Information security data breaches are becoming larger and more frequent. Incorporating information security into the culture of the information technology (IT) staff members that support these technologies is a key function that must be considered in parallel to improved security technology. The framework proposed in this paper considers focusing on cost-reducing products, services and structures while building the correct behaviour and values in IT staff members and strengthening their ability to improve information security assessment capabilities in the organization to better support information security management. A tool to evaluate the framework is also described, as well as concise feedback on how the framework and tool were tested in a few organizations.
Information Security (InfoSec) research is far reaching and includes many approaches to deal with protecting and mitigating threats to the information assets and technical resources available within computer based systems. Although a predominant weakness in properly securing information assets is the individual user within an organization, much of the focus of extant security research is on technical issues. The purpose of this paper is to highlight future directions for Behavioral InfoSec research, which is a newer, growing area of research. The ensuing paper presents information about challenges currently faced and future directions that Behavioral InfoSec researchers should explore. These areas include separating insider deviant behavior from insider misbehavior, approaches to understanding hackers, improving information security compliance, cross-cultural Behavioral InfoSec research, and data collection and measurement issues in Behavioral InfoSec research.
•We analyze the personal information security behavior and awareness of 881 IS users.
•We propose four scales to measure how risky individuals' behavior is when using IS.
•The more the respondents perceive threats, the more protective their behavior becomes.
•Students, compared to other groups, are more vulnerable to risks.
•The education level and information security awareness are positively correlated.
Hardware and software security mechanisms are widely used to strengthen information systems (IS) against attacks. However, these systems are still highly vulnerable to threats from users' undesirable behaviors, which are closely related to IS users' information security awareness. This study has been carried out in an effort to investigate the IS users' risky behaviors that may threaten information security. The preventive actions employed by users, the threats they may be exposed to, whether they have had an adverse experience, and to what extent they perceive risks have also been investigated. Four scales, the Risky Behavior Scale (RBS), Conservative Behavior Scale (CBS), Exposure to Offence Scale (EOS) and Risk Perception Scale (RPS), were developed from the data collected through surveys. The scales developed from the content of the survey were applied to students, academics and administrative staff of a university, which also comprises hospitals and educational organizations located in different geographical and socio-economic regions of Turkey. On the basis of the developed scales, the results of the study show that there are significant differences within samples and according to the habits of Internet usage.
This paper identifies 10 essential aspects, which, if not taken into account in an information security governance plan, will surely cause the plan to fail, or at least, cause serious flaws in the plan. These 10 aspects can be used as a checklist by management to ensure that a comprehensive plan has been defined and introduced.
Organizations are intensifying their information security levels, as information security has become an essential element in business management. However, excessive focus on the mere reinforcement of information security has placed employees under stress. Studies have confirmed that the negative effects of stress include reduced employee productivity. Therefore, it is important to manage employee stress while enforcing information security in an organization. Based on person–environment fit theory, this study examines how employees become stressed, the factors behind information security stress (ISS), and the differences between managerial and technical security-oriented organizations. The results show that work overload and invasion of privacy are information security stressors. Furthermore, work overload has a greater effect on ISS in managerial security-oriented organizations, while invasion of privacy exerts a greater influence on ISS in technical security-oriented organizations. In addition, attitude to compliance with the information security policy mitigates work overload and invasion of privacy. These findings can be used as a basic reference for the establishment of employee stress management measures and the evaluation of information security stress levels.
Purpose
This paper aims to develop an effective information security policy (ISP), which is an important mechanism to combat insider threats.
Design/methodology/approach
A general framework based on the Nine-Five-circle was proposed for developing, implementing and evaluating an organisation's ISP.
Findings
The proposed framework outlines the steps involved in developing, implementing and evaluating a successful ISP.
Research limitations/implications
The study took place in Germany, and most of the data was collected virtually due to the different locations of the organisation.
Practical implications
In practice, this study can be a guide for managers to design a robust ISP that employees will read and follow.
Social implications
Employee compliance with the ISP is a critical aspect in any organisation and therefore a rigorous strategy based on a systematic approach is required.
Originality/value
The main contribution of the paper is the application of a comprehensive and coherent model that can be the first step in defining a “checklist” for creating and managing ISPs.
International information security management guidelines play a key role in managing and certifying organizational IS. We analyzed BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP, and the SSE-CMM to determine and compare how these guidelines are validated, and how widely they can be applied. First, we found that BS7799, BS ISO/IEC17799: 2000, GASPP/GAISP and the SSE-CMM were generic or universal in scope; consequently they do not pay enough attention to the differences between organizations and the fact that their security requirements are different. Second, we noted that these guidelines were validated by appeal to common practice and authority and that this was not a sound basis for important international information security guidelines. To address these shortcomings, we believe that information security management guidelines should be seen as a library of material on information security management for practitioners.
Knowledge sharing plays an important role in the domain of information security, due to its positive effect on employees' information security awareness. It is acknowledged that security awareness is the most important factor that mitigates the risk of information security breaches in organizations. In this research, a model has been presented that shows how information security knowledge sharing (ISKS) forms and decreases the risk of information security incidents. The Motivation Theory and Theory of Planned Behavior, besides the Triandis model, were applied as the theoretical backbone of the conceptual framework. The results of the data analysis showed that earning a reputation and gaining promotion as extrinsic motivations, and curiosity satisfaction as an intrinsic motivation, have positive effects on employees' attitude toward ISKS. However, self-worth satisfaction does not influence ISKS attitude. In addition, the findings revealed that attitude, perceived behavioral control, and subjective norms have positive effects on ISKS intention, and ISKS intention affects ISKS behavior. The outcomes also showed that organizational support influences ISKS behavior more than trust. The results of this research should be of interest to academics and practitioners in the domain of information security.
•Information security knowledge sharing mitigates information security breaches.
•Intrinsic motivations influence information security knowledge sharing in firms.
•Extrinsic motivations influence information security knowledge sharing in firms.
•Organizational support facilitates information security knowledge sharing in firms.
Purpose
The purpose of this paper is to propose a theory of information security intelligence and examine the effects of managers’ information security intelligence (MISI) on employees’ procedural countermeasure awareness and information security policy (ISP) compliance intention.
Design/methodology/approach
A survey approach and structural equation modeling are utilized. Partial least squares (WarpPLS 6.0) and a nonlinear algorithm are employed to analyze and examine the hypotheses. In total, 324 employees from companies in South Korea participated in the survey, which was conducted by a professional survey service company.
Findings
MISI positively affects employees’ awareness of information security procedural countermeasures; information security knowledge and problem-solving skills have positive effects on procedural countermeasures awareness; MISI increases employees’ compliance intention through procedural countermeasure awareness; and information security procedural countermeasures positively affect employees’ ISP compliance intention.
Research limitations/implications
This study proposes a theory of information security intelligence and examines its impacts on employees’ compliance intentions. The study highlights the mediating role of information security procedural countermeasures between information security intelligence and employees’ compliance intentions.
Practical implications
Managers should improve and explicitly demonstrate information security knowledge and problem-solving skills to increase employees’ ISP compliance intention. To protect the organization’s intellectual capital, managers should champion the development and promotion of PCM, rather than leave these functions to the information security group.
Originality/value
This is the first empirical study to propose and validate MISI.
Existing behavioral information security research proposes continuum or non-stage models that focus on finding static determinants for information security behavior (ISB) that remains unchanged. Such models cannot explain a case where the reasons for ISB change. However, the underlying reasons and motives for users’ ISB are not static but may change over time. To understand the change in reasoning between different antecedents, we examine stage theorizing in other fields and develop the requirements for an emergent theory of the development of employees’ ISB: (1) the content of stages based on the stage elements and their stage-specific attributes; (2) the stage-independent element explaining the instability of ISB; and (3) the temporal order of stages based on developmental progression. To illustrate the stage theory requirements in an information security context, we suggest four stages: intuitive thinking, declarative thinking, agency-related thinking, and routine-related thinking. We propose that learning is a key driver of change between the stages. According to our theorizing, employees start with intuitive beliefs and later develop routine-related thinking. Furthermore, using interview data collected from employees in a multinational company, we illustrate the differences in the stages. For future information security research, we conceptualize ISB change in terms of stages and contribute a theoretical framework that can be empirically validated. In relation to practice, understanding the differences between the stages offers a foundation for identifying the stage-specific challenges that lead to non-compliance and the corresponding information security training aimed at tackling these challenges. Given that users’ ISB follows stages, although not in a specific order, identifying such stages can improve the effectiveness of information security training interventions within organizations.