From Information Security Awareness to Reasoned Compliant Action

Reconceptualizing cybersecurity awareness capability in the data-driven digital economy

Data breaches have become a formidable challenge for business operations in the twenty-first century. The emergence of big data in the ever-growing digital economy has created the necessity to secure critical organizational information. The lack of cybersecurity awareness exposes organizations to potential cyber threats. Thus, this research aims to identify the various dimensions of cybersecurity awareness capabilities. Drawing on the dynamic capabilities framework, the findings of the study show personnel (knowledge, attitude and learning), management (training, culture and strategic orientation) and infrastructure capabilities (technology and data governance) as thematic dimensions to tackle cybersecurity awareness challenges.

Theory-Based Model and Prediction Analysis of Information Security Compliance Behavior in the Saudi Healthcare Sector

The adoption of health information systems provides many potential healthcare benefits. The government of the Kingdom of Saudi Arabia has subsidized this field. However, like those of other less developed countries, organizations in the Kingdom of Saudi Arabia struggle to secure their health information systems. This issue may stem from a lack of awareness regarding information security. To date, most related studies have not considered all of the factors affecting information security compliance behavior (ISCB), which include psychological traits, cultural and religious beliefs, and legal concerns. This paper aims to investigate the usefulness of a theory-based model and determine the predictors of ISCB among healthcare workers at government hospitals in the Kingdom of Saudi Arabia. The study investigated 433 health workers in Arar, the capital of the Northern Borders Province in the Kingdom of Saudi Arabia. Two phases involved in this study were the hypothetical model formulation and identification of ISCB predictors. The results suggest that moderating and non-common factors (e.g., religion and morality) impact ISCB, while demographic characteristics (e.g., age, marital status, and work experience) do not. All published instruments and theories were embedded to determine the most acceptable theories for Saudi culture. The theory-based model of ISCB establishes the main domains of theory for this study, which were religion/morality, self-efficacy, legal/punishment, personality traits, cost of compliance/noncompliance, subjective norms, information security policy, general information security, and technology awareness. Predictors of ISCB indicate that general information security, followed by self-efficacy and religion/morality, is the most influential factor on ISCB among healthcare workers in the Kingdom of Saudi Arabia. This study is considered as the first to present the symmetry between theory and actual descriptive results, which were not investigated before.

The role of norms in information security policy compliance

Purpose

The purpose of this paper is to determine which factors influence information system security policy compliance. It examines how different norms influence compliance intention.

Design/methodology/approach

Based on relevant literature on information system security policy compliance, a research model was developed and validated. An online questionnaire was used to gather data from respondents and partial least square structural equation modelling (PLS-SEM) was used to analyse 432 responses received.

Findings

The results indicated that attitude towards information security compliance mediates the effects of personal norms on compliance intention. In addition, descriptive and subjective norms are significant predictors of personal norms.

Originality/value

Though advancement in technology has reached significant heights, it is still inadequate to guaranteed information systems’ security. Researchers have identified humans to be central in ensuring information security. To this effect, this study provides empirical evidence of the role of norms in influence information security behaviour.

The hunt for computerized support in information security policy management

Purpose

The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.

Design/methodology/approach

The results are based on a literature review of ISP management research published between 1990 and 2017.

Findings

Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively and intervention-oriented research is rare.

Research limitations/implications

Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.

Practical implications

The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.

Originality/value

Today, there are no literature reviews on to what extent computerised support the ISP management process. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.

Response awareness and instructional self-efficacy: influences on intent

Purpose

This paper aims to examine the influence of response awareness on behavioral intent, and introduces instructional self-efficacy, a construct rarely examined within the context of information security (ISec).

Design/methodology/approach

A Web-based survey was conducted and a total of 211 valid responses were analyzed. The relationships among response awareness, instructional self-efficacy and behavioral intent were examined through a three-phase structural equation modeling analysis.

Findings

The results indicate that even at low levels, response awareness has a strong influential effect on the behavioral intent to perform the secure response and on the self-efficacy to instruct others to perform the response. Instructional self-efficacy was also found to be a significant predictor of behavioral intent to perform the response. Finally, evidence was found indicating instructional self-efficacy fully mediates the response awareness to the behavioral intent relationship.

Research limitations/implications

Because of the characteristics of the population, the focus on a single ISec response and the dependent variable of behavioral intent rather than actual behavior, the generalizability of the findings is impacted.

Practical implications

The results contribute to practice by confirming the importance of response awareness and of instructional self-efficacy within an ISec context. Specific implications include the indication that informal communications about ISec issues among peers should be encouraged and that instructional self-efficacy should be targeted within ISec awareness training programs.

Originality/value

This paper’s parsimonious model defined response awareness as vicarious experience with a response and presented instructional self-efficacy, a construct novel to ISec studies that was found to be a significant influence within the relationship between response awareness and behavioral intent.

Secure Behavior over Time

Research has investigated the role of numerous influences on individual information security behaviors, including protection motivation, deterrence, and various dispositional and environmental factors. Various theories have been applied to study these influences on security behaviors. One major research stream has looked at threat and coping appraisals by IT users. However, users' beliefs, attitudes, appraisals, and intentions are not static, and there has been little attention to how these factors interact over time. When users (directly or vicariously) experience a security threat, they tend to engage in improved security hygiene, but often only for a limited time. A major theory that can provide comprehensive and unified insights into the phenomenon of continuous secure behavior is the Theory of Process Memory which explains the role of prior experience effects and the underlying mechanisms of continuous behavior, including feedback mechanism, sequential updating mechanism, behavioral automaticity (habit), and reason-based action. The application of this theory to behavioral information security research can foster a deep understanding about how each cognitive mechanism can influence IT users' continuous secure behavior, and through which type of human memory each mechanism can act. This rich theory, which is well-established in cognitive psychology, can help behavioral information security scholars to rigorously investigate the very important, yet understudied, phenomenon of continuance secure behavior.

Roles of Organizational Climate, Social Bonds, and Perceptions of Security Threats on IS Security Policy Compliance Intentions

Collapse