1
Almansoori A, Al-Emran M, Shaalan K. Exploring the Frontiers of Cybersecurity Behavior: A Systematic Review of Studies and Theories. APPLIED SCIENCES 2023; 13:5700. [DOI: 10.3390/app13095700] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Indexed: 09/01/2023]
Abstract
Cybersecurity procedures and policies are prevalent countermeasures for protecting organizations from cybercrimes and security incidents. Without considering human behaviors, implementing these countermeasures will remain useless. Cybersecurity behavior has gained much attention in recent years. However, a systematic review that provides extensive insights into cybersecurity behavior through different technologies and services and covers various directions in large-scale research remains lacking. Therefore, this study retrieved and analyzed 2210 articles published on cybersecurity behavior. The retrieved articles were then thoroughly examined to meet the inclusion and exclusion criteria, in which 39 studies published between 2012 and 2021 were ultimately picked for further in-depth analysis. The main findings showed that the protection motivation theory (PMT) dominated the list of theories and models examining cybersecurity behavior. Cybersecurity behavior and intention behavior counted for the highest purpose for most studies, with fewer studies focusing on cybersecurity awareness and compliance behavior. Most examined studies were conducted in individualistic contexts with limited exposure to collectivistic societies. A total of 56% of the analyzed studies focused on the organizational level, indicating that the individual level is still in its infancy stage. To address the research gaps in cybersecurity behavior at the individual level, this review proposes a number of research agendas that can be considered in future research. This review is believed to improve our understanding by revealing the full potential of cybersecurity behavior and opening the door for further research opportunities.
Affiliation(s)
- Afrah Almansoori
  - Faculty of Engineering & IT, The British University in Dubai, Dubai P.O. Box 345015, United Arab Emirates
  - General Department of Forensic Science and Criminology, Dubai Police G.H.Q., Dubai P.O. Box 1493, United Arab Emirates
- Mostafa Al-Emran
  - Faculty of Engineering & IT, The British University in Dubai, Dubai P.O. Box 345015, United Arab Emirates
  - Department of Computer Techniques Engineering, Dijlah University College, Baghdad 00964, Iraq
- Khaled Shaalan
  - Faculty of Engineering & IT, The British University in Dubai, Dubai P.O. Box 345015, United Arab Emirates
2
Ali RF, Dominic PDD. Investigation of information security policy violations among oil and gas employees: A security-related stress and avoidance coping perspective. J Inf Sci 2022. [DOI: 10.1177/01655515221087680] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Indexed: 11/16/2022]
Abstract
Information security is one of the most crucial considerations in digitising Oil and Gas (O&G) organisations. For ensuring information security policy compliance, O&G organisations enforce heavy security requirements. The purpose of this article is to assess how O&G employees cope with stressful information security tasks and how security-related stress (SRS) is related to information security policy violations among O&G employees in developing countries. Based on the coping theory, this article develops a theoretical framework to examine O&G employees’ intention to violate information security policies. The framework is tested using a survey of 270 managers/executives from 150 Malaysian O&G organisations. The results indicated that O&G employees perceive security requirements as stressful to follow and adopt avoidance coping strategies that lead them to violate organisational information security policies. For practitioners, the study findings demonstrate the prevalence of technostress in O&G organisations and suggest alternative mechanisms to address the stressful effects of information security requirements. This article contributes to the information system security literature by testing procrastination and psychological detachment with SRS in the context of developing countries' O&G organisations’ employees and provides an understanding of how O&G employees adopt avoidance coping.
Affiliation(s)
- Rao Faizan Ali
  - Department of Computer and Information Sciences, Universiti Teknologi PETRONAS, Malaysia
- PDD Dominic
  - Department of Computer and Information Sciences, Universiti Teknologi PETRONAS, Malaysia
3
Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance. APPLIED SCIENCES-BASEL 2021. [DOI: 10.3390/app11083383] [Citation(s) in RCA: 21] [Impact Index Per Article: 5.3] [Indexed: 11/16/2022]
Abstract
A grave concern to an organization’s information security is employees’ behavior when they do not value information security policy compliance (ISPC). Most ISPC studies evaluate compliance and noncompliance behaviors separately. However, the literature lacks a comprehensive understanding of the factors that transform the employees’ behavior from noncompliance to compliance. Therefore, we conducted a systematic literature review (SLR), highlighting the studies done concerning information security behavior (ISB) towards ISPC in multiple settings: research frameworks, research designs, and research methodologies over the last decade. We found that ISPC research focused more on compliance behaviors than noncompliance behaviors. Value conflicts, security-related stress, and neutralization, among many other factors, provided significant evidence towards noncompliance. At the same time, internal/external and protection motivations proved positively significant towards compliance behaviors. Employees perceive internal and external motivations from their social circle, management behaviors, and organizational culture to adopt security-aware behaviors. Deterrence techniques, management behaviors, culture, and information security awareness play a vital role in transforming employees’ noncompliance into compliance behaviors. This SLR’s motivation is to synthesize the literature on ISPC and ISB, identifying the behavioral transformation process from noncompliance to compliance. This SLR contributes to information system security literature by providing a behavior transformation process model based on the existing ISPC literature.
4
The Effect of Organizational Information Security Climate on Information Security Policy Compliance: The Mediating Effect of Social Bonding towards Healthcare Nurses. SUSTAINABILITY 2021. [DOI: 10.3390/su13052800] [Citation(s) in RCA: 16] [Impact Index Per Article: 4.0] [Indexed: 01/10/2023]
Abstract
The advancement of information communication technology in healthcare institutions has increased information security breaches. Scholars and industry practitioners have reported that most security breaches are due to negligence towards organizational information security policy compliance (ISPC) by healthcare employees such as nurses. There is, however, a lack of understanding of the factors that ensure ISPC among nurses, especially in developing countries such as Malaysia. This paper develops and examines a research framework that draws upon the factors of organizational climate of information security (OCIS) and social bond theory to enhance ISPC among nurses. A questionnaire was adopted in which responses were obtained from 241 nurses employed in 30 hospitals in Malaysia. The findings from the study demonstrated that the ISPC among nurses is enhanced through OCIS factors. The influence on ISPC was even more significant when examined by the mediating effect of the social bond. It implies that influential OCIS factors reinforce social bonds among nurses and eventually increase the ISPC. For information security practitioners, the study findings emphasize the prevalence of socio-active information security culture in healthcare organizations to enhance ISP compliance among nurses.
5
Nasirpouri Shadbad F, Biros D. Technostress and its influence on employee information security policy compliance. INFORMATION TECHNOLOGY & PEOPLE 2020. [DOI: 10.1108/itp-09-2020-0610] [Citation(s) in RCA: 4] [Impact Index Per Article: 0.8] [Indexed: 11/17/2022]
Abstract
Purpose: This study focuses on unintended negative consequences of IT, called technostress. Given that employees are recognized as a major information security threat, it makes sense to investigate how technostress resulting from employees' constant interaction with IT influences the likelihood of security incidents. Although past research studied the concept of security-related technostress, the effect of IT use itself on employees’ extra-role activities such as security-related behaviors is unanswered. Thus, this paper aims to provide an understanding of the negative impact of technostress on employee information security policy (ISP) compliance.
Design/methodology/approach: Drawing on technostress literature, this research develops a research model that investigates the effect of technostress on employee intention to violate ISPs. It also extends the dimensionality of technostress construct by adding a new dimension called “techno-unreliability” that shows promising results. The authors use online survey data from a sample of 356 employees who have technology-based professions. We apply the structural equation modeling technique to evaluate the proposed research model.
Findings: Findings showed that IT use imposes high-level perceptions of a set of technostress creators, which makes users rationalize their ISP violations and engage in non-compliant behaviors. Further analysis of each dimension of technostress showed that techno-complexity, techno-invasion and techno-insecurity account for higher ISP non-compliant behaviors.
Originality/value: This study provides a new understanding of technostress to the context of information security and emphasizes its negative impact on employee ISP compliance behaviors.
6
Organizational Governance, Social Bonds and Information Security Policy Compliance: A Perspective towards Oil and Gas Employees. SUSTAINABILITY 2020. [DOI: 10.3390/su12208576] [Citation(s) in RCA: 13] [Impact Index Per Article: 2.6] [Indexed: 11/16/2022]
Abstract
Information security attacks on oil and gas (O&G) organizations have increased since the last decade. From 2015 to 2019, almost 70 percent of O&G organizations faced at least one significant security breach worldwide. Research has shown that 43 percent of security attacks on O&G organizations occur due to the non-compliant behavior of O&G employees towards information security policy. The existing literature provides multiple solutions for technical security controls of O&G organizations. However, there are very few studies available that address behavioral security controls, specifically for O&G organizations of developing countries. The purpose of this study is to provide a comprehensive framework for information security policy compliance (ISPC) for the O&G sector. A mixed-method approach is used to develop the research framework. Semi-structured interviews from O&G specialists refined the developed framework. Based on qualitative study a survey questionnaire was developed. To evaluate the research framework, structural equation modeling was applied to a sample of 254 managers/executives from 150 Malaysian O&G organizations. The obtained test results confirmed the proposed research model, according to which good social bonding among employees plays a critical role in improving ISPC. However, there was less support for the notion that all organizational governance factors significantly improve the social bonding of Malaysian O&G organizations employees. This paper contributes to the current information system (IS) literature by exploring the interrelationships among organizational governance, social bonding, and information security policy compliance (ISPC) in Malaysian O&G organizations.
7
Solomon G, Brown I. The influence of organisational culture and information security culture on employee compliance behaviour. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2020. [DOI: 10.1108/jeim-08-2019-0217] [Citation(s) in RCA: 6] [Impact Index Per Article: 1.2] [Indexed: 11/17/2022]
Abstract
Purpose: Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.
Design/methodology/approach: A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.
Findings: Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.
Practical implications: Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.
Originality/value: This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.
8
Understanding employees' adoption of the Bring-Your-Own-Device (BYOD): the roles of information security-related conflict and fatigue. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2020. [DOI: 10.1108/jeim-10-2019-0318] [Citation(s) in RCA: 7] [Impact Index Per Article: 1.4] [Indexed: 11/17/2022]
Abstract
Purpose: While the bring-your-own-device (BYOD) trend provides benefits for employees, it also poses security risks to organizations. This study explores whether and how employees decide to adopt BYOD practices when they encounter information security–related conflict.
Design/methodology/approach: Using survey data from 235 employees of Chinese enterprises and applying partial least squares based structural equation modeling (PLS-SEM), we test a series of hypotheses.
Findings: The results suggest that information security–related conflict elicits information security fatigue among employees. As their information security fatigue increases, employees become less likely to adopt BYOD practices. In addition, information security–related conflict has an indirect effect on employees' BYOD adoption through the full mediation of information security fatigue.
Practical implications: This study provides practical implications to adopt BYOD in the workplace through conflict management measures and emotion management strategies. Conflict management measures focused on reducing four facets of information security–related conflict, such as improving the organization's privacy policies and helping employees to build security habits. Emotion management strategies highlighted the solutions to reduce fatigue through easing conflict, such as involving employees in the development or update of information security policies to voice their demands of privacy and other rights.
Originality/value: Our study extends knowledge by focusing on the barriers to employees' BYOD adoption when considering information security in the workplace. Specifically, this study takes a conflict perspective and builds a multi-faceted construct of information security–related conflict. Our study also extends information security behavior research by revealing an emotion-based mediation effect, that of information security fatigue, to explore the mechanism underlying the influence of information security–related conflict on employee behavior.