Search results

1 – 10 of over 85000
Article
Publication date: 10 October 2016

Hiep-Cong Pham, Jamal El-Den and Joan Richardson

Abstract

Purpose

This paper aims to extend current information security compliance research by adapting the “work-stress model” of the extended Job Demands-Resources model to explore how security compliance demands, organization and personal resources influence end-user security compliance. The paper proposes security compliance burnout and security engagement as the mediating factors between security compliance demands, organizational and personal resources and individual security compliance.

Design/methodology/approach

The authors used a multi-case in-depth interview method to explore the relevance and significance of security demands, organizational resources and personal resources on security compliance at work. Seventeen participants in three organizations including a bank, a university and an oil distribution company in Vietnam were interviewed during a four-month period.

Findings

The study identified three security demands, three security resources and two aspects of personal resources that influence security compliance. The study demonstrates that the security environment factors such as security demands and resources affected compliance burden and security engagement. Personal resources could play an integral role in moderating the impact of security environment on security compliance.

Research limitations/implications

The findings presented are not generalizable to the wider population of end-users in Vietnam due to the small sample size used in the interviews. Further quantitative studies need to measure the extent of each predictor on security compliance.

Originality/value

The originality of the research stems from proposing not only stress-based but also motivating factors from the security environment on security compliance. By using qualitative approach, the study provides more insight to understand the impact of the security environments on security compliance.

Details

Information & Computer Security, vol. 24 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 22 September 2023

Ali Vedadi, Nita Brooks and Tim Greer

Abstract

Purpose

Many organizations struggle to utilize security-as-a-service (SecaaS) advantages effectively, thus challenging the assumption that adopting the SecaaS model will necessarily lead to post-adoption satisfaction. This research paper draws on the organizational mindfulness theory and investigates the factors that lead to satisfaction with SecaaS.

Design/methodology/approach

The key informant-based survey approach was employed to collect data from 215 organizations that were using the SecaaS model. PLS was used for data analysis.

Findings

Organizations with greater extents of internal security resources report higher satisfaction levels with SecaaS, thanks to the mediating effect of organizational mindfulness, and organizations with extensive and mature security auditing were especially well-positioned to experience satisfaction with SecaaS.

Originality/value

This research provides new theoretical insights into the conditions under which organizations' post-adoption satisfaction with the SecaaS model is shaped by investigating the role of internal security resources and organizational mindfulness.

Details

Journal of Enterprise Information Management, vol. 36 no. 6
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 1 October 2019

Ying Li, Ting Pan and Nan (Andy) Zhang

Abstract

Purpose

This paper is to investigate how employees respond to information security policies (ISPs) when they view the policies as a challenge rather than a hindrance to work. Specifically, the authors examine the roles of challenge security demands (i.e. continuity and mandatory) and psychological resources (i.e. personal and job resources) in influencing employees’ ISP non-compliance.

Design/methodology/approach

Applying a hypothetical scenario-based survey method, the authors tested our proposed model in six typical ISPs violation scenarios. In sum, 347 responses were collected from a global company. The data were analyzed using partial least square-based structural equation model.

Findings

Findings indicated that continuity and mandatory demands increased employees’ level of perseverance of effort, which, in turn, decreased their ISPs non-compliance intention. In addition, job resources, such as the trust enhancement gained from co-workers and the opportunities for professional development, enhanced the perseverance of effort.

Practical implications

The findings offer implications to practice by suggesting that organizations should design training programs to persuade employees to understand the ISPs in a positive way. Meanwhile, organizations should encourage employees to invest more personal resources by creating a trusting atmosphere and providing them opportunities to learn security knowledge and skills.

Originality/value

This study is among the few to empirically explore how employees respond and behave when they view the security policies as challenge stressors. The paper also provides a novel understanding of how psychological resources contribute to buffering ISP non-compliance.

Details

Journal of Enterprise Information Management, vol. 33 no. 1
Type: Research Article
ISSN: 1741-0398

Book part
Publication date: 28 March 2022

Anca Băndoi, Cătălina Sitnikov, Daniela Dănciulescu, Lucian Mandache and Ionut Riza

Abstract

Although risks are present in any organisation and the importance of their study is obvious, the authors find that risk analysis is an area still in its infancy, as reflected in the small number of existing publications on this topic. Human resources tend to understand risk in an elementary way. The ability of human resources to perceive risk is the ability and competence to identify a potential threat that does not always appear.

Aim: The aim of this chapter was to provide additional knowledge on human resource competencies, in order to avoid the emergence and spread of risks at the organisational and cyber level.

Methodology: The authors used the quantitative–comparative analysis, by presenting all the details regarding the competencies of the human resource in order to manage the risks at organisational and cybernetic level.

Findings: The findings of this chapter show that the compulsory competencies of the human resource influence both the general competencies and the special competencies: information technology and communications, security ethics and economic ones. These, in turn, can improve or diminish cyber security competencies by almost 50%.

Originality of the Study: This study is highlighted by results obtained from the analysis of the capacity of human resources, to integrate theoretical knowledge and practical competencies on the perception of cyber risk. Of particular importance for this research are the analysis of data and the interpretation of results on human resources competencies. In this sense, throughout the chapter are assessed the skills of human resources, necessary for the management of cyber risks at the organisational level. In terms of future research implications, it could be important research to identify a method of assessing the competencies acquired by human resources applied from the perspective of cyber risk.

Details

Managing Risk and Decision Making in Times of Economic Distress, Part B
Type: Book
ISBN: 978-1-80262-971-2

Article
Publication date: 11 June 2019

Peace Kumah, Winfred Yaokumah and Eric Saviour Aryee Okai

Abstract

Purpose

This study aims to develop a conceptual model and assess the extent to which pre-, during- and post-employment HR security controls are applied in organizations to manage information security risks.

Design/methodology/approach

The conceptual model is developed based on the agency theory and the review of theoretical, empirical and practitioner literature. Following, empirical data are collected through a survey from 134 IT professionals, internal audit personnel and HR managers working within five major industry sectors in a developing country to test the organizational differences in pre-, during- and post-employment HR security measures.

Findings

Using analysis of variance, the findings reveal significant differences among the organizations. Financial institutions perform better in employee background checks, terms and conditions of employment, management responsibilities, security education, training and awareness and disciplinary process. Conversely, healthcare institutions outperform other organizations in post-employment security management. The government public institutions perform the worst among all the organizations.

Originality/value

An integration of a conceptual model with HR security controls is an area that is under-researched and under-reported in information security and human resource management literature. Accordingly, this research on HR security management contributes to reducing such a gap and adds to the existing HR security risk management literature. It, thereby, provides an opportunity for researchers to conduct comparative studies between developed and developing nations or to benchmark a specific organization’s HR security management.

Article
Publication date: 9 June 2021

David Asamoah, Dorcas Nuertey, Benjamin Agyei-Owusu and Ishmael Nanaba Acquah

Abstract

Purpose

The study examines organizational security culture as the driver of supply chain security (SCS) practices (information management security, facility management security and human resource security). Additionally, the study examines the minimization of occurrence of supply chain disruption as the outcome of SCS practices.

Design/methodology/approach

A research model grounded on the contingency theory and the dynamic capabilities theory was developed and tested using partial least squares structural equation modelling (PLS-SEM). Data was obtained from 110 manufacturing and service firms in Ghana.

Findings

It was revealed that organizational security culture has a positive and a significant impact on information management security, facility management security and human resource security as hypothesized. In addition, facility management security significantly minimized supply chain disruption occurrence as hypothesized but information management security and human resource security did not.

Originality/value

To the best of the researchers' knowledge, this is the first study that examines organizational security culture as the driver of SCS practices. Additionally, the study is novel in examining the interplay between organizational security culture, SCS practices and supply chain disruption.

Details

International Journal of Quality & Reliability Management, vol. 39 no. 4
Type: Research Article
ISSN: 0265-671X

Details

Environmental Security in Greece
Type: Book
ISBN: 978-1-80071-360-4

Article
Publication date: 10 July 2017

Erastus Karanja

Abstract

Purpose

The aim of this study is to advance research on the position of the CISO by investigating the role that CISOs play before and after an IT security breach. There is a dearth of academic research literature on the role of a chief information security officer (CISO) in the management of Information Technology (IT) security. The limited research literature exists despite the increasing number and complexity of IT security breaches that lead to significant erosions in business value.

Design/methodology/approach

The study makes use of content analysis and agency theory to explore a sample of US firms that experienced IT security breaches between 2009 and 2015 and how these firms reacted to the IT security breaches.

Findings

The results indicate that following the IT security breaches, a number of the impacted firms adopted a reactive plan that entailed a re-organization of the existing IT security strategy and the hiring of a CISO. Also, there is no consensus on the CISO reporting structure since most of the firms that hired a CISO for the first time had the CISO report either to the Chief Executive Officer or Chief Information Officer.

Research limitations/implications

The findings will inform researchers, IT educators and industry practitioners on the roles of CISOs as well as advance research on how to mitigate IT security vulnerabilities.

Originality/value

The need for research that advances an understanding of how to effectively manage the security of IT resources is timely and is driven by the growing frequency and sophistication of the IT security breaches as well as the significant direct and indirect costs incurred by both the affected firms and their stakeholders.

Details

Information & Computer Security, vol. 25 no. 3
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 16 February 2022

Marjolein Lips-Wiersma, Jarrod Haar and Helena D. Cooper–Thomas

Abstract

Purpose

Using conservation of resources as a theoretical lens, the paper aims to investigate distinct objective meaningful work (OMW) and subjective meaningful work (SMW) domains as resources that contribute to wellbeing.

Design/methodology/approach

A cross-sectional questionnaire was conducted with 879 employees, measuring OMW resources (job security and autonomy), SMW using the well-validated multidimensional Comprehensive Meaningful Work Scale (CMWS) focusing on five dimensions (integrity with self, expressing full potential, unity with others, service to others and balancing tensions), and three wellbeing outcomes (positive affect, negative affect and job stress). The authors conducted structural equation modeling, mediation analysis with PROCESS macro including bootstrapping, and dominance analysis, to identify the core relationships between OMW and SMW dimensions and three wellbeing constructs.

Findings

OMW resources are largely beneficially related to SMW dimensions; both OMW and SMW resources are mostly beneficially related to wellbeing outcomes; and the overall associations of OMW with the three wellbeing constructs are partially mediated by SMW. The dominance analyses of SMW with wellbeing show expressing full potential is the most important predictor of positive affect, and integrity with self is the most important (negatively related) predictor of negative affect and job stress.

Practical implications

Our research, in pulling apart the different dimensions of MW, shows that to enhance wellbeing, HR professionals should not just pay attention to practices that support self-transcendent MW but also those that support the self. When not balanced, MW can lead to a loss of wellbeing.

Originality/value

The findings highlight that (1) while the current MW literature places a lot of emphasis on SMW, OMW remains an important consideration, and (2) while the MW literature often focuses on self-transcendent meanings, such as making a difference, the self-oriented dimensions of SMW are more dominant toward wellbeing. This is valuable to employees, managers, and HR professionals considering how to improve MW and wellbeing.

Details

Personnel Review, vol. 52 no. 1
Type: Research Article
ISSN: 0048-3486

Article
Publication date: 29 July 2022

Kristina Gyllensten, Marianne Törner and Anders Pousette

Abstract

Purpose

The purpose of this paper is to investigate the relations among job resources, value conflicts, information security climate and information security behaviour in the nuclear industry.

Design/methodology/approach

Longitudinal questionnaire data on information security climate and psychosocial working conditions were collected from two organisations in Sweden (response rate 62% and 59%, respectively).

Findings

A high occurrence of value conflicts decreased the participative information security behaviour, while psychosocial job resources and high job demands had positive effects on such behaviour. High rule-compliant information security behaviour led to fewer perceived value conflicts. When job resources were high, high job demands had a positive effect on rule compliance. Information security climate had a strong and positive cross-sectional relationship with information security behaviour but no longitudinal influence on behaviour. This suggests that the time interval, one year between measurements, may have been too long and events between measurements may have masked the causal process.

Originality/value

As one of very few longitudinal studies of information security, this study illuminated causal relationships regarding information security behaviour that have not been possible to identify in previous cross-sectional research. This enables better understanding of psychosocial phenomena and processes of importance for information security. This study does not provide conclusive results but indicates new important directions for research.

Details

Information & Computer Security, vol. 31 no. 1
Type: Research Article
ISSN: 2056-4961
