Search results

The purpose of this preliminary empirical research study is to understand how environmental disruption such as brought on by the COVID-19 pandemic induces shifts in organisational culture, information security culture and subsequently employee information security compliance behaviour.

A single-organisation case study was used to develop understanding from direct experiences of organisational life. Both quantitative and qualitative data were collected using a sequential mixed methods approach, with the qualitative phase following the quantitative to achieve complementarity and completeness in analysis. For the quantitative phase, 48 useful responses were received after a questionnaire was sent to all 150–200 employees. For the qualitative phase, eight semi-structured interviews were conducted. Statistical software was used to analyse the quantitative data and NVivo software was used to analyse the qualitative data.

The pandemic-induced environmental disruption manifested as a sudden shift to work-from-home for employees, and relatedly an increase in cybercrime. The organisational response to this gave rise to shifts in both organisational and information security culture towards greater control (rule and goal orientations) and greater flexibility (support and innovation orientations), most significantly with information security culture flexibility. The net effect was an increase in employee information security compliance.

The vast literature on organisational culture and information security culture was drawn on to theoretically anchor and develop parsimonious measures of information security culture. Environmental disruptions such as those caused by the pandemic are unpredictable and their effects uncertain, hence, the study provides insight into the consequences of such disruption on information security in organisations.

The purpose of this research is to study how compliance evaluation becomes performed in practice. Compliance evaluation is a common practice among organizations that need to evaluate their posture against a set of criteria (e.g. a standard, legislative framework and “best practices”). The results of these evaluations have significant importance for organizations, especially in the context of information security and continuity. The author argues that how these evaluations become performed is not merely a “social” activity but shaped by the materiality of the evaluation criteria

The authors adopt a sociomaterial practice-based view to study the compliance evaluation through in situ participant observations from compliance evaluation workshops to evaluate organizational compliance against a information security and business continuity criteria. The empirical material was analyzed to construct vignettes that serve to illustrate the practice of compliance evaluation.

The research analysis shows how the information security and business continuity criteria themselves partake in the compliance evaluations by operating through (ventriloqually) the evaluators on three strata: the material, the textual and the structural. The author also provides a conceptualization of a hybrid agency.

This research contributes to lack of studies on the organizational-level compliance. Further, the research is an original contribution to information security and business continuity management by focusing on the practices of compliance evaluation. Further, the research has theoretical novelty by adopting the ventriloqual agency as a hybrid agency to study the sociomateriality of a phenomenon.

This investigation serves a dual purpose: providing preliminary results and serving as a pilot study to confirm the viability of the hypotheses advanced towards a full-scale study. This paper aims to present the preliminary findings of an investigation that explored the constructs of personality traits and situational crime prevention theory (SCPT) as antecedents to social cognitive determinants (attitude, perceived behavioural control and subjective norms using the theory of planned behaviour [TPB] framing) and how these elements subsequently estimate compliant information security behaviour. Moreover, this paper delves into the contrasting influences of light and dark personality traits on insider information security compliance.

A cross-sectional survey was conducted to study SCPT measures and the personality factors dyad using a diverse but limited sample (n = 82).

There were ten significant direct relationships between SCPT factors and personality traits related to the components of the TPB. Seventeen hypotheses were not supported. However, these findings highlight the complexity of the topic under study.

Understanding individual differences within the compliance model could be used for custom training protocols, employee selection, assignment and specific types of information security interventions.

There is a scarcity of studies considering the effects of situational and personality factors, specifically the dark versus light triad of personality traits within the information security domain. Therefore, this preliminary result provides early insight that could guide further studies. This research could have important implications for organisations at risk of insider attacks.

This study aims to investigate the impact of employees’ engagement in government social media (GSM) on their cybersecurity compliance attitude, protection motivation and protective behavior, thereby contributing to effective cybersecurity practices at organizations.

A quantitative cross-sectional field survey was conducted to collect primary data in big cities and large provinces in Vietnam. The final data set of 323 responses was analyzed using the partial least squares-structural equation modeling approach to interpret the results and test research hypotheses.

Engagement in GSM positively influences employees’ cybersecurity compliance attitude (ATT). Perceived threat vulnerability and response efficacy also contribute to a positive compliance attitude, although self-efficacy has a negative impact. Moreover, the cybersecurity compliance ATT significantly explains the information protection motivation, which in turn influences employee protective behaviors. However, the relationship between compliance attitude and protective behaviors is weak, unlike previous studies that found a strong correlation.

Although recent studies have explored specific information security practices in corporate and home contexts, the influence of GSM on individuals’ cybersecurity behaviors has received limited attention because of its novelty. This study contributes to the existing body of knowledge by investigating the impact of GSM on cybersecurity behaviors. This study provides significant contributions to understanding social media’s effects of social media on individuals’ cultivation processes, by expanding upon the protective motivation theory and cultivation theory. The results lead to practical suggestions for organizational managers and policymakers so that they can enhance their understanding of the importance of cybersecurity, encourage the implementation of self-defense strategies and highlight the significance of threat and coping evaluations in influencing attitudes and motivations.

A research line has emerged that is concerned with investigating human factors in information systems and cyber-security in organizations using various behavioural and socio-cognitive theories. This study aims to explore human and contextual factors influencing cyber security behaviour in organizations while drawing implications for cyber-security in higher education institutions.

A systematic literature review has been implemented. The reviewed studies have revealed various human and contextual factors that influence cyber-security behaviour in organizations, notably higher education institutions.

This review study offers practical implications for constructing and keeping a robust cyber-security organizational culture in higher education institutions for the sustainable development goals of cyber-security training and education.

The value of the current review arises in that it presents a comprehensive account of human factors affecting cyber-security in organizations, a topic that is rarely investigated in previous related literature. Furthermore, the current review sheds light on cyber-security in higher education from the weakest link perspective. Simultaneously, the study contributes to relevant literature by gaining insight into human factors and socio-technological controls related to cyber-security in higher education institutions.

IT security compliance is critical to the organization’s success, and such compliance depends largely on IT leadership. Considering the prevalence of unconscious gender biases and stereotyping at the workplace and growing female leadership in IT, the authors examine how the internalization of stereotype beliefs, in the form of the employee’s gender, impacts the relationships between leadership characteristics and IT security compliance intentions.

A controlled experiment using eight different vignettes manipulating Chief Information Officer (CIO) gender (male/female), Information Technology (IT) expertise (low/high) and leadership style (transactional/transformational) was designed in Qualtrics. Data were gathered from MTurk workers from all over the US.

The findings suggest that both CIOs' and employees' gender play an important role in how IT leadership characteristics – perceived expertise and leadership style – influence the employees' intentions and reactance to comply with CIO security recommendations.

This study's findings enrich the security literature by examining the role of leadership styles on reactance and compliance intentions. They also provide important theoretical implications based on gender stereotype theory alone: First, the glass ceiling effects can be witnessed in how men and women employees demonstrate prejudice against women CIO leaders through their reliance on perceived quadratic CIO IT expertise in forming compliance intentions. Secondly, this study's findings related to gender role internalization show men and women have a prejudice against gender-incongruent roles wherein women employees are least resistive to transactional male CIOs, and men employees are less inclined to comply with transactional female CIOs confirm the findings related to gender internationalization from Hentschel et al. (2019).

This study highlights the significance of organizations and individuals actively promoting gender equality and fostering environments that recognize women's achievements. It also underscores the importance of educating men and women about the societal implications of stereotyping gender roles that go beyond the organizational setting. This research demonstrates that a continued effort is required to eradicate biases stemming from gender stereotypes and foster social inclusion. Such efforts can positively influence how upcoming IT leaders and employees internalize gender-related factors when shaping their identities.

This study shows that more work needs to be done to eliminate gender stereotype biases and promote social inclusion to positively impact how future IT leaders and employees shape their identities through internalization.

This study redefines the concept of “sticky floors” to explain how subordinates can hinder and undermine female leaders, thereby contributing to the glass ceiling effect. In addition, the study elucidates how gender roles shape employees' responses to different leadership styles through gender stereotyping and internalization.

Current research aims to investigate whether it would be possible to identify all information security policy (ISP) writing styles and how these would influence ISP compliance. Almost all businesses use ISPs to establish boundaries and require secure behaviour from their employees. Unfortunately, professional surveys and academic research demonstrate a high level of non-compliance with the ISP. While the justification for the employee’s behaviour has been discussed, very few research papers have investigated whether the ISP writing style impacted the intent to comply with ISP. The research methodology incorporates content analysis and a quantitative descriptive review of published papers on ISP and non-IS policy compliance. The theoretical research allowed the identification of five major ISP writing styles: belonging, deterrence, goal, motivation, and specialist, as well as writing style influencers such as timeliness and readability. To achieve a higher level of compliance with the ISP, it was suggested that the writing styles of belonging, goal, and motivation be used primarily. Deterrence is generally discouraged. The study enabled us to determine when ISP writing styles were mentioned and the type of influence on the intent to comply with ISP. It also allowed for comparison and possible differences in ISPs versus standard workplace policies. There are proposals on which writing styles to put forward, along with recommendations on creating an ISP.

Organisations use a variety of technical, formal and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees to manage security-related risks. The purpose of this research is to explore the homeostatic mechanism proposed by risk homeostasis theory (RHT), as well as security fatigue, in an organisational context.

A case study approach was used to investigate the topic, focusing on data specialists who regularly work with sensitive information assets. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company.

A thematic analysis of the data revealed risk perceptions, behavioural adjustments and indicators of security fatigue. The findings provide examples of how these concepts manifest in practice and confirm the relevance of RHT in the security domain.

This research illuminates homeostatic mechanisms in an organisational security context. It also illustrates links with security fatigue and how this could further impact risk. Examples and indicators of security fatigue can assist organisations with risk management, creating “employee-friendly” policies and procedures, choosing appropriate technical security solutions and tailoring security education, training and awareness activities.

This paper aims to explore the factors affecting cybersecurity implementation in organizations in various countries and develop a cybersecurity framework to improve cybersecurity practices within organizations for cybersecurity risk management through a systematic literature review (SLR) approach.

This SLR adhered to RepOrting Standards for Systematics Evidence Syntheses (ROSES) publication standards and used various research approaches. The study’s article selection process involved using Scopus, one of the most important scientific databases, to review articles published between 2014 and 2023.

This review identified the four main themes: individual factors, organizational factors, technological factors and governmental role. In addition, nine subthemes that relate to these primary topics were established.

This research sheds light on the multifaceted nature of cybersecurity by exploring factors influencing implementation and developing an improvement framework, offering valuable insights for researchers to advance theoretical developments, assisting industry practitioners in tailoring cybersecurity strategies to their needs and providing policymakers with a basis for creating more effective cybersecurity regulations and standards.

Purpose: The study is designed to investigate internal audit functions in banks’ cyber security governance processes by assessing the pros and cons of blockchain technology through swot analysis.

Need of the Study: The study is needed to clarify the complexities in internal audit fields integrated into cyber security governance and explore the blockchain application opportunities.

Methodology: Blockchain technology is explored from the point of technical concepts and policy framework by swot analysis to propose a set of solutions for continuous audit methods in cyber security governance.

Limitations: The sample of this study is limited to the personal ideas and evaluations of academicians, experts in the banking sector and legal regulators of Türkiye, with the data received between March and December 2021.

Findings: Blockchain technology can be applied as an alternative to conventional risk control methods as a mechanism of continuous audit methods to reduce human mistakes and special causes.

Practical Implications: The control of risk management operations for cyber security processes should be performed with the support of audit units of the banks. Therefore, innovations are being implemented to cyber-risk controls to drop the defects that cause technical and ethical issues with blockchain technology as a way of using automation. So, this advancement can be applied in audit operations practically for unanticipated events which can emerge in cyberspace to mitigate inherent risk to residual levels. However, there is ample room to adapt this technology for cyber security management and audit practices from the point of view of the labour force, regulations and environmental issues.