review, the authors propose a research model together with hypotheses. The survey questionnaires were developed to collect data, which then validated the measurement model. The authors collected 111 responses from CEOs at manufacturing small- and medium-sized enterprises (SMEs) that had already implemented security policies. The hypothesized relationships were tested using the structural equation model approach with EQS 6.1 software.
Findings
Results validate that information security knowledge sharing, information security education and information security visibility, as well as security organizational practices, have a positive effect on the information security management performance.
Research limitations/implications
The consideration of organizational aspects of information security should be taken into account by academics, practitioners and policymakers in SMEs. Besides, the work helps validate novel constructs used in recent research (information security knowledge sharing and information security visibility).
Practical implications
The authors extend previous works by analyzing how security organizational practices affect the performance of information security. The results suggest that an improved performance of information security in the industrial SMEs requires innovative practices to foster knowledge sharing among employees.
Originality/value
The literature recognizes the need to develop empirical research on information security focused on SMEs. Besides the need to identify organizational practices that improve information security, this paper empirically investigates SMEs’ organizational practices in the security of information and analyzes its effects on the performance of information security.
25
Nel F, Drevin L. Key elements of an information security culture in organisations. INFORMATION AND COMPUTER SECURITY 2019. [DOI: 10.1108/ics-12-2016-0095] [Citation(s) in RCA: 12] [Impact Index Per Article: 2.0] [Reference Citation Analysis] [Abstract] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
Purpose
The purpose of this paper is to report on a study that investigated the information security culture in organisations in South Africa, with the aim of identifying key aspects of the culture. The unique aspects for building an information security culture were examined and presented in the form of an initial framework. These efforts are necessary to address the critical human aspect of information security in organisations where risky cyber behaviour is still experienced.
Design/methodology/approach
Literature was investigated with the focus on the main keywords security culture and information security. The information security culture aspects of different studies were compared and analysed to identify key elements of information security culture after which an initial framework was constructed. An online survey was then conducted in which respondents were asked to assess the importance of the elements and to record possible missing elements/aspects regarding their organisation’s information security culture to construct an enhanced framework.
Findings
A list of 21 unique security culture elements was identified from the literature. These elements/aspects were divided into three groups based on the frequency each was mentioned or discussed in studies. The number of times an element was found was interpreted as an indication of how important that element/aspect is. A further four aspects were added to the enhanced framework based on the results that emerged from the survey.
Originality/value
The value of this research is that an initial framework of information security culture aspects was constructed that can be used to ensure that an organisation incorporates all key aspects in its own information security culture. This framework was further enhanced from the results of the survey. The framework can also assist further studies related to the information security culture in organisations for improved security awareness and safer cyber behaviour of employees.
26
Evans M, He Y, Maglaras L, Yevseyeva I, Janicke H. Evaluating information security core human error causes (IS-CHEC) technique in public sector and comparison with the private sector. Int J Med Inform 2019; 127:109-119. [PMID: 31128822 DOI: 10.1016/j.ijmedinf.2019.04.019] [Citation(s) in RCA: 6] [Impact Index Per Article: 1.0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 09/23/2018] [Revised: 01/08/2019] [Accepted: 04/23/2019] [Indexed: 10/26/2022]
Abstract
BACKGROUND
The number of reported public sector information security incidents has significantly increased recently including 22% related to the UK health sector. Over two thirds of these incidents pertain to human error, but despite this, there are limited published related works researching human error as it affects information security.
METHOD
This research conducts an empirical case study into the feasibility and implementation of the Information Security Core Human Error Causes (IS-CHEC) technique which is an information security adaptation of Human Error Assessment and Reduction Technique (HEART). We analysed 12 months of reported information security incidents for a participating public sector organisation providing healthcare services and mapped them to the IS-CHEC technique.
RESULTS
The results show that the IS-CHEC technique is applicable to the field of information security but identified that the underpinning HEART human error probability calculations did not align to the recorded incidents. The paper then proposes adaptation of the IS-CHEC technique based on the feedback from users during the implementation. We then compared the results against those of a private sector organisation established using the same approach.
CONCLUSIONS
The research concluded that the proportion of human error is far higher than reported in current literature. The most common causes of human error within the participating public sector organisation were lack of time for error detection and correction, no obvious means of reversing an unintended action and people performing repetitious tasks.
Affiliation(s)
- Mark Evans
- Cyber Security Centre, De Montfort University, England, United Kingdom
- Ying He
- Cyber Security Centre, De Montfort University, England, United Kingdom.
- Leandros Maglaras
- Cyber Security Centre, De Montfort University, England, United Kingdom
- Iryna Yevseyeva
- Cyber Security Centre, De Montfort University, England, United Kingdom
- Helge Janicke
- Cyber Security Centre, De Montfort University, England, United Kingdom
27
Khan HU, AlShare KA. Violators versus non-violators of information security measures in organizations—A study of distinguishing factors. JOURNAL OF ORGANIZATIONAL COMPUTING AND ELECTRONIC COMMERCE 2019. [DOI: 10.1080/10919392.2019.1552743] [Citation(s) in RCA: 12] [Impact Index Per Article: 2.0] [Reference Citation Analysis] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 10/27/2022]
Affiliation(s)
- Habib Ullah Khan
- Department of Accounting and Information Systems, College of Business & Economics, Qatar University, Doha, Qatar
- Khalid A. AlShare
- Department of Accounting and Information Systems, College of Business & Economics, Qatar University, Doha, Qatar
28
Nasir A, Arshah RA, Hamid MRA, Fahmy S. An analysis on the dimensions of information security culture concept: A review. JOURNAL OF INFORMATION SECURITY AND APPLICATIONS 2019. [DOI: 10.1016/j.jisa.2018.11.003] [Citation(s) in RCA: 12] [Impact Index Per Article: 2.0] [Reference Citation Analysis] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 10/27/2022]
29
Da Veiga A. An approach to information security culture change combining ADKAR and the ISCA questionnaire to aid transition to the desired culture. INFORMATION AND COMPUTER SECURITY 2018. [DOI: 10.1108/ics-08-2017-0056] [Citation(s) in RCA: 14] [Impact Index Per Article: 2.0] [Reference Citation Analysis] [Abstract] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
Purpose
Employee behaviour is a continuous concern owing to the number of information security incidents resulting from employee behaviour. The purpose of this paper is to propose an approach to information security culture change management (ISCCM) that integrates existing change management approaches, such as the ADKAR model of Prosci, and the Information Security Culture Assessment (ISCA) diagnostic instrument (questionnaire), to aid in addressing the risk of employee behaviour that could compromise information security.
Design/methodology/approach
The ISCCM approach is constructed based on literature and the inclusion of the ISCA diagnostic instrument. The ISCA diagnostic instrument statements are also presented in this paper. The ISCCM approach using ISCA is illustrated using data from an empirical study.
Findings
The ISCCM approach was found to be useful in defining change management interventions for organisations using the data of the ISCA survey. Employees’ perception and acceptance of change to ensure information security and the effectiveness of the information security training initiatives improved significantly from the as-is survey to the follow-up survey.
Research limitations/implications
The research illustrates the ISCCM approach and shows how it should be combined with the ISCA diagnostic instrument. Future research will focus on including a qualitative assessment of information security culture to complement the empirical data.
Practical implications
Organisations do not have to rely on or adapt organisational development approaches to change their information security culture – they can use the proposed ISCCM approach, which has been customised from information security and change management approaches, together with the presented ISCA questionnaire, to address information security culture change purposefully.
Originality/value
The proposed ISCCM approach can be applied to complement existing information security management approaches through a holistic and structured approach that combines the ADKAR model, Prosci’s approach of change management and the ISCA diagnostic instrument. It will enable organisations to focus on transitioning to a positive or desired information security culture that mitigates the risk of the human element in the protection of information.
30
Amankwa E, Loock M, Kritzinger E. Establishing information security policy compliance culture in organizations. INFORMATION AND COMPUTER SECURITY 2018. [DOI: 10.1108/ics-09-2017-0063] [Citation(s) in RCA: 14] [Impact Index Per Article: 2.0] [Reference Citation Analysis] [Abstract] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
Purpose
This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions.
Design/methodology/approach
In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.
Findings
The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.
Practical implications
Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance.
Originality/value
The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.
31
Safa NS, Maple C, Watson T, Von Solms R. Motivation and opportunity based model to reduce information security insider threats in organisations. JOURNAL OF INFORMATION SECURITY AND APPLICATIONS 2018. [DOI: 10.1016/j.jisa.2017.11.001] [Citation(s) in RCA: 35] [Impact Index Per Article: 5.0] [Reference Citation Analysis] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 11/25/2022]
32
Hina S, Dominic PDD. Information security policies’ compliance: a perspective for higher education institutions. JOURNAL OF COMPUTER INFORMATION SYSTEMS 2018. [DOI: 10.1080/08874417.2018.1432996] [Citation(s) in RCA: 2] [Impact Index Per Article: 0.3] [Reference Citation Analysis] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 10/17/2022]
Affiliation(s)
- Sadaf Hina
- Department of Computers and Information Science, Universiti Teknologi PETRONAS, Tronoh, Malaysia
33
Nicho M. A process model for implementing information systems security governance. INFORMATION AND COMPUTER SECURITY 2018. [DOI: 10.1108/ics-07-2016-0061] [Citation(s) in RCA: 20] [Impact Index Per Article: 2.9] [Reference Citation Analysis] [Abstract] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
Purpose
The frequent and increasingly potent cyber-attacks because of lack of an optimal mix of technical as well as non-technical IT controls has led to increased adoption of security governance controls by organizations. The purpose of this paper, thus, is to construct and empirically validate an information security governance (ISG) process model through the plan–do–check–act (PDCA) cycle model of Deming.
Design/methodology/approach
This descriptive research using an interpretive paradigm follows a qualitative methodology using expert interviews of five respondents working in the ISG domain in United Arab Emirates (UAE) to validate the theoretical model.
Findings
The findings of this paper suggest the primacy of the PDCA Deming cycle for initiating ISG through a risk-based approach assisted by industry-wide best practices in ISG. Regarding selection of ISG frameworks, respondents preferred to have ISO 27K supported by NIST as the core framework with other relevant ISG frameworks/standards forming the peripheral layer. The implementation focus of the ISG model is on mapping ISO 27K/NIST IT controls relevant IT controls selected from ISG frameworks from a horizontal and vertical perspective. Respondents asserted the automation of measurement and control mechanism through automation to assist in the feedback loop of the PDCA cycle.
Originality/value
The validated model helps academics and practitioners gain insight into the methodology of the phased implementation of an information systems governance process through the PDCA model, as well as the positioning of ITG and ITG frameworks in ISG. Practitioners can glean valuable insights from the empirical section of the research where experts detail the success factors, the sequential steps and justification of these factors in the ISG implementation process.
34
da Veiga A, Martins N. Defining and identifying dominant information security cultures and subcultures. Comput Secur 2017. [DOI: 10.1016/j.cose.2017.05.002] [Citation(s) in RCA: 17] [Impact Index Per Article: 2.1] [Reference Citation Analysis] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 10/19/2022]
35
Burns A, Posey C, Roberts TL, Benjamin Lowry P. Examining the relationship of organizational insiders' psychological capital with information security threat and coping appraisals. COMPUTERS IN HUMAN BEHAVIOR 2017. [DOI: 10.1016/j.chb.2016.11.018] [Citation(s) in RCA: 50] [Impact Index Per Article: 6.3] [Reference Citation Analysis] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 10/20/2022]
36
Kearney W, Kruger H. Can perceptual differences account for enigmatic information security behaviour in an organisation? Comput Secur 2016. [DOI: 10.1016/j.cose.2016.05.006] [Citation(s) in RCA: 5] [Impact Index Per Article: 0.6] [Reference Citation Analysis] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 10/21/2022]
37
Sohrabi Safa N, Von Solms R, Furnell S. Information security policy compliance model in organizations. Comput Secur 2016. [DOI: 10.1016/j.cose.2015.10.006] [Citation(s) in RCA: 167] [Impact Index Per Article: 18.6] [Reference Citation Analysis] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/29/2022]