Information security risk management (ISRM) is the primary means by which organizations preserve the confidentiality, integrity and availability of information resources. A review of ISRM literature identified deficiencies in the practice of information security risk assessment that inevitably lead to poor decision-making and inadequate or inappropriate security strategies. In this conceptual paper, we propose a situation-aware ISRM (SA-ISRM) process model to complement the information security risk management process. Our argument is that the model addresses the aforementioned deficiencies through an enterprise-wide collection, analysis and reporting of risk-related information. The SA-ISRM model is adapted from Endsley's situation awareness model and has been refined using our findings from a case study of the US national security intelligence enterprise.
• We identify from the literature three deficiencies in information security risk assessment.
• We develop a security situational awareness (SA) model from Endsley's SA theory.
• We refine our model through an in-depth case study of the US intelligence enterprise.
• We show how SA can be developed using an intelligence-driven approach.
• An organization with proficient information security controls achieves better compliance, which leads to a decrease in computer-based occupational fraud.
• Information security control proficiency (ISCP) is a function of the quality of information security policy and its enforcement. Effective integration of these two aspects contributes to enhancing information security policy compliance.
As more business processes and information assets are digitized, computer resources are increasingly being misused to perpetrate fraudulent activities. Research shows that fraud committed by (or with) trusted insiders (called occupational fraud or internal organizational fraud) is responsible for significantly more damage than that committed by external actors (for example, cyber fraud). Current fraud research has primarily focused on the person perpetrating the fraud instead of the internal mechanisms organizations can employ to reduce fraud. This study examines the relationship between compliance with organizations' technology controls (primarily focused on information security) and its impact on computer-based occupational fraud. Based on general deterrence and fraud triangle theories, the study proposes information security control proficiency (ISCP), modeled as an integration of the quality of information security policy and its enforcement, as a key factor that influences information security policy compliance. We further postulate that compliance with information security policy mediates the relationship between information security control proficiency and computer-based occupational fraud. Empirical assessment supports the structure of the information security control proficiency construct. Model testing shows that information security control proficiency positively impacts information security policy compliance, which in turn deters the use of a company's computer systems and resources to conduct fraudulent activities. Thus, if an organization establishes high-quality information security policies and supports the policies with effective enforcement, it correspondingly leads to better compliance. Furthermore, less fraud is committed when compliance with information security controls is high. We offer various managerial implications and future research extension ideas.
In organizations, users' compliance with information security policies (ISP) is crucial for minimizing information security (IS) incidents. To improve users' compliance, IS managers have implemented IS awareness (ISA) programs, which are systematically planned interventions that continuously convey security information to a target audience. The underlying research analyzes IS managers' efforts to design effective ISA programs by comparing current design recommendations suggested by the scientific literature with actual design practices of ISA programs in three banks. Moreover, this study addresses how users perceive ISA programs and the related implications for compliant IS behavior. Empirically, we utilize a multiple case design to investigate three banks from Central and Eastern Europe. In total, 33 semi-structured interviews with IS managers and users were conducted, and internal materials of ISA programs such as intranet messages and posters were also considered. The paper contributes to IS compliance research by offering a comparative and holistic view of ISA program design practices. Moreover, we identified influences on users' perceptions centering on IS risks, responsibilities, ISP importance and knowledge, and neutralization behaviors. Finally, the study raises propositions regarding the relationship between ISA program designs and factors that are likely to influence users' ISP compliance.
Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since employees who comply with the information security rules and regulations of the organization are the key to strengthening information security, understanding compliance behavior is crucial for organizations that want to leverage their human capital. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards, while cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.
The article considers the process of information security from the position of cost-benefit assessment, which allows one to understand the economic aspects of a feasibility study of measures in the field of business information protection. In the practice of Russian business, information security issues are focused on compliance with the regulatory requirements of the legislation. This leads business entities to neglect the procedure of comprehensively assessing the effectiveness of measures, which should consider the costs and benefits of implementing legal, organizational, and technical information protection. At the same time, in order to meet the new conditions of technological development of society, it is necessary to revise the concept of information protection for business entities and to fix, in the information security policy, approaches to risk assessment based on asset value. The study contains a description of the cost/benefit approach to the constituent components of ensuring information security of a business process. To understand the economic aspects of information security, the research focuses on business entities of the market type of economic activity (the enterprise makes a profit in its activity). The composition of the components of the process of ensuring information security has been defined. Using risk management as an example, the costs and benefits of information security have been considered in detail.
Past research suggests that the demands of information security policies (ISPs) cause stress upon employees, leading them to violate the policies. It emphasises the distress process but overlooks a possible positive process that may arise from the ISP demands (i.e., the eustress process) and motivate employees to reduce ISP violations. This study explores both the distress and eustress processes. It proposes that the challenge and hindrance aspects of ISP demands induce these processes and subsequently affect ISP violations. In addition, employees' ISP-related self-efficacy may facilitate or impede these processes. To test the research model, a survey was conducted on 375 employees in the U.S. The results show that the challenge aspect of ISP demands elicits a positive psychological response in employees, which in turn triggers their planful problem-solving to deal with these demands. In contrast, the hindrance aspect of ISP demands provokes a negative psychological response that triggers employees' wishful thinking about ISP demands. Meanwhile, employees' self-efficacy strengthens the effect of positive psychological response on planful problem-solving. Subsequently, planful problem-solving reduces employees' intention to violate the ISP, while wishful thinking increases their intention. This dual-process view sheds new light on the connection between ISP demands and ISP violation intention.
The key threat to information security comes from employees who do not comply with information security policies. We developed a new multi-theory based model that explained employees’ adherence to security policies. The paradigm combines elements from the Protection Motivation Theory, the Theory of Reasoned Action, and the Cognitive Evaluation Theory. We validated the model by using a sample of 669 responses from four corporations in Finland. The SEM-based results showed that perceived severity of potential information security threats, employees’ belief as to whether they can apply and adhere to information security policies, perceived vulnerability to potential security threats, employees’ attitude toward complying with information security policies, and social norms toward complying with these policies had a significant and positive effect on the employees’ intention to comply with information security policies. Intention to comply with information security policies also had a significant impact on actual compliance with these policies. High-level managers must warn employees of the importance of information security and why it is necessary to carry out these policies. In addition, employees should be provided with security education and hands-on training.
Purpose: This study aims to investigate the moderating role of sociodemographic factors, specifically age and education level, in the knowledge-attitude-behavior (KAB) model concerning information security awareness (ISA) amid growing technological threats.
Design/methodology/approach: This study uses a survey methodology, collecting data from 400 working individuals in Vietnam, to test the applicability of the KAB model and evaluate the moderating effects of age and education on the model’s established relationships. In addition, the theoretical model and hypotheses were evaluated using the partial least squares structural equation model (PLS-SEM) approach.
Findings: This research confirms the relationships posited in the KAB model. Notably, it shows that younger employees showcase a more positive attitude and behavior toward information security compared with their older counterparts. In addition, higher education levels strengthen the positive association between information security knowledge and attitude. The findings underscore the imperative for organizations to consider sociodemographic variables when formulating strategies to enhance ISA.
Originality/value: This study extends the KAB model by exploring the impact of sociodemographic factors, focusing on age and education in ISA. Overcoming the oversight in current literature, particularly in the context of technological threats, the research uses PLS-SEM and targets a specific demographic in Vietnam.
• This paper synthesizes the existing literature to explain why a more holistic approach to information security management is needed in a management context.
• The paper examines articles on the related context from the last ten years.
• A rigorous method for literature search is used, with predetermined inclusion and exclusion criteria.
• Initially, more than 300 articles were downloaded for further processing; finally, 39 articles were deemed relevant to the context under study.
• The paper suggests that the management role should be considered in information security management.
Information technology has dramatically increased online business opportunities; however, these opportunities have also created serious risks in relation to information security. Previously, information security issues were studied in a technological context, but growing security needs have extended researchers' attention to the management role in information security management. Various studies have explored different management roles and activities, but none has given a comprehensive picture of these roles and activities for managing information security effectively. So it is necessary to accumulate knowledge about various managerial roles and activities from the literature to enable managers to adopt them for a more holistic approach to information security management. In this paper, using a systematic literature review approach, we synthesised literature related to management's roles in information security to explore specific managerial activities that enhance information security management. We found that numerous management activities, particularly development and execution of information security policy, awareness, compliance training, development of effective enterprise information architecture, IT infrastructure management, business and IT alignment, and human resources management, had a significant impact on the quality of information security management. Thus, this research makes a novel contribution by arguing that a more holistic approach to information security is needed, and we suggest the ways in which managers can play an effective role in information security. This research also opens up many new avenues for further research in this area.
This paper provides a systematic literature review in the information security policies' compliance (ISPC) field, with respect to information security culture, information security awareness, and information security management, exploring in various settings the research designs, methodologies, and frameworks that have evolved over the last decade. Studies conducted from 2006 to 2016 reporting results from data collected through diverse means have been explored; however, only a few studies have focused primarily on a sensitive infrastructure under risk, as is the case with higher education institutions (HEIs). This study reports that ISPC in HEIs remains scarce, as is the realization of security threats and dissemination of information security policies to end users (employees). This research makes a novel contribution to the body of knowledge as a unique study that has reviewed the influence of institutional governance in HEIs on protection motivation leading towards ISPC.