A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP ...violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and have hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with the employees from 48 countries working for a large multinational company.
Information Security is a crucial asset within an organization, and it needs to be protected, Information System (IS) Security is still threats a significant concern for many organizations. Is ...profoundly crucial for any organization to preserve Information System (IS) Security and computer resources, hardware, software, and networks, etc.The Information System (IS)assets against malicious attacks such as unauthorized access and improper use. This research, we developed a theoretical model for the adoption process of IS Security innovations in organizations, are numerous measures available that provides protection for organization IS assets, including (hardware, software, networks, etc.) and antivirus, firewall, filters, Intrusion Detection System (IDS), encryption tools, authorization mechanisms, authentication systems, and proxy devices. The model is to derive by the four combining theoretical models of innovation adoption, namely, the Theory of Planned Behaviour (TPB, Diffusion of Innovation theory (DOI), the Technology Acceptance Model (TAM),) and the Technology-Organisation-Environment (TOE) framework. The Computer security education needs to consider as a means of to combat against threats Arachchilage and Arachchilage et al., 2016). (Arachchilage and Love, 2013; While the process of innovation assimilation is as a result of the user acceptance of innovation within the organization. This model depicts security innovation adoption in organizations, as a two decision proceeding for any organization. The stage until its acquisition of innovation and adoption process from the initiation is considered as a decision made any organization. The The model also introduces several factors that influence the different stages of information Security and the innovation adoption process Adoption of IS security measures by the individuals and organizations
Information security awareness (ISA) is integral to protecting an organisation from cyber threats. The aim of this paper is to further establish the validity of the Human Aspects of Information ...Security Questionnaire (HAIS-Q), as an effective instrument for measuring ISA. We present two studies to further establish the construct validity of this instrument. In Study 1, 112 university students completed the HAIS-Q and also took part in an empirical lab-based phishing experiment. Results indicated that participants who scored more highly on the HAIS-Q had better performance in the phishing experiment. This means the HAIS-Q can predict an aspect of information security behaviour, and provides evidence for its convergent validity. In Study 2, the HAIS-Q was administered to a larger and more representative population of 505 working Australians to further establish the construct validity of the instrument. The results of a factor analysis and other statistical techniques provide evidence for the validity of the HAIS-Q as a robust measure of ISA. We also describe the practical implications of the HAIS-Q, particularly how it could be used by information security practitioners.
Multi‐dye‐sensitized upconverting nanoparticles (UCNPs), which harvest photons of wide wavelength range (450–975 nm) are designed and synthesized. The UCNPs embedded in a photo‐acid generating layer ...are integrated on destructible nonvolatile resistive memory device. Upon illumination of light, the system permanently erases stored data, achieving enhanced information security.
•Information security culture framework (ISCF) based on five dimensions is proposed.•ISCF incorporates change management principles that guide the security culture cultivation.•Correctness and ...comprehensiveness of ISCF structure and tasks are validated by surveying experts.•Aims to mange human behavior when interacting with information assets.•Assist organizations to develop information security culture to protects information assets.
Establishing information security culture in organizations impacts employees’ perceptions and security behavior in a way that can guard against many information security threats posed by insiders. This paper is concerned with the development of a comprehensive information security culture framework for organizations. The structured STOPE (Strategy; Technology; Organization; People; and Environment) scope has been used as a base for the framework so that the various issues of information security can be integrated. The resulted framework incorporates the four main domains of the human factor diamond: preparedness, responsibility, management, and society and regulations. The framework also incorporates change management principles that guide the cultivation of the information security culture. The framework is validated by surveying experts to provide their views and feedback on the correctness and comprehensiveness of the framework structure and its associated tasks. The framework can assist organizations to develop an effective information security culture that protects their information assets.
Operating systems and programmes are more protected these days and attackers have shifted their attention to human elements to break into the organisation's information systems. As the number and ...frequency of cyber-attacks designed to take advantage of unsuspecting personnel are increasing, the significance of the human factor in information security management cannot be understated. In order to counter cyber-attacks designed to exploit human factors in information security chain, information security awareness with an objective to reduce information security risks that occur due to human related vulnerabilities is paramount. This paper discusses and evaluates the effects of various information security awareness delivery methods used in improving end-users' information security awareness and behaviour. There are a wide range of information security awareness delivery methods such as web-based training materials, contextual training and embedded training. In spite of efforts to increase information security awareness, research is scant regarding effective information security awareness delivery methods. To this end, this study focuses on determining the security awareness delivery method that is most successful in providing information security awareness and which delivery method is preferred by users. We conducted information security awareness using text-based, game-based and video-based delivery methods with the aim of determining user preferences. Our study suggests that a combined delivery methods are better than individual security awareness delivery method.
The aim of the article is to characterise and assess information security management in units of public administration and to define recommended solutions facilitating an increase in the level of ...information security. The article is considered a theoretical-empirical research paper. The aim of theoretical research is to explain the basic terms related to information security management and to define conditions for the implementation of Information Security Management System (ISMS). Within the scope of theoretical considerations, source literature, legislation and reports are being referred to. In the years 2016-2019, empirical research has been conducted, which aim was to assess the efficiency of information security management in public administration offices. The evaluation of results of surveys was accompanied by an analysis of statistical relations between the researched variables, which enabled to define effects of European Union regulations on the delivery of information security in public administration. Results of the empirical data show that in the years 2016-2017, in public administration offices, certain problem areas in the aspect of information security management were present, which include, among others: lack of ISMS organisation, incomplete or outdated ISMS documentation, lack of regular risk analysis, lack of reviews, audits or controls, limited use of physical and technological protection measures, lack of training or professional development. In the years 2018-2019, European Union solutions, i.e. the GDPR Regulation and the NIS Directive, have affected the increase in the security level of information in public administration and have a significantly limited occurrence of identified irregularities. Results of the research enable to assume that the delivery of information security in public administration requires a systemic approach arising from the need for permanent improvement.
As recent cyber-attacks have been increasing exponentially, the importance of security training for employees also has become growing ever than before. In addition, it is suggested that security ...training and education be an effective method for discerning cyber-attacks within academia and industries. Despite the importance and the necessity of the training, prior study did not investigate the quantitative utility of security training in an organizational level. Due to the absence of referential studies, many firms are having troubles in making decisions with respect to arranging optimal security training programs with limited security budgets. The main objective of this study is to find out a relationship between cybersecurity training and the number of incidents of organizations. Thus, this study quantified the effectiveness of security training on security incidents as the first study. This research examined the relationship among three main factors; education time, education participants, and outsourcing with numbers of cybersecurity incidents. 7089 firm level data is analyzed through Poisson regression method. Based on analysis results, we found that the negative relationship between security trainings and the occurrence of cybersecurity incidents. This study sheds light on the role of security training and education by suggesting its positive association with reducing the number of incidents in organizations from the quantitative perspective. The result of this study can be used as a referential guide for information security training decision-making procedure in organizations.
Practitioners and academics ask if and how punishment and moral norms affect the resistance to information systems security in emerging markets. To address this question, this empirical study ...examines the relationship between punishment and moral norms on resistance to information security in the context of a Brazilian IT company. The data were collected from 174 employees by applying structural equation modeling (SEM). The results suggest that the severity of punishment and certainty of detection influence descriptive norms and impact moral norms, which, in sequence, enhance resistance to information security. The findings demonstrate that the national culture of values in emerging markets contributes to the behavior of employees to increase resistance to information security.
•PLS-SEM is employed to analyze a sample comprising 174 employees from an information technology company in Brazil.•Users' safety behaviors to safety norms (descriptive and moral) and their resistance to information security are examined.•Users' perceived severities and certainties of punishment, descriptive norms, and moral norms are assessed.•Based on the “Jeitinho Brasileito” concept, the social norms did not affect the Brazilian context of information security.•Brazilian executives must explore other practices that enhance information security in the Brazilian context.
Purpose
The purpose of this case study is to examine the factors that impact higher education employees’ violations of information security policy by developing a research model based on grounded ...theories such as deterrence theory, neutralization theory and justice theory.
Design/methodology/approach
The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression.
Findings
The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant.
Research limitations/implications
As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. The method of measuring information security violations has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to this case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a US university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study.
Practical implications
The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated.
Social implications
Engaging employees in developing and implementing information security measures will reduce employees’ violations. Additionally, giving employees the assurance that all are given the same treatment when it comes to applying sanctions will reduce the violations.
Originality/value
Setting and enforcing in a timely manner a solid sanction system will help in preventing information security violations. Moreover, creating a culture that fosters information security will help in positively affecting the employees’ perceptions toward privacy and responsibility, which in turn, impacts information security violations. This case study applies some existing theories in the context of the US higher education environment. The results of this case study contributed to the extension of existing theories by including new factors, on one hand, and confirming previous findings, on the other hand.
PDF
