To read this content please select one of the options below:

Hey “CSIRI”, should I report this? Investigating the factors that influence employees to report cyber security incidents in the workplace

Kristiina Ahola (Defence Science and Technology Group Edinburgh, Edinburgh, Australia)
Marcus Butavicius (Australian Defence Science and Technology Group, Edinburgh, Australia)
Agata McCormac (Defence Science and Technology Group Edinburgh, Edinburgh, Australia)
Daniel Sturman (School of Psychology, The University of Adelaide, Adelaide, Australia)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 16 August 2024

179

Abstract

Purpose

Cyber security incidents pose a major threat to organisations. Reporting cyber security incidents and providing organisations with information about their true nature, type and volume, is crucial to inform risk-based decisions. Despite the importance of reporting cyber security incidents, little research has addressed employees’ motivations to do so. Therefore, the purpose of this study is to investigate the factors that influence employees to report cyber security incidents using the theory of planned behaviour as a theoretical framework.

Design/methodology/approach

Survey data were collected from a sample of 549 working Australian adults. Demographics were gathered, in addition to data using the Cyber Security Incident Reporting Inventory (CSIRI; pronounced, “Siri”).

Findings

Attitude towards reporting, subjective norms and perceived behavioural control each significantly predicted intention-to-report cyber security incidents. Perceived behavioural control also significantly predicted actual reporting behaviour.

Research limitations/implications

The results of this study validate the application of the theory of planned behaviour to the cyber security incident reporting context, also indicating that the relationship between intention to report a cyber security incident and actual reporting behaviour may be facilitated by perceived behavioural control.

Practical implications

These findings can be applied to inform the development of strategies that increase employees’ cyber security incident reporting behaviour.

Originality/value

This study outlines the development of a new tool to measure attitudes, subjective norms and perceived behavioural control in relation to the reporting of cyber security incidents. To the best of the authors’ knowledge, this is the first study of its kind to identify the relationship between these factors and intentions to report cyber security incidents.

Keywords

Acknowledgements

The authors would like to acknowledge the help of Dr Andrew Reeves and Dr Malcolm Pattinson for discussions on the refinement of the Cyber Security Incident Reporting Inventory. This work was supported by Defence Science and Technology Group via completion of an Industry Experience Placement.

Declaration statement: The authors declare that there are no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Citation

Ahola, K., Butavicius, M., McCormac, A. and Sturman, D. (2024), "Hey “CSIRI”, should I report this? Investigating the factors that influence employees to report cyber security incidents in the workplace", Information and Computer Security, Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/ICS-11-2023-0214

Publisher

:

Emerald Publishing Limited

Copyright © 2024, Emerald Publishing Limited

Related articles