Organisational culture, procedural countermeasures, and employee security behaviour

Collective information security behaviour: a technology-driven framework

Purpose

This paper aims to present the development of a framework for evaluating group behaviour in information security in practice.

Design/methodology/approach

Information security behavioural threshold analysis is used as the theoretical foundation for the proposed framework. The suitability of the proposed framework is evaluated based on two sets of qualitative measures (general frameworks and information security frameworks) which were identified from literature. The successful evaluation of the proposed framework, guided by the identified evaluation measures, is presented in terms of positive practical applications, as well as positive peer review and publication of the underlying theory.

Findings

A methodology to formalise a framework to analyse group behaviour in information security can successfully be applied in a practical environment. This application takes the framework from only a theoretical conceptualisation to an implementable solution to evaluate and positively influence information security group behaviour.

Practical implications

Behavioural threshold analysis is identified as a practical mechanism to evaluate information security group behaviour. The suggested framework, as implemented in a management decision support system (DSS), allows practitioners to assess the security behaviour and awareness in their organisation. The resulting information can be used to exert an influence for positive change in the information security of the organisation.

Originality/value

A novel conceptual mapping of two sets of qualitative evaluation measures is presented and used to evaluate the proposed framework. The resulting framework is made practical through its encapsulation in a DSS.

Enhancing supply chain resilience by counteracting the Achilles heel of information sharing

Purpose

In the face of information leakage, this study aims to demonstrate pathways to supply chain resilience (SCR) during information sharing by deploying organizational ethical climate (OEC) and information security culture (ISC) as non-punitive mitigation approaches.

Design/methodology/approach

This empirical study was conducted to verify the framework using a questionnaire distributed to Malaysian multinational corporations (MNCs) of the manufacturing sector. The data were analysed using structural equation modeling (SEM) techniques with the AMOS software.

Findings

This study has confirmed the adverse impact of intentional and unintentional leakages on information sharing effectiveness. The findings showed ISC could reduce the impact of information leakage, but an OCE could not. This study provides evidence that information sharing effectiveness could impact SCR. The former is a mediator between information leakage and SCR, with information leakage moderated by information security culture. These findings convey that multinationals should set up an ISC to reduce information leakage and enhance their SCR.

Originality/value

Prior studies lacked the explanation of the impact of mitigating factors on information leakage in information sharing effectiveness affecting SCR. A framework that explains the relationships add value to organizations making available strategic decisions to curb information leakage and manage SCR.

Mapping the Psychosocialcultural Aspects of Healthcare Professionals' Information Security Practices: Systematic Mapping Study

Background

Data breaches in health care are on the rise, emphasizing the need for a holistic approach to mitigation efforts.

Objective

The purpose of this study was to develop a comprehensive framework for modeling and analyzing health care professionals’ information security practices related to their individual characteristics, such as their psychological, social, and cultural traits.

Methods

The study area was a hospital setting under an ongoing project called the Healthcare Security Practice Analysis, Modeling, and Incentivization (HSPAMI) project. A literature review was conducted for relevant theories and information security practices. The theories and security practices were used to develop an ontology and a comprehensive framework consisting of psychological, social, cultural, and demographic variables.

Results

In the review, a number of psychological, social, and cultural theories were identified, including the health belief model, protection motivation theory, theory of planned behavior, and social control theory, in addition to some social demographic variables, to form a comprehensive set of health care professionals’ characteristics. Furthermore, an ontology was developed from these theories to systematically organize the concepts. The framework, called the psychosociocultural (PSC) framework, was then developed from the various combined psychological and sociocultural attributes of the ontology. The Human Aspect of Information Security Questionnaire was adopted as a comprehensive tool for gathering staff security practices as mediating variables in the framework.

Conclusions

Data breaches occur often in health care today. This frequency has been attributed to the lack of experience of health care professionals in information security, the lack of development of conscious care security practices, and the lack of motivation to incentivize health care professionals. The frequent data breaches in health care threaten the mutual trust between health care professionals and patients, which implicitly impacts the quality of the health care service. The modeling and analysis of health care professionals’ security practices can be conducted with the PSC framework by combining methods of statistical survey, observations, and interviews in relation to PSC variables, such as perceptions (perceived benefits, perceived threats, and perceived barriers) or psychological traits, social factors, cultural factors, and social demographics.

Assessing the Moderating Effect of Security Technologies on Employees Compliance with Cybersecurity Control Procedures

The increase in cybersecurity threats and the challenges for organisations to protect their information technology assets has made adherence to organisational security control processes and procedures a critical issue that needs to be adequately addressed. Drawing insight from organisational theory literature, we develop a multi-theory model, combining the elements of the theory of planned behaviour, competing value framework, and technology—organisational and environmental theory to examine how the organisational mechanisms interact with espoused cultural values and employee cognitive belief to influence cybersecurity control procedures. Using a structured questionnaire, we deployed structural equation modelling (SEM) to analyse the survey data obtained from public sector information technology organisations in Nigeria to test the hypothesis on the relationship of socio-organisational mechanisms and techno-cultural factors with other key determinants of employee security behaviour. The results showed that knowledge of cybersecurity and employee cognitive belief significantly influence the employees’ intentions to comply with organisational cybersecurity control mechanisms. The research further noted that the influence of organisational elements such as leadership on employee security behaviour is mediated by espoused cultural values while the impact of employee cognitive belief is moderated by security technologies. For effective cybersecurity compliance, leaders and policymakers are therefore to promote organisational security initiatives that ensure incorporation of cybersecurity principles and practices into job descriptions, routines, and processes. This study contributes to behavioural security research by highlighting the critical role of leadership and cultural values in fostering organisational adherence to prescribed security control mechanisms.

Information security awareness in a developing country context: insights from the government sector in Saudi Arabia

Purpose

The purpose of this paper is to increase understanding of employee information security awareness in a government sector setting and illuminate the problems that public sector organisations in a developing context face when seeking to establish an information security awareness programme.

Design/methodology/approach

An interpretive research design was followed to develop an empirically enriched understanding of information security awareness perceptions, aspirations, challenges and enablers in the context of Saudi Arabia as a developing country. The study adopts a single-case study approach, including face-to-face interviews with senior employees, as well as document analysis.

Findings

The paper theorises the importance of individual information security awareness, knowledge and behaviour and identifies a number of facilitating conditions: customisation to employee and organisational needs, interactivity, innovation, frequency, integration of both electronic and physical learning resources and rewarding the acquisition of in-depth security-related actionable knowledge.

Originality/value

This study is one of the first to examine information security awareness as a socio-technical process within a government sector organisation in a developing country context.

An approach to information security culture change combining ADKAR and the ISCA questionnaire to aid transition to the desired culture

Purpose

Employee behaviour is a continuous concern owing to the number of information security incidents resulting from employee behaviour. The purpose of this paper is to propose an approach to information security culture change management (ISCCM) that integrates existing change management approaches, such as the ADKAR model of Prosci, and the Information Security Culture Assessment (ISCA) diagnostic instrument (questionnaire), to aid in addressing the risk of employee behaviour that could compromise information security.

Design/methodology/approach

The ISCCM approach is constructed based on literature and the inclusion of the ISCA diagnostic instrument. The ISCA diagnostic instrument statements are also presented in this paper. The ISCCM approach using ISCA is illustrated using data from an empirical study.

Findings

The ISCCM approach was found to be useful in defining change management interventions for organisations using the data of the ISCA survey. Employees’ perception and acceptance of change to ensure information security and the effectiveness of the information security training initiatives improved significantly from the as-is survey to the follow-up survey.

Research limitations/implications

The research illustrates the ISCCM approach and shows how it should be combined with the ISCA diagnostic instrument. Future research will focus on including a qualitative assessment of information security culture to complement the empirical data.

Practical implications

Organisations do not have to rely on or adapt organisational development approaches to change their information security culture – they can use the proposed ISCCM approach, which has been customised from information security and change management approaches, together with the presented ISCA questionnaire, to address information security culture change purposefully.

Originality/value

The proposed ISCCM approach can be applied to complement existing information security management approaches through a holistic and structured approach that combines the ADKAR model, Prosci’s approach of change management and the ISCA diagnostic instrument. It will enable organisations to focus on transitioning to a positive or desired information security culture that mitigates the risk of the human element in the protection of information.