Search results

1 – 10 of over 66000
Article
Publication date: 16 March 2012

K. Thomson and J. van Niekerk

Abstract

Purpose

The protection of organisational information assets is a human problem. It is widely acknowledged that an organisation's employees are the weakest link in the protection of the organisation's information assets. Most current approaches towards addressing this human problem focus on awareness and educational activities and do not necessarily view the problem from a holistic viewpoint. Combating employee apathy and motivating employees to see information security as their problem is often not adequately addressed by “isolated” awareness activities. The purpose of this paper is to show how employee apathy towards information security can be addressed through the use of existing theory from the social sciences.

Design/methodology/approach

By means of a literature study, three key organizational environments that could exist are identified and explored. Goal‐setting theory is then investigated. Finally, arguments are presented to show how goal‐setting theory could be used to actively foster an organizational environment in which employees will view their roles and responsibilities towards information security as prosocial behaviour.

Findings

The work in the paper is primarily of a conceptual nature. However, the authors believe that encouraging such prosocial behaviour could contribute towards an organizational culture of information security.

Originality/value

The paper examines the motivation of employees to actively contribute towards information security from an organisational science perspective.

Details

Information Management & Computer Security, vol. 20 no. 1
Type: Research Article
ISSN: 0968-5227

Article
Publication date: 29 July 2022

Kristina Gyllensten, Marianne Törner and Anders Pousette

Abstract

Purpose

The purpose of this paper is to investigate the relations among job resources, value conflicts, information security climate and information security behaviour in the nuclear industry.

Design/methodology/approach

Longitudinal questionnaire data on information security climate and psychosocial working conditions were collected from two organisations in Sweden (response rate 62% and 59%, respectively).

Findings

A high occurrence of value conflicts decreased the participative information security behaviour, while psychosocial job resources and high job demands had positive effects on such behaviour. High rule-compliant information security behaviour led to fewer perceived value conflicts. When job resources were high, high job demands had a positive effect on rule compliance. Information security climate had a strong and positive cross-sectional relationship with information security behaviour but no longitudinal influence on behaviour. This suggests that the time interval, one year between measurements, may have been too long and events between measurements may have masked the causal process.

Originality/value

As one of very few longitudinal studies of information security, this study illuminated causal relationships regarding information security behaviour that have not been possible to identify in previous cross-sectional research. This enables better understanding of psychosocial phenomena and processes of importance for information security. This study does not provide conclusive results but indicates new important directions for research.

Details

Information & Computer Security, vol. 31 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 6 November 2017

Xiao Juan Zhang, Zhenzhen Li and Hepu Deng

Abstract

Purpose

Understanding user behavior is increasingly critical for information security in the use of smartphones. There is, however, a lack of empirical studies about the behavior of smartphone users for information security in China. The purpose of this paper is to present an empirical analysis of the behavior of smartphone users in China in relation to information security.

Design/methodology/approach

A review of the related literature is conducted, leading to the development of a questionnaire for investigating the behavior of smartphone users. An online survey of the smartphone users in China is conducted. The collected data are analyzed with the use of descriptive analysis and Pearson’s chi-square test to better understand the behavior of smartphone users on information security.

Findings

The paper shows that there are serious concerns about information security in the use of smartphones in China including the ignorance of security information in downloading and using applications, inadequate phone settings, inappropriate enabling of add-on utilities and lack of proper disaster recovery plans. The study also reveals that there is a significant difference between different groups of users on information security in smartphone use.

Research limitations/implications

This paper is based on a purposeful sample of smartphone users in China. It is exploratory in nature.

Practical implications

The paper can lead to a better understanding of the behavior of smartphone users and information security in China and provide relevant government departments and institutions with useful information for developing appropriate strategies and policies and designing specific training programs to improve information security in smartphone use.

Originality/value

This paper is the first of this kind to collect quantitative data from users in China for better understanding the behavior of smartphone users on information security. It provides insight towards the adoption of various measures for information security from the perspective of smartphone users in China.

Details

The Electronic Library, vol. 35 no. 6
Type: Research Article
ISSN: 0264-0473

Article
Publication date: 25 February 2019

Zauwiyah Ahmad, Thian Song Ong, Tze Hui Liew and Mariati Norhashim

Abstract

Purpose

The purpose of this research is to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour. Security assurance behaviour represents employees’ intentional and effortful actions aimed towards protecting information systems. The behaviour is highly desired as it tackles the human factor within the information security framework. The authors posited that security assurance behaviour is a learned behaviour that can be enhanced by the implementation of information security monitoring.

Design/methodology/approach

Six constructs in the theoretical framework underlying this study, namely, subjective norm, outcome expectation, information security monitoring, information security policy, self-efficacy and perceived inconvenience, were identified as significant in determining employees’ security assurance behaviour (SAB). The influence of these constructs on SAB could be explained by social cognitive theory and is empirically supported by past studies. An online questionnaire survey is adopted as the main research instrument to elicit information on the six constructs tested in this study. Opinions from industry and academic expert panels on the relevance and face validity of the questionnaire were obtained prior to the survey administration.

Findings

Findings from this research indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. This study also demonstrates that employees tend to abandon security behaviour when the behaviour is perceived as inconvenient. Hence, organisations must find ways to reduce the perceived inconvenience using various security automation methods and specialised security training. Reducing perceived inconvenience is a challenge to information security practitioners.

Research limitations/implications

There are some limitations in the existing work that could be addressed in future studies. One of them is the possible social desirability bias due to the self-reported measure adopted in the study. Even though the authors have made every effort possible to collect representative responses via anonymous survey, it is still possible that the respondents may not reveal true behaviour as good conduct is generally desired. This may lead to a bias towards favourable behaviour.

Practical implications

In general, the present research provides a number of significant insights and valuable information related to security assurance behaviour among employees. The major findings could assist security experts and organisations to develop better strategies and policies for information security protection. Findings of this research also indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy.

Social implications

In this research, the social cognitive learning theory is used to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour; the finding implies that monitoring emphasises expected behaviours and helps to reinforce organisational norms. Monitoring may also accelerate learning when employees become strongly mindful of their behaviours. Hence, it is important for organisations to communicate the monitoring practices implemented, and even more imperative whenever the security monitoring employed is unobtrusive in nature. Nonetheless, care must be taken in this communication to avoid resentment and mistrust among employees.

Originality/value

This study is significant in a number of ways. First, this study highlights significant antecedents of security assurance behaviour, which helps organisations to assess their current practices, which may nurture or suppress information security. Second, using users’ perspective, this study provides recommendations pertaining to monitoring as a form of information security measure. Third, this study provides theoretical contribution to the existing information security literature via the application of the social cognitive learning theory.

Details

Information & Computer Security, vol. 27 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 8 June 2015

Teodor Sommestad, Henrik Karlzén and Jonas Hallberg

Abstract

Purpose

This paper aims to challenge the assumption that the theory of planned behaviour (TPB) includes all constructs that explain information security policy compliance and investigates if anticipated regret or constructs from the protection motivation theory add explanatory power. The TPB is an established theory that has been found to predict compliance with information security policies well.

Design/methodology/approach

Responses from 306 respondents at a research organization were collected using a questionnaire-based survey. Extensions in terms of anticipated regret and constructs drawn from the protection motivation theory are tested using hierarchical regression analysis.

Findings

Adding anticipated regret and the threat appraisal process results in improvements of the predictions of intentions. The improvements are of sufficient magnitude to warrant adjustments of the model of the TPB when it is used in the area of information security policy compliance.

Originality/value

This study is the first test of anticipated regret as a predictor of information security policy compliance and the first to assess its influence in relation to the TPB and the protection motivation theory.

Details

Information & Computer Security, vol. 23 no. 2
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 12 October 2015

Bukelwa Ngoqo and Stephen V. Flowerday

Abstract

Purpose

The purpose of this paper was to analyse existing theories from the social sciences to gain a better understanding of factors which contribute to student mobile phone users’ poor information security behaviour. Two key aspects associated with information security behaviour were considered, namely, awareness and behavioural intent. This paper proposes that the knowing-and-doing gap can possibly be reduced by addressing both awareness and behavioural intent. This research paper explores the relationship between student mobile phone user information security awareness and behavioural intent in a developmental university in South Africa.

Design/methodology/approach

Information security awareness interventions were implemented in this action research study, and student information security behavioural intent was observed after each cycle.

Findings

The poor security behaviour exhibited by student mobile phone users, which was confirmed by the findings of this study, is of particular interest in the university context, as most undergraduate students are offered a computer-related course which covers certain information security-related principles. Existing researchers in the field of information security still grapple with the “knowing-and-doing” gap, where user information security knowledge/awareness sometimes does not result in safer behavioural practices.

Originality/value

Zhang et al. (2009) suggest that understanding human behaviour is important when dealing with the problems caused by human errors. Harnesk and Lindstrom (2011) expressed a concern that existing research does not address the interlinked relationship between anticipated security behaviour and the enactment of security procedures. This study acknowledges the contribution of Choi et al. (2008), whose discussion of the “knowing-and-doing gap” suggests a link between awareness and actual behaviour that is confirmed by the findings of this study.

Details

Information & Computer Security, vol. 23 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 5 April 2021

Dirk P. Snyman and Hennie Kruger

Abstract

Purpose

This paper aims to present the development of a framework for evaluating group behaviour in information security in practice.

Design/methodology/approach

Information security behavioural threshold analysis is used as the theoretical foundation for the proposed framework. The suitability of the proposed framework is evaluated based on two sets of qualitative measures (general frameworks and information security frameworks) which were identified from literature. The successful evaluation of the proposed framework, guided by the identified evaluation measures, is presented in terms of positive practical applications, as well as positive peer review and publication of the underlying theory.

Findings

A methodology to formalise a framework to analyse group behaviour in information security can successfully be applied in a practical environment. This application takes the framework from only a theoretical conceptualisation to an implementable solution to evaluate and positively influence information security group behaviour.

Practical implications

Behavioural threshold analysis is identified as a practical mechanism to evaluate information security group behaviour. The suggested framework, as implemented in a management decision support system (DSS), allows practitioners to assess the security behaviour and awareness in their organisation. The resulting information can be used to exert an influence for positive change in the information security of the organisation.

Originality/value

A novel conceptual mapping of two sets of qualitative evaluation measures is presented and used to evaluate the proposed framework. The resulting framework is made practical through its encapsulation in a DSS.

Details

Information & Computer Security, vol. 29 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 4 September 2018

Shohana Nowrin and David Bawden

Abstract

Purpose

The purpose of this study is to understand the information security behaviour of the students of the University of Dhaka, Bangladesh in the use of smartphones. Bangladesh is well-known as one of the largest and fastest growing mobile phone markets in the world, and the University of Dhaka is also the largest students’ assembly in the country in terms of using smartphones. Besides, the rising use of smartphones is also likely to be typical of other sub-continent countries.

Design/methodology/approach

To gain an understanding of the information security behaviours of the students of University of Dhaka, Bangladesh, a quantitative survey method was deployed in revealing the approaches of the students towards avoidance of various security risks. A total of 356 students participated in the study, although eight of the participants did not carry out the full survey because they do not use smartphones. The collected data were analysed with suitable statistical methods.

Findings

The findings of the study reveal that students of University of Dhaka possess a moderately secure behaviour in terms of avoiding harmful behaviours, using useful phone settings and add-on utilities and disaster recovery. This study also shows that the students do not behave securely in all aspects of using different security features in the same way, and it also varies somewhat according to gender, and between faculties and institutions. The university library is recommended as the focus for instruction and guidance on the best practice in smartphone use by students.

Research limitations/implications

The study does not include any other universities of Bangladesh except the University of Dhaka due to the shortage of time. A further study can be conducted to gain an understanding to a greater extent by including students of the other universities and perhaps also other countries.

Originality/value

This is the first paper in Bangladesh related to the study of information security behaviour regarding the use of smartphones among the students of the University of Dhaka. This study will help to raise information security awareness among the students and encourage the authorities to adopt appropriate strategies and policies to resolve information security risks in the use of smartphones. In particular, the university library can take some initiatives in this case, such as providing advice, seminars, workshops and lectures to make the students aware of security issues.

Details

Information and Learning Science, vol. 119 no. 7/8
Type: Research Article
ISSN: 2398-5348

Article
Publication date: 8 July 2021

Tanya McGill and Nik Thompson

Abstract

Purpose

Information technology users often fail to adopt necessary security and privacy measures, leading to increased risk of cybercrimes. There has been limited research on how demographic differences influence information security behaviour and understanding this could be important in identifying users who may be more likely to have poor information security behaviour. This study aims to investigate whether there are any gender differences in security and privacy behaviours and perceptions, to identify potential differences that may have implications for protecting users’ privacy and securing their devices, software and data.

Design/methodology/approach

This paper addresses this research gap by investigating security behaviours and perceptions in the following two studies: one focussing on information security and one on information privacy. Data was collected in both studies using anonymous online surveys.

Findings

This study finds significant differences between men and women in over 40% of the security and privacy behaviours considered, suggesting that overall levels of both are significantly lower for women than for men, with behaviours that require more technical skill being adopted less by female users. Furthermore, individual perceptions exhibited some gender differences.

Originality/value

This research suggests that potential gender differences in some security and privacy behaviours and perceptions should be taken into account when designing information security education, training and awareness initiatives for both organisations and the broader community. This study also provides a strong foundation to explore information security individual differences more deeply.

Details

Information & Computer Security, vol. 29 no. 5
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 14 November 2016

Wayne D. Kearney and Hennie A. Kruger

Abstract

Purpose

The purpose of this paper is to discuss and theorise on the appropriateness and potential impact of risk homeostasis in the context of information security.

Design/methodology/approach

The discussion is mainly based on a literature survey backed up by illustrative empirical examples.

Findings

Risk homeostasis in the context of information security is an under-explored topic. The principles, assumptions and methodology of a risk homeostasis framework offer new insights and knowledge to explain and predict contradictory human behaviour in information security.

Practical implications

The paper shows that explanations for contradictory human behaviour (e.g. the privacy paradox) would gain from considering risk homeostasis as an information security risk management model. The ideas discussed open up the prospect to theorise on risk homeostasis as a framework in information security and should form a basis for further research and practical implementations. On a more practical level, it offers decision makers useful information and new insights that could be advantageous in a strategic security planning process.

Originality/value

This is the first systematic comprehensive review of risk homeostasis in the context of information security behaviour and readers of the paper will find new theories, guidelines and insights on risk homeostasis.

Details

Information & Computer Security, vol. 24 no. 5
Type: Research Article
ISSN: 2056-4961
