A rich stream of research has identified numerous antecedents to employee compliance (and noncompliance) with information security policies. However, the number of competing theoretical perspectives and inconsistencies in the reported findings have hampered efforts to attain a clear understanding of what truly drives this behavior. To address this theoretical stalemate and build toward a consensus on the key antecedents of employees' security policy compliance in different contexts, we conducted a meta-analysis of the relevant literature. Drawing on 95 empirical papers, we classified 401 independent variables into 17 distinct categories and analyzed each category's relationship with security policy compliance, including an analysis for possible domain-specific moderators. A meta-analytic relative weight analysis determined the relative importance of each category in predicting security policy compliance, while adding robustness to our findings. At a broad level, our results suggest that much of the security policy compliance literature is plagued by suboptimal theoretical framing. Our findings can facilitate more refined theory-building efforts in this research domain and serve as a guide for practitioners to manage security policy compliance initiatives.
The main purpose of this study was to examine the relationship between individuals' Information Security Awareness (ISA) and individual difference variables, namely age, gender, personality and risk-taking propensity. Within this study, ISA was defined as individuals' knowledge of what policies and procedures they should follow, their understanding of why they should adhere to them (their attitude) and what they actually do (their behaviour). This was measured using the Human Aspects of Information Security Questionnaire (HAIS-Q). Individual difference variables were examined via a survey of 505 working Australians. It was found that conscientiousness, agreeableness, emotional stability and risk-taking propensity significantly explained variance in individuals’ ISA, while age and gender did not. Findings highlighted the need for future research to examine individual differences and their impact on ISA. Results of the study can be applied by industry to develop tailored InfoSec training programs.
• Emotional stability was positively associated with Information Security Awareness (ISA).
• Conscientiousness and agreeableness were positively associated with ISA.
• Individuals with a propensity to take fewer risks scored higher on ISA.
The rapid digital transformation and technological disruption in modern organisations demand the development of people-centric security workplaces, whereby the employees can build up their security awareness and accountability for their actions via participation in the organisation's social networks. The social network analysis approach offers a wide array of analytical capabilities to examine in-depth the interactions and relations within an organisation, which assists the development of such security workplaces. This paper proposes the novel and practical adoption of social network analysis methods in the behavioural information security field. To this end, we discuss the core features of the social network analysis approach and describe their empirical applications in a real case study of a large organisation in Vietnam, which utilised these methods to improve employees' information security awareness. Towards the end of the paper, a framework detailing the strategies for conducting social network analysis in the behavioural information security field is developed and presented.
Aim/Purpose: This paper examines the behavior of financial firm employees with regard to information security procedures instituted within their organization. Furthermore, the effect of information security awareness and its importance within a firm is explored.
Background: The study focuses on employees’ attitude toward compliance with information security policies (ISP), combined with various norms and personal abilities.
Methodology: A self-reported questionnaire was distributed among 202 employees of a large financial corporation.
Contribution: As far as we know, this is the first paper to thoroughly explore employees’ awareness of information system procedures, among financial organizations in Israel, and also the first to develop operative recommendations for these organizations aimed at increasing ISP compliance behavior. The main contribution of this study is that it investigates compliance with information security practices among employees of a defined financial corporation operating under rigid regulatory governance, confidentiality and privacy of data, and stringent requirements for compliance with information security procedures.
Findings: Our results indicate that employees’ attitudes, normative beliefs and personal capabilities to comply with firm’s ISP, have positive effects on the firm’s ISP compliance. Also, employees’ general awareness of IS, as well as awareness to ISP within the firm, positively affect employees’ ISP compliance.
Recommendations for Practitioners: This study can help information security managers identify the motivating factors for employee behavior to maintain information security procedures, properly channel information security resources, and manage appropriate information security behavior.
Recommendation for Researchers: Researchers can see that corporate rewards and sanctions have significant effects on employee security behavior, but other motivational factors also reinforce the ISP’s compliance behavior. Distinguishing between types of corporations and organizations is essential to understanding employee compliance with information security procedures.
Impact on Society: This study offers another level of understanding of employee behavior with regard to information security in organizations and comprises a significant contribution to the growing knowledge in this area. The research results form an important basis for IS policymakers, culture designers, managers, and those directly responsible for IS in the organization.
Future Research: Future work should sample employees from another type of corporation from other fields and should apply qualitative analysis to explore other aspects of behavioral patterns related to the subject matter.
According to research, the number of attacks on the Internet has been increasing each year. Hence, information security awareness is a very significant skill. Accordingly, this study aimed to investigate the effects of students’ personal factors on their information security awareness. The researchers conducted a quantitative study that examines a theoretical model. The data were collected from 684 undergraduate students via three data tools. The effects of variables on information security awareness were explained via path analysis. The mediating role of technology attitude was examined in the relationship between information security awareness and the individual variables for the first time. The findings showed that gender and grade did not directly affect information security awareness levels, while attending information security training, department and technology attitude had a significant effect. On the other hand, some personal factors indirectly affected information security awareness. This analysis offered substantial contributions to the literature in uncovering the effects of variables on students’ information security awareness in a holistic way. The results can guide planning for information security training to increase information security awareness by considering personal factors.
Information security was the main topic in this paper. An investigation of compliance with information security policies was discussed. The author mentions that the insignificant relationship between rewards and actual compliance with information security policies does not make sense. Quite possibly this relationship results from not applying rewards for security compliance. The author also mentions that, based on the survey conducted, careless employee behavior places an organization's assets and reputation in serious jeopardy. The major threat to information security arises from careless employees who fail to comply with organizations' information security policies and procedures.
The article discusses information security in the system of an industrial enterprise. Attention is focused on the need to implement a continuous information security process to protect all information assets from leaks, theft and unauthorized disclosure; the main provisions of information security management standards are analyzed. Objective: To optimize the methods of software protection of modern industrial enterprises, as well as to reduce threats and vulnerabilities related to information security at enterprises. Method or methodology of the work: In the process of investigating the problem, analytical methods of analysis were used. Results: The need to use ISO/IEC 27001 standards and the PDCA (Plan-Do-Check-Act) model at industrial enterprises of high-tech sectors of the economy in order to reduce threats and losses of information security, identify critical factors that negatively affect business processes and the enterprises themselves. Practical implications: The results obtained can be used as a theoretical basis for existing assessments of information security tools and automated security systems at high-tech industrial enterprises in modern economic conditions.
The purpose of this paper is to present a conceptual view of an Information Security Retrieval and Awareness (ISRA) model that can be used by industry to enhance information security awareness among employees. A common body of knowledge for information security that is suited to industry and that forms the basis of this model is accordingly proposed. This common body of knowledge will ensure that the technical information security issues do not overshadow the non-technical human-related information security issues. The proposed common body of knowledge also focuses on both professionals and low-level users of information. The ISRA model proposed in this paper consists of three parts, namely the ISRA dimensions (non-technical information security issues, IT authority levels and information security documents), information security retrieval and awareness, and measuring and monitoring. The model specifically focuses on the non-technical information security that forms part of the proposed common body of knowledge because these issues have, in comparison with the technical information security issues, always been neglected.
Information security is a crucial asset within an organization, and it needs to be protected. Information System (IS) security threats are still a significant concern for many organizations. It is profoundly crucial for any organization to preserve IS security and to protect IS assets (computer resources, hardware, software, networks, etc.) against malicious attacks such as unauthorized access and improper use. In this research, we developed a theoretical model for the adoption process of IS security innovations in organizations. Numerous measures are available that provide protection for an organization's IS assets (hardware, software, networks, etc.), including antivirus, firewalls, filters, Intrusion Detection Systems (IDS), encryption tools, authorization mechanisms, authentication systems, and proxy devices. The model is derived by combining four theoretical models of innovation adoption, namely the Theory of Planned Behaviour (TPB), the Diffusion of Innovation theory (DOI), the Technology Acceptance Model (TAM), and the Technology-Organisation-Environment (TOE) framework. Computer security education needs to be considered as a means to combat threats (Arachchilage and Love, 2013; Arachchilage et al., 2016), while the process of innovation assimilation is a result of user acceptance of the innovation within the organization. This model depicts security innovation adoption in organizations as a two-decision process for any organization. The stage of the adoption process from initiation until the acquisition of the innovation is considered a decision made by the organization. The model also introduces several factors that influence the different stages of information security and the innovation adoption process. Adoption of IS security measures by the individuals and organizations