A rich stream of research has identified numerous antecedents to employee compliance (and noncompliance) with information security policies. However, the number of competing theoretical perspectives ...and inconsistencies in the reported findings have hampered efforts to attain a clear understanding of what truly drives this behavior. To address this theoretical stalemate and build toward a consensus on the key antecedents of employees' security policy compliance in different contexts, we conducted a meta-analysis of the relevant literature. Drawing on 95 empirical papers, we classified 401 independent variables into 17 distinct categories and analyzed each category's relationship with security policy compliance, including an analysis for possible domain-specific moderators. A meta-analytic relative weight analysis determined the relative importance of each category in predicting security policy compliance, while adding robustness to our findings. At a broad level, our results suggest that much of the security policy compliance literature is plagued by suboptimal theoretical framing. Our findings can facilitate more refined theory-building efforts in this research domain and serve as a guide for practitioners to manage security policy compliance initiatives.
The main purpose of this study was to examine the relationship between individuals' Information Security Awareness (ISA) and individual difference variables, namely age, gender, personality and ...risk-taking propensity. Within this study, ISA was defined as individuals' knowledge of what policies and procedures they should follow, their understanding of why they should adhere to them (their attitude) and what they actually do (their behaviour). This was measured using the Human Aspects of Information Security Questionnaire (HAIS-Q). Individual difference variables were examined via a survey of 505 working Australians. It was found that conscientiousness, agreeableness, emotional stability and risk-taking propensity significantly explained variance in individuals’ ISA, while age and gender did not. Findings highlighted the need for future research to examine individual differences and their impact on ISA. Results of the study can be applied by industry to develop tailored InfoSec training programs.
•Emotional stability was positively associated with Information Security Awareness (ISA).•Conscientiousness and agreeableness were positively associated with ISA.•Individuals with a propensity to take fewer risks scored higher on ISA.
The rapid digital transformation and technological disruption in modern organisations demand the development of people-centric security workplaces, whereby the employees can build up their security ...awareness and accountability for their actions via participation in the organisation's social networks. The social network analysis approach offers a wide array of analytical capabilities to examine in-depth the interactions and relations within an organisation, which assists the development of such security workplaces. This paper proposes the novel and practical adoption of social network analysis methods in behavioural information security field. To this end, we discuss the core features of the social network analysis approach and describe their empirical applications in a real case study of a large organisation in Vietnam, which utilised these methods to improve employees' information security awareness. Towards the end of the paper, a framework detailing the strategies for conducting social network analysis in the behavioural information security field is developed and presented.
According to research, the number of attacks on the Internet has been increasing each year. Hence, information security awareness is a very significant skill. Accordingly, this study aimed to ...investigate the effects of students’ personal factors on their information security awareness. The researchers conducted a quantitative study that examines a theoretical model. The data were collected from 684 undergraduate students via three data tools. The effects of variables on information security awareness were explained via path analysis. The mediating role of technology attitude was examined in the relationship between information security awareness and the individual variables for the first time. The findings showed that gender and grade did not directly affect information security awareness levels, while attending information security training, department and technology attitude had a significant effect. On the other hand, some personal factors indirectly affected information security awareness. This analysis offered substantial contributions to the literature in uncovering the effects of variables on students’ information security awareness in a holistic way. The results can guide planning for information security training to increase information security awareness by considering personal factors.
Information security was the main topic in this paper. An investigation of the compliance to information security policies were discussed. The author mentions that the insignificant relationship ...between rewards and actual compliance with information security policies does not make sense. Quite possibly this relationship results from not applying rewards for security compliance. Also mentions that based on the survey conducted, careless employee behavior places an organization's assets and reputation in serious jeopardy. The major threat to information security arises from careless employees who fail to comply with organizations' information security policies and procedures.
The purpose of this paper is to present a conceptual view of an Information Security Retrieval and Awareness (ISRA) model that can be used by industry to enhance information security awareness among ...employees. A common body of knowledge for information security that is suited to industry and that forms the basis of this model is accordingly proposed. This common body of knowledge will ensure that the technical information security issues do not overshadow the non-technical human-related information security issues. The proposed common body of knowledge also focuses on both professionals and low-level users of information. The ISRA model proposed in this paper consists of three parts, namely the ISRA dimensions (non-technical information security issues, IT authority levels and information security documents), information security retrieval and awareness, and measuring and monitoring. The model specifically focuses on the non-technical information security that forms part of the proposed common body of knowledge because these issues have, in comparison with the technical information security issues, always been neglected.
A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP ...violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and have hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with the employees from 48 countries working for a large multinational company.
PDF
