Sociological aspects of leadership and behavioural compliance with security policies - the role of employees' security awareness in dedicated industry

Abstract

In the digital age, information security is gaining greater importance, especially in dedicated industry. This study investigates the relationship between leadership styles and employees' behaviour compliance with security policies. The aim of the study is to analyze the indirect effect of transformational leadership on employee compliance with security policies, through the benefits of employees' security countermeasure awareness. The HBM model, adapted to dedicated industry, was used. The study involved 300 respondents from four companies. Dependencies between leaders' motivation and employees' awareness of security countermeasure effectiveness were identified. The results indicate key points for improvement, emphasizing continuous education and motivation of leaders in building a security culture, which is essential for success in international trade in precision mechanics.

Similar Papers
  • Research Article
  • Cite count: 3
  • 10.1080/15536548.2017.1418632
Predicting information security policy compliance intentions and behavior for six employee-based risks
  • Jan 29, 2018
  • Journal of Information Privacy and Security
  • Tatyana Ryutov + 3 more

Employees’ non-compliance with organizational information security policies poses a significant threat to organizations. Enhancing our understanding of compliance behavior is crucial for improving security. Although research has identified numerous psychological factors that affect intentions to comply with security policies, how such intentions map onto actual compliance behavior is not well understood. Building on a well-supported model of security policy compliance intentions, we evaluate compliance with each of six types of information security policies using decision vignettes, and compare parameters across models. The study contributes to information security compliance research by examining each risk separately and exploring heterogeneity across risk types.

  • Research Article
  • Cite count: 75
  • 10.3390/app11083383
Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance
  • Apr 9, 2021
  • Applied Sciences
  • Rao Faizan Ali + 4 more

A grave concern to an organization’s information security is employees’ behavior when they do not value information security policy compliance (ISPC). Most ISPC studies evaluate compliance and noncompliance behaviors separately. However, the literature lacks a comprehensive understanding of the factors that transform the employees’ behavior from noncompliance to compliance. Therefore, we conducted a systematic literature review (SLR), highlighting the studies done concerning information security behavior (ISB) towards ISPC in multiple settings: research frameworks, research designs, and research methodologies over the last decade. We found that ISPC research focused more on compliance behaviors than noncompliance behaviors. Value conflicts, security-related stress, and neutralization, among many other factors, provided significant evidence towards noncompliance. At the same time, internal/external and protection motivations proved positively significant towards compliance behaviors. Employees perceive internal and external motivations from their social circle, management behaviors, and organizational culture to adopt security-aware behaviors. Deterrence techniques, management behaviors, culture, and information security awareness play a vital role in transforming employees’ noncompliance into compliance behaviors. This SLR’s motivation is to synthesize the literature on ISPC and ISB, identifying the behavioral transformation process from noncompliance to compliance. This SLR contributes to information system security literature by providing a behavior transformation process model based on the existing ISPC literature.

  • Conference Article
  • 10.5339/qfarc.2016.ictpp2531
Enhancing Information Security Process in Organisations in Qatar
  • Jan 1, 2016
  • Aisha Khalid Al-Hamar

Due to the universal use of technology and its pervasive connection to the world, organisations have become more exposed to frequent and various threats (Rotvold, 2008). Therefore, organisations today are giving more attention to information security as it has become a vital and challenging issue. Mackay (2013) noted that the significance of information security, particularly information security policies and awareness, is growing due to the increasing use of IT and computerization. Accordingly, information security presents a key role in the internet era of technology. Gordon & Loep (2006) stated that information security involves a group of actions intended to protect information and information systems. It involves software, hardware, physical security and human factors, where each element has its own features. Information security not only secures the organisation's security but the complete infrastructure that enables the information's use. Organisations are facing an increase in daily security breach...

  • Research Article
  • Cite count: 9
  • 10.28945/4596
The Effect of Rational Based Beliefs and Awareness on Employee Compliance with Information Security Procedures: A Case Study of a Financial Corporation in Israel
  • Jan 1, 2020
  • Interdisciplinary Journal of Information, Knowledge, and Management
  • Golan Carmi + 1 more

Aim/Purpose: This paper examines the behavior of financial firm employees with regard to information security procedures instituted within their organization. Furthermore, the effect of information security awareness and its importance within a firm is explored. Background: The study focuses on employees’ attitude toward compliance with information security policies (ISP), combined with various norms and personal abilities. Methodology: A self-reported questionnaire was distributed among 202 employees of a large financial Corporation. Contribution: As far as we know, this is the first paper to thoroughly explore employees’ awareness of information system procedures, among financial organizations in Israel, and also the first to develop operative recommendations for these organizations aimed at increasing ISP compliance behavior. The main contribution of this study is that it investigates compliance with information security practices among employees of a defined financial corporation operating under rigid regulatory governance, confidentiality and privacy of data, and stringent requirements for compliance with information security procedures. Findings: Our results indicate that employees’ attitudes, normative beliefs and personal capabilities to comply with firm’s ISP, have positive effects on the firm’s ISP compliance. Also, employees’ general awareness of IS, as well as awareness to ISP within the firm, positively affect employees’ ISP compliance. Recommendations for Practitioners: This study can help information security managers identify the motivating factors for employee behavior to maintain information security procedures, properly channel information security resources, and manage appropriate information security behavior. Recommendation for Researchers: Researchers can see that corporate rewards and sanctions have significant effects on employee security behavior, but other motivational factors also reinforce the ISP’s compliance behavior. 
Distinguishing between types of corporations and organizations is essential to understanding employee compliance with information security procedures. Impact on Society: This study offers another level of understanding of employee behavior with regard to information security in organizations and comprises a significant contribution to the growing knowledge in this area. The research results form an important basis for IS policymakers, culture designers, managers, and those directly responsible for IS in the organization. Future Research: Future work should sample employees from another type of corporation from other fields and should apply qualitative analysis to explore other aspects of behavioral patterns related to the subject matter.

  • Research Article
  • Cite count: 433
  • 10.1111/j.1540-5915.2012.00361.x
Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture*
  • May 28, 2012
  • Decision Sciences
  • Qing Hu + 3 more

We develop an individual behavioral model that integrates the role of top management and organizational culture into the theory of planned behavior in an attempt to better understand how top management can influence security compliance behavior of employees. Using survey data and structural equation modeling, we test hypotheses on the relationships among top management participation, organizational culture, and key determinants of employee compliance with information security policies. We find that top management participation in information security initiatives has significant direct and indirect influences on employees’ attitudes towards, subjective norm of, and perceived behavioral control over compliance with information security policies. We also find that the top management participation strongly influences organizational culture which in turn impacts employees’ attitudes towards and perceived behavioral control over compliance with information security policies. Furthermore, we find that the effects of top management participation and organizational culture on employee behavioral intentions are fully mediated by employee cognitive beliefs about compliance with information security policies. Our findings extend information security research literature by showing how top management can play a proactive role in shaping employee compliance behavior in addition to the deterrence oriented remedies advocated in the extant literature. Our findings also refine the theories about the role of organizational culture in shaping employee compliance behavior. Significant theoretical and practical implications of these findings are discussed.

  • Research Article
  • Cite count: 29
  • 10.1108/jeim-08-2019-0217
The influence of organisational culture and information security culture on employee compliance behaviour
  • Oct 7, 2020
  • Journal of Enterprise Information Management
  • Grant Solomon + 1 more

Purpose: Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture. Design/methodology/approach: A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model. Findings: Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture. Practical implications: Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first. Originality/value: This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.

  • Research Article
  • Cite count: 16
  • 10.1108/ics-12-2017-0097
A framework for reporting and dealing with end-user security policy compliance
  • Feb 11, 2019
  • Information & Computer Security
  • Mutlaq Jalimid Alotaibi + 2 more

Purpose: It is widely acknowledged that non-compliance of employees with information security policies is one of the major challenges facing organisations. This paper aims to propose a model that is intended to provide a comprehensive framework for raising the level of compliance amongst end-users, with the aim of monitoring, measuring and responding to users’ behaviour with an information security policy. Design/methodology/approach: The proposed model is based on two main concepts: a taxonomy of the response strategy to non-compliant behaviour and a compliance points system. The response taxonomy comprises two categories: awareness raising and enforcement of the security policy. The compliance points system is used to reward compliant behaviour and penalise non-compliant behaviour. Findings: A prototype system has been developed to simulate the proposed model and work as a real system that responds to the behaviour of users (reflecting both violations and compliance behaviour). In addition, the model has been evaluated by interviewing experts from academic and industry. They considered the proposed model to offer a novel approach for managing end users’ behaviour with the information security policies. Research limitations/implications: Psychological factors were out of the research scope at this stage. The proposed model may have some psychological impacts upon users; therefore, this issue needs to be considered by studying the potential impacts and the best solutions. Originality/value: Users being compliant with the information security policies of their organisation is the key to strengthen information security. Therefore, when employees have a good level of compliance with security policies, this positively affects the overall security of an organisation.

  • Conference Article
  • Cite count: 13
  • 10.1109/ic3e.2014.7081237
Exploring user's compliance behavior towards Health Information System security policies based on extended Health Belief Model
  • Dec 1, 2014
  • Norshima Humaidi + 2 more

Information security awareness is important among users because it can influence user's behavior towards complying with organization information security policies. Therefore, the current study was conducted to examine information security awareness factors affecting user's compliance behavior towards Health Information System (HIS) security policies based on extended Health Belief Model. The questionnaires were distributed to the respondents at selected public hospitals in Malaysia (N = 454). Statistical results confirm that perceived work experience, perceived severity, perceived benefit, cues to action, self-efficacy and perceived barrier were significant predictors of health information system's security policies compliance behaviour while perceived susceptibility was insignificant. Our findings will prove to be beneficial to fellow researchers and policy makers, especially related to the medical sectors in improving user's behavior toward practicing information security.

  • Conference Article
  • Cite count: 6
  • 10.1109/compsac.2018.10323
Evaluation of the Effectiveness of Risk Assessment and Security Fatigue Visualization Model for Internal E-Crime
  • Jul 1, 2018
  • Takashi Hatashima + 7 more

As the Internet has become ever more important infrastructure, the threat of electronic crime (e-crime) has increased. Thus, to counter threats to information security, many information security solutions have been introduced and security policies have been made stricter. However, the excessive strictness of these policies may lower the security consciousness of employees and cause the security policy to become a dead letter. The feeling caused by following such strict information security policies is called security fatigue. Security fatigue is gaining attention as a research issue; for example, a workshop was held at SOUPS, one of Usable Security's top conferences, and a report by NIST researchers was published. To contribute to this research, we have proposed a security condition matrix to visualize how IT users feel security fatigue with respect to security countermeasures. The security condition matrix is a two-dimensional model, with the security fatigue degree on the vertical axis and the security countermeasure implementation degree on the horizontal axis. By using this matrix, it becomes possible to visualize how dangerous a person is in terms of information security and facilitate security countermeasures in accordance with each condition on the matrix. In this paper, we evaluated the effectiveness of the proposed security fatigue model for internal e-crime.

  • Research Article
  • Cite count: 10
  • 10.2147/prbm.s359277
The Impact of Challenge Information Security Stress on Information Security Policy Compliance: The Mediating Roles of Emotions
  • May 11, 2022
  • Psychology Research and Behavior Management
  • Lin Chen + 3 more

Introduction: Information security policy (ISP) compliance of employees has a profound impact on organization. In the context of information technology innovation and information systems upgrade, employees’ information security behavior is one of the most crucial elements in the information security management of organizations. Based on the two-dimensional model of challenge−hindrance stressor theory and affective events theory, this study explores the mediating effects of emotions on the relationship between challenge information security stress and ISP compliance. Methods: A field quasi-experimental method was used in this study. Materials include the Challenge Information Security Stress Scale, Information System Security Policy Compliance Scale, and Emotions Scale, which were used to form the two-stage questionnaire surveys. Data of 217 employees from three Chinese companies in Shanghai and Beijing that had passed certifications for information security management system (GB/t22080-2008/ISO/IEC 27001:2005) were collected. Bootstrapping method for multiple mediation models and the Process 3.0 plug-in of SPSS 20.0 were used for data analysis. Results: The findings indicate that challenge information security stress has a positive effect on ISP compliance. Challenge information security stress has a positive effect on positive emotions and a negative effect on negative emotions. Positive emotions have mediating effect between challenge information security stress and ISP compliance, but negative emotions have no mediating effect. Conclusion: The research results expand the research scope of challenging stress in the two-dimensional model of challenge−hindrance stressor theory in the context of organizational information security. The findings reveal the mediating effect of positive emotions in challenge information security stress and ISP compliance relationship, which provides empirical support for the application of positive psychology in the field of management.

  • Research Article
  • Cite count: 2
  • 10.14400/jdc.2016.14.7.155
Employees' Information Security Policy Compliance Intention: Applying the Theory of Planned Behavior, Goal-Setting Theory, and Deterrence Theory
  • Jul 28, 2016
  • Journal of Digital Convergence
  • In-Ho Hwang + 1 more

In accordance with the increase of the importance of information security, organizations are making continuous investments to develop policies and adapt technology for information security. Organization should provide systemized support to enhance employees' security compliance intention in order to increase the degree of organization's internal security. This research suggests security policy goal setting and sanction enforcement as a method to improve employees' security compliance in planning and enforcing organization's security policy, and verifies the influencing relationship of Theory of Planned Behavior which explains employee's security compliance intention. We use structural equation modeling to verify the research hypotheses, and conducted a survey on the employees of organization with information security policy. We verified the hypotheses based on 346 responses. The result shows that the degree of goal setting and sanction enforcement has positive influence on self-efficacy and coping efficacy which are antecedents that influence employees' compliance intention. As a result, this research suggested directions for strategic approach for enhancing employee's compliance intention on organization's security policy.

  • Book Chapter
  • Cite count: 12
  • 10.1007/978-3-319-41932-9_17
The Importance of Information Security Awareness for the Success of Business Enterprises
  • Jan 1, 2016
  • Ebru Yildirim

The management of Information Security has become more essential and critical for the success of the enterprises nowadays. Managers need to take many security counter measures in a systematic process. The security policies, breach detection systems, access control systems and anti-virus programs are some of the examples which protect the information from potential threats and risks. The companies need to follow an integrated and holistic management approach. Information security managers have limited resources to handle the security demands properly and on time. As a result, an awareness and training program has an important part for the managers and their staff who need to do their jobs. The security requirements, policies and standards should be defined and implemented systematically and continuously across the enterprise for the management of Information Security.

  • Research Article
  • Cite count: 33
  • 10.1177/1833358317700255
Indirect effect of management support on users' compliance behaviour towards information security policies.
  • Mar 30, 2017
  • Health Information Management Journal
  • Norshima Humaidi + 1 more

Health information systems are innovative products designed to improve the delivery of effective healthcare, but they are also vulnerable to breaches of information security, including unauthorised access, use, disclosure, disruption, modification or destruction, and duplication of passwords. Greater openness and multi-connectedness between heterogeneous stakeholders within health networks increase the security risk. The focus of this research was on the indirect effects of management support (MS) on user compliance behaviour (UCB) towards information security policies (ISPs) among health professionals in selected Malaysian public hospitals. The aim was to identify significant factors and provide a clearer understanding of the nature of compliance behaviour in the health sector environment. Using a survey design and stratified random sampling method, self-administered questionnaires were distributed to 454 healthcare professionals in three hospitals. Drawing on theories of planned behaviour, perceived behavioural control (self-efficacy (SE) and MS components) and the trust factor, an information system security policies compliance model was developed to test three related constructs (MS, SE and perceived trust (PT)) and their relationship to UCB towards ISPs. Results showed a 52.8% variation in UCB through significant factors. Partial least squares structural equation modelling demonstrated that all factors were significant and that MS had an indirect effect on UCB through both PT and SE among respondents to this study. The research model based on the theory of planned behaviour in combination with other human and organisational factors has made a useful contribution towards explaining compliance behaviour in relation to organisational ISPs, with trust being the most significant factor. 
In adopting a multidimensional approach to management-user interactions via multidisciplinary concepts and theories to evaluate the association between the integrated management-user values and the nature of compliance towards ISPs among selected health professionals, this study has made a unique contribution to the literature.

  • Research Article
  • Cite count: 341
  • 10.1176/ps.2006.57.8.1162
Transformational and Transactional Leadership: Association With Attitudes Toward Evidence-Based Practice
  • Aug 1, 2006
  • Psychiatric Services
  • Gregory A Aarons

Leadership in organizations is important in shaping workers' perceptions, responses to organizational change, and acceptance of innovations, such as evidence-based practices. Transformational leadership inspires and motivates followers, whereas transactional leadership is based more on reinforcement and exchanges. Studies have shown that in youth and family service organizations, mental health providers' attitudes toward adopting an evidence-based practice are associated with organizational context and individual provider differences. The purpose of this study was to expand these findings by examining the association between leadership and mental health providers' attitudes toward adopting evidence-based practice. Participants were 303 public-sector mental health service clinicians and case managers from 49 programs who were providing mental health services to children, adolescents, and their families. Data were gathered on providers' characteristics, attitudes toward evidence-based practices, and perceptions of their supervisors' leadership behaviors. Zero-order correlations and multilevel regression analyses were conducted that controlled for effects of service providers' characteristics. Both transformational and transactional leadership were positively associated with providers' having more positive attitudes toward adoption of evidence-based practice, and transformational leadership was negatively associated with providers' perception of difference between the providers' current practice and evidence-based practice. Mental health service organizations may benefit from improving transformational and transactional supervisory leadership skills in preparation for implementing evidence-based practices.

  • Research Article
  • Cite count: 1
  • 10.2139/ssrn.3317498
Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals
  • Jan 1, 2019
  • SSRN Electronic Journal
  • Mohammad Jalali + 3 more

Employees are considered the weakest link in information security; their compliance with security policies has been a major area of research. However, employees click on phishing links even after receiving training. In this study, we explore the factors that influence information security policy compliance, using the theory of planned behavior (TPB) and integrating trust theories. We conduct a survey in hospitals to investigate the components of compliance intention and match employees’ survey results with their actual clicking data from organizational phishing campaigns. Our analysis (N = 430) revealed that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, have positive effects on compliance intention. However, surprisingly, compliance intention does not predict compliance behavior. Of the variables we tested, only the level of employees’ workload shows a significant relationship to their actual behavior. This study contributes to the information systems literature by understanding factors influencing compliance behavior. Also, unlike studies that assess behavior through a questionnaire, our method was able to measure observable compliance behavior using clicking data. Our findings can help organizations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.
