Search results

The study focuses on adolescents and the influence the big five great personality traits – extroversion, agreeableness, neuroticism, openness to experiences and conscientiousness – on self-disclosure. These personality traits, combined with the ability to cope with stress, determine the degree of threat felt by an individual towards their information, their evaluation of their personal ability to keep their information secure, and their willingness to secure information.

Five questionnaires relating to the big five personality traits, self-disclosure, cognitive assessment, self-efficacy and IS awareness were distributed among 157 adolescents.

Readiness for IS. Furthermore, the study showed that the more ostentatiousness, agreeable, goal oriented and open the subjects are, the lower they will evaluate the threat to their information. A relationship was also revealed between the subjects' agreeableness, goal orientation and their information threat assessment. It was also found that the more extroverted, agreeable, conscientious and the more inclined to self-disclosure, the higher they evaluate their self-ability to handle threats to their information.

For IS behavior to become second nature to adolescents they must first be educated and trained to do so. Knowing what motivates them and, on the other hand, what hinders them, to practice IS can help build training models for teachers which may be adapted according to their personal traits, thus getting the most out of such programs.

The purpose of this paper is to investigate the human-based information security (InfoSec) vulnerabilities in three Australian government organisations.

A Web-based survey was developed to test attitudes, knowledge and behaviour across eight policy-based focus areas. It was completed by 203 participants across the three organisations. This was complemented by interviews with senior management from these agencies.

Overall, management and employees had reasonable levels of InfoSec awareness. However, weaknesses were identified in the use of wireless technology, the reporting of security incidents and the use of social networking sites. These weaknesses were identified in the survey data of the employees and corroborated in the management interviews.

As with all such surveys, responses to the questions on attitude and behaviour (but not knowledge) may have been influenced by the social desirability bias. Further research should establish more extensive baseline data for the survey and examine its effectiveness in assessing the impact of training and risk communication interventions.

A new survey tool is presented and tested which is of interest to academics as well as management and IT systems (security) auditors.

The aim of this study was first to confirm that a specific bank’s employees were generally more information security-aware than employees in other Australian industries and second to identify the major factors that contributed to this bank’s high levels of information security awareness (ISA).

A Web-based questionnaire (the Human Aspects of Information Security Questionnaire – HAIS-Q) was used in two separate studies to assess the ISA of individuals who used computers at their workplace. The first study assessed 198 employees at an Australian bank and the second study assessed 500 working Australians from various industries. Both studies used a Qualtrics-based questionnaire that was distributed via an email link.

The results showed that the average level of ISA among bank employees was consistently 20 per cent higher than that among general workforce participants in all focus areas and overall. There were no significant differences between the ISA scores for those who received more frequent training compared to those who received less frequent training. This result suggests that the frequency of training is not a contributing factor to an employee’s level of ISA.

This current research did not investigate the information security (InfoSec) culture that prevailed within the bank in question because the objective of the research was to compare a bank’s employees with general workforce employees rather than compare organisations. The Research did not include questions relating to the type of training participants had received at work.

This study provided the bank’s InfoSec management with evidence that their multi-channelled InfoSec training regime was responsible for a substantially higher-than-average ISA for their employees. Future research of this nature should examine the effectiveness of various ISA programmes in light of individual differences and learning styles. This would form the basis of an adaptive control framework that would complement many of the current international standards, such as ISO’s 27000 series, NIST’s SP800 series and ISACA’s COBIT5.

Based on the literature on information security (InfoSec) education and uses and gratifications theory, the purpose of this paper is to propose and test a research model to examine the impact of InfoSec education on social media usage.

The authors employed structural equation modeling to test the research model, with a survey data set of 293 valid subjects from a WeChat subscription about InfoSec education named secrecy view.

The results reveal the significant impacts of perceived content quality, perceived social influence and perceived entertainment on user satisfaction in the context of security education and social media. User satisfaction is significantly associated with user stickiness and security knowledge improvement. Additionally, the authors found that user’s security awareness moderated the effect of perceived entertainment on user satisfaction.

Using a single sample might constrain the contributions of this study.

The authors suggest practical guidelines for InfoSec education on social media by enhancing perceived content quality. Moreover, due to diverse user attributes, the social media operators should recommend targeted content to different users.

This study contributes to studies on InfoSec education of social media usage and identifies factors that affect user satisfaction with social media. Furthermore, the study enriches the security education practices by uncovering differences in security awareness with regard to user satisfaction.

Information security (InfoSec) policy violations are of great concern to all organisations worldwide, especially in the financial industry. Although the importance of InfoSec policy has been highlighted for many decades, InfoSec breaches still occur due to a low level of employee compliance and a lack of engagement and competence in high-level management. However, previous studies have primarily investigated the behavioural aspects of InfoSec policy compliance at the individual level rather than the managerial factors involved in constructing InfoSec policy and developing its effectiveness. Thus, drawing on neo-institutional theory and a transformational leadership framework, this research investigated the influence of external mechanisms and transformational leadership on InfoSec policy effectiveness.

The research model was implemented using field survey data from professional managers in the financial sector.

The results reported that neo-institutional mechanisms and transformational leadership shape InfoSec policy effectiveness in an organisation.

This study broadens current InfoSec policy research from an individual level to a managerial perspective and enhances the existing literature on neo-institutional and transformational leadership in the context of InfoSec. It highlights the need to evaluate InfoSec policy based on external factors and to support transformational leadership styles that promote InfoSec policy enforcement and effectiveness.

This paper presents a qualitative study of penetration testing, the practice of attacking information systems to find security vulnerabilities and fixing them. The purpose of this paper is to understand whether and to what extent penetration testing can reveal various socio-organisational factors of information security in organisations. In doing so, the paper innovates theory by using Routine Activity Theory together with phenomenology of information systems concepts.

The articulation of Routine Activity Theory and phenomenology emerged inductively from the data analysis. The data consists of 24 qualitative interviews conducted with penetration testers, analysed with thematic analysis.

The starting assumption is that penetration testers are akin to offenders in a crime situation, dealing with targets and the absence of capable guardians. A key finding is that penetration testers described their targets as an installed base, highlighting how vulnerabilities, which make a target suitable, often emerge from properties of the existing built digital environments. This includes systems that are forgotten or lack ongoing maintenance. Moreover, penetration testers highlighted that although the testing is often predicated on planned methodologies, often they resort to serendipitous practices such as improvisation.

This paper contributes to theory, showing how Routine Activity Theory and phenomenological concepts can work together in the study of socio-organisational factors of information security. This contribution stems from considering that much research on information security focuses on the internal actions of organisations. The study of penetration testing as a proxy of real attacks allows novel insights into socio-organisational factors of information security in organisations.

Since the emergence of the Internet in the twentieth century and the rapid growth of different types of information technologies (IT), our lives, either personal or professional, have become digitised. Adoption and diffusion of IT enhance individuals and organisational performance, yet scholars discovered a dual nature of IT in which IT usage may have negative aspects too. First, the inability to cope with IT in a healthy manner creates stress in users, termed technostress. Second, digitisation and adoption of new technologies (e.g. IoT and multi-cloud environments) have increased vulnerabilities to information security (InfoSec) threats. Although organisations utilise counteraction strategies (e.g., security systems, security policies), end-users remain the top source of security incidents. Existing behavioural research has approached technostress and InfoSec independently. However, it is not clear how technology-stressors influence employees’ security-related behaviours. This chapter reviews the interaction effect of these concepts in detail by proposing a conceptual model that explains that technostress is the main reason for employees’ non-compliance with security policies in which users with high-level perceptions of technostress are more likely to violate InfoSec policies. Counteraction strategies to mitigate technostress and security threats are also discussed.

The purpose of this paper is to report on the use of two studies that assessed the attitudes of typical computer users. The aim of the research was to compare a self-reporting online survey with a set of one-on-one repertory grid technique interviews. More specifically, this research focussed on participant attitudes toward naive and accidental information security behaviours.

In the first study, 23 university students responded to an online survey within a university laboratory setting that captured their attitudes toward behaviours in each of seven focus areas. In the second study, the same students participated in a one-on-one repertory grid technique interview that elicited their attitudes toward the same seven behaviours. Results were analysed using Spearman correlations.

There were significant correlations for three of the seven behaviours, although attitudes relating to password management, use of social networking sites, information handling and reporting of security incidents were not significantly correlated.

The small sample size (n = 23) and the fact that participants were not necessarily representative of typical employees, may have impacted on the results.

This study contributes to the challenge of developing a reliable instrument that will assess individual InfoSec awareness. Senior management will be better placed to design intervention strategies, such as training and education of employees, if individual attitudes are known. This, in turn, will reduce risk-inclined behaviour and a more secure organisation.

The literature review indicates that this study addresses a genuine gap in the research.

This paper aims to examine the influence of response awareness on behavioral intent, and introduces instructional self-efficacy, a construct rarely examined within the context of information security (ISec).

A Web-based survey was conducted and a total of 211 valid responses were analyzed. The relationships among response awareness, instructional self-efficacy and behavioral intent were examined through a three-phase structural equation modeling analysis.

The results indicate that even at low levels, response awareness has a strong influential effect on the behavioral intent to perform the secure response and on the self-efficacy to instruct others to perform the response. Instructional self-efficacy was also found to be a significant predictor of behavioral intent to perform the response. Finally, evidence was found indicating instructional self-efficacy fully mediates the response awareness to the behavioral intent relationship.

Because of the characteristics of the population, the focus on a single ISec response and the dependent variable of behavioral intent rather than actual behavior, the generalizability of the findings is impacted.

The results contribute to practice by confirming the importance of response awareness and of instructional self-efficacy within an ISec context. Specific implications include the indication that informal communications about ISec issues among peers should be encouraged and that instructional self-efficacy should be targeted within ISec awareness training programs.

This paper’s parsimonious model defined response awareness as vicarious experience with a response and presented instructional self-efficacy, a construct novel to ISec studies that was found to be a significant influence within the relationship between response awareness and behavioral intent.

As insiders remain to be a main reason behind security breaches, effective information security awareness campaigns become critical in protecting organizations from security incidents. The purpose of this paper is to identify factors that influence organizational adoption and acceptance of computer-based security awareness training tools.

The paper uses content analysis of online reviews of the top ten computer-based security awareness training tools that received Gartner peer insights Customers’ Choice 2019 award.

This study identifies nine critical adoption and success factors. These are synthesized into a conceptual framework based on the technology–organization–environment framework. The findings reveal that technological, organizational and environmental factors come into play in adoption decisions but with varying degrees of importance.

This study highlights key factors that technology vendors should take into consideration when designing computer-based security awareness training tools to increase adoption rates.

This research offers a novel contribution to the literature on information security awareness delivery methods by identifying key factors that influence organizational adoption and acceptance of computer-based security awareness training tools. Those factors were identified using content analysis of online reviews, which is a new methodological approach to the information security awareness literature.