Employee Information Security Research Articles

A field experiment on ISP training designs for enhancing employee information security compliance

ABSTRACT Information security policy (ISP) training plays an important role in enhancing organisational resilience against cyber threats by providing employees with the necessary knowledge and skills to effectively identify, prevent, and respond to security breaches. This research aims to explore how the use of deterrence arguments and threat arguments can enhance the effectiveness of ISP training. We theorise how ISP training affects employees’ ISP compliance behaviour by arguing for a transfer of training lens to study the effectiveness of ISP training. The results of our field experiment with triangulated data suggest that the effect of argumentative-enhanced ISP training is twofold. First, employees who participated in enhanced training sessions with deterrence and threat arguments demonstrated superior training outputs after the training, which, in turn, translated into a sustained training outcome three weeks after the training. Second, we also find evidence that threat arguments can reinforce the application of training outputs in the maintenance stage of learned behaviours. With this applied research study, we contribute to the research and practice by providing empirical evidence of the effectiveness of ISP training designs.

The security environment in Indian commercial banks: an employee's information security behaviour perspective

The security environment in Indian commercial banks: an employee's information security behaviour perspective

Measurement of Employee Information Security Awareness: A Case Study of National Civil Service Agency

National Civil Service Agency is a State institution tasked with the role and function of overseeing and implementing national civil servant management using information technology. There are 4.2 million civil servant data distributed throughout Indonesia that must be safeguarded by BKN. As the utilization of information systems grows, it also leads to an increase in information security risks. Based on the reports from Id-SIRTII/CC and BKN's internal report, there has been an increase in cyber attacks targeting BKN. In addition, there are other types of attacks that occur, such as online defacement, phishing, DDOS, and employee data theft, as well as the presence of employees who are still indifferent to information security. Based on this, the objective of this research is to measure the level of information security awareness among BKN employees and identify the factors that influence it. The Human Aspects of Information Security Questionnaire (HAIS-Q) using the Knowledge, Attitude, and Behavior (KAB) model was selected for measurement, with an additional focus on the Management of Information Systems/Technology Assets, consisting of a total of 75 statements. The quantitative measurements conducted yielded a result of 88.80% for the level of information security awareness among BKN employees, categorized as good. Furthermore, there is a significant influence on information security awareness from the dimensions of knowledge towards attitude, attitude towards behavior, and knowledge towards behavior.

Research Review on Measuring Information Security Awareness

One of the factors that contributes to unauthorized parties releasing confidential company information, including employee personal information, is a lack of awareness of employee information security. This is a critical concern that needs to be addressed immediately by strengthening the company's information security culture and raising employee awareness of security. To enhance the clarity and emphasis of the reform policy, it is crucial to evaluate employee awareness of information security. This paper discusses several approaches that have been employed, either as models or frameworks, to evaluate an organization's level of information security awareness. With the aid of inclusion and exclusion criteria, we chose 16 papers out of the 842 that were included in the systematic literature review. Three components are commonly used to assess information security awareness: knowledge (what is already known), attitude (what is thought to be appropriate to do), and habit (what is usually done). Measurements that encompass these three aspects employ the Knowledge, Attitude, and Behavior (KAB) paradigm. This study might be a reference for organizations to measure their employees’ security awareness. Several findings are also discussed in this paper.

The role of ethical climates in employee information security policy violations

In the context of information security, the organizational social environment plays an important role in deterring employee violations of the Information Security Policy (ISP). As extant research has not yet determined the role ethical climates may play, this study seeks to understand their influence on employee ISP violations. To this end, we classified ISPs into two major categories: those related to communal information technology (IT) resources in the organization, such as databases or software applications, and those related to connective IT resources, such as email or Internet access. Then, we explored how rules-, performance-, and friendship-oriented organizational ethical climates affect ISP violations. Based on a survey of 177 professionals employed in the United States, we found that rules-oriented and friendship-oriented ethical climates deter ISP violations, whereas a performance-oriented one does not. Moreover, rules- and friendship-oriented ethical climates lead to fewer communal ISP violations, while performance-oriented ethical climates lead to more connectivity ISP violations. These findings underscore the importance of considering the type of IT resources that an ISP aims to protect as well as the ethical climate of an organization in order to better understand the causes of ISP violations.

The influence of organizational values on employee attitude and information security behavior: the mediating role of psychological capital

PurposeWith increased remote working, employers are concerned with employees’ commitment and compliance with security procedures. Through the lens of psychological capital, this study aims to investigate whether strong organizational values can improve employees’ commitment to the organization and security behaviors.Design/methodology/approachUsing Qualtrics platform, the authors conducted an online survey. The survey participants are college-educated, full-time employees. The authors used structural equation modeling to analyze 289 responses.FindingsThe results indicate perceived importance of organizational values is associated with increased organizational commitment and information security behavior. The authors find that psychological capital partially mediates these relations suggesting that employees’ psychological capital effectively directs employees toward an affinity for the organization and information security behavior. The results highlight the importance of organizational values for improving security behavior and organizational commitment. Second, the results suggest that psychological capital is an effective mechanism for this influence. Finally, the authors find that individual differences (gender, organizational level and education) are boundary conditions on their findings, providing a nuanced view of their results and offering opportunities for further investigation.Originality/valueTo the best of the authors’ knowledge, this study is the first to explore organizational values in relation to information security behaviors. In addition, this study investigates the underlying mechanism of this relationship by showing psychological capital’s mediating role in this relationship. Therefore, the authors suggest organizations create a supportive environment that appreciates innovation, quality services, diversity and collaboration. Furthermore, organizations should communicate the importance of these values to their employees to motivate them to have a stronger affective commitment and a more careful set of security behaviors.

An Empirical Examination of Employee Information Security Advice Sharing

ABSTRACT In today’s business world, information security is a top strategic issue. The security issues faced by organizations are complex and addressing them can be expensive. Key findings from previous research suggest that informal methods of enhancing employees’ security awareness are effective and inexpensive. This study builds on previous research and introduces seven hypotheses related to informal security advice sharing in organizations. The model was tested on 334 currently employed technology-using professionals in security conscious organizations. The results indicated that employees’ attitudes, perception of security climate, and perceptions about accountability affected their sharing of security advice. Their desire to earn a reputation was more pronounced with high self-efficacy. The direct association of desire to earn reputation and self-efficacy toward security advice sharing was not supported by data. These findings suggest that higher self-efficacy employees motivated to earn a reputation will likely facilitate the information security advice sharing process in a workplace.

COVID-19 pandemic-induced organisational cultural shifts and employee information security compliance behaviour: a South African case study

PurposeThe purpose of this preliminary empirical research study is to understand how environmental disruption such as brought on by the COVID-19 pandemic induces shifts in organisational culture, information security culture and subsequently employee information security compliance behaviour.Design/methodology/approachA single-organisation case study was used to develop understanding from direct experiences of organisational life. Both quantitative and qualitative data were collected using a sequential mixed methods approach, with the qualitative phase following the quantitative to achieve complementarity and completeness in analysis. For the quantitative phase, 48 useful responses were received after a questionnaire was sent to all 150–200 employees. For the qualitative phase, eight semi-structured interviews were conducted. Statistical software was used to analyse the quantitative data and NVivo software was used to analyse the qualitative data.FindingsThe pandemic-induced environmental disruption manifested as a sudden shift to work-from-home for employees, and relatedly an increase in cybercrime. The organisational response to this gave rise to shifts in both organisational and information security culture towards greater control (rule and goal orientations) and greater flexibility (support and innovation orientations), most significantly with information security culture flexibility. The net effect was an increase in employee information security compliance.Originality/valueThe vast literature on organisational culture and information security culture was drawn on to theoretically anchor and develop parsimonious measures of information security culture. Environmental disruptions such as those caused by the pandemic are unpredictable and their effects uncertain, hence, the study provides insight into the consequences of such disruption on information security in organisations.

A Framework for Analyzing and Improving ISP Compliance

ABSTRACT Even though abundant research has been done on the factors that may impact employee information security policy (ISP) compliance intention, the results are mixed. To more fully capture the dimensions which may influence employee ISP compliance, this paper introduces a framework that is based on the synthesis of the theories of motivation and behavior. The framework was tested with survey data. Key findings of the study are 1) employee ISP compliance intention is influenced by factors involving four distinct dimensions of action: awareness, motivation, capability, and organizational culture; and 2) The factors from the capability and organizational culture dimension may significantly moderate the strength of the relationship between motivation and ISP compliance intention. The implications of the study regarding the theoretical and practical contributions of this study are discussed.

Employee Information Security Awareness in the Power Generation Sector of PT ABC

Employee Information Security Awareness in the Power Generation Sector of PT ABC

Personality and Employees’ Information Security Behavior Among Generational Cohorts

The Big Five Factors Model (FFM) of personality traits theory was tested for its ability to explain employee information security behavior (EISB), when age, measured by generational cohort (GCOHORT), moderated the relationship between the independent variables (IVs) extraversion, agreeableness, conscientiousness, emotional stability, intellect (EACESI) and the dependent variable (DV), employees’ information security behavior (EISB) which is measured by file protection behavior (FPB). Three age groups defined GCOHORT: 52–70 years old (1946–1964, Baby Boomers), 36–51 yrs. old (1965–1980, Generation X), and 18– 35 yrs. Old (1981–1998, Millennial). Results of hierarchical multiple regressions analyses revealed statistically significant relationships between overall personality traits, four individual factors of personality traits, and the DV (p < .05). However, contrary to expectations, GCOHORT did not moderate the relationship between any of the main IVs and the DV (p > .05). Recommendations for future research are offered.

Simulation of the role of emphasis on scheduling in the optimal incentive scheme for marine engineering employee's routine job and information security compliance

In the organizational context of marine engineering, employee individual often prefers to concentrate herself to the day-to-day routine job, but to shirk the responsibilities of the Information Security Policies (ISPs) compliance, after she has been delegated by the employer to perform the two different tasks in the same time period. This would lead to negative influences on the security of marine information systems and the employee's routine job performance. In view of the task structures of employee's routine job and marine ISPs compliance, the variables of emphasis on scheduling are incorporated into a multi-task principal-agent model to explore the optimal incentive scheme to motivate and control the employees to select appropriate effort levels for conducting the two highly structured tasks. The role of emphasis on scheduling on the incentive intensities for the two tasks have been clarified through modeling and simulation, and the corresponding incentive tactics are suggested. The new two-task incentive scheme is expected to provide useful insight for understanding and controlling marine engineering employee's routine job and ISPs compliance behavior.

Ethical leadership and employee information security policy (ISP) violation: exploring dual-mediation paths

PurposeA growing number of studies have investigated the effect of ethical leadership on behavioral outcome of employees. However, considering the important role of ethics in IS security, the security literature lacks a theoretical and empirical investigation of the relationship between ethical leadership and employees' security behavior, such as information security policy (ISP) violation. Drawing on social learning and social exchange theories, this paper empirically tests the impact of ethical leadership on employees' ISP violation intention through both information security climate (i.e. from a moral manager's perspective) and affective commitment (i.e. from a moral person's perspective).Design/methodology/approachThe research was developed based on social learning theory and social exchange theory. To measure the variables in the model, the authors used and adapted measurement items from previous studies. The authors conducted a scenario-based survey with 339 valid responses to test and validate the research model.FindingsResults indicated that information security climate fully mediates the relationship between ethical leadership and ISP violation intention. The authors also found that information security climate enhances the negative effect of affective commitment on ISP violation intention.Originality/valueThis research contributes to the literature of information security by introducing the role of ethical leadership and integrating two theories into our research model. This study also calls attention to how information security climate and affective commitment mediate the relationship between ethical leadership and employees' ISP violation intention. The theory-driven study provides important pragmatic guidance for enhancing the understanding of the importance of ethical leadership in information systems security research.

Understanding Employee Information Security Policy Compliance from Role Theory Perspective

ABSTRACT Previous research indicated security-related stress at the workplace accounts for employee non-compliant behavior with information security policy (ISP). Drawing on the role theory, we investigate stress rooted in employee job role expectations arising from role-ambiguity, role-conflict, and role-overload known as role-stressors. These role-stressors cause employees to endeavor to perform their role tasks and, in turn, provide favorable situations for them to neglect ISP requirements. Using a survey of 350 employees, we found a combination of role-stressors contributes to employees’ ISP violations. Furthermore, we posit that this relationship is partially mediated by organizational commitment. Also, we examined the effect of one mitigating factor: organizational support. However, a statistically significant mitigation effect of organizational support was not found on the relationship between role stress and intention toward ISP compliant behavior. This paper contributes to the behavioral information security literature by demonstrating the importance of role-stressors on employees’ security-related behaviors.

Narrative review: Social media use by employees and the risk to institutional and personal information security compliance in South Africa

Social media platforms have become essential to organisations in developing countries as they can offer a business advantage. This comes with security risks and privacy concerns as numerous scientific literatures have testified. Although the majority of employees are using social media privately and at the workplace (using the same device such as a smartphone), some organisations have not effectively established information security awareness programmes to protect their electronic information backbone. It is a fact that professional hackers are prowling constantly to gain access to systems of organisations and sometimes employees make naïve mistakes that can open the door to cyberattacks, which exploit vulnerabilities in the organisation’s system. The current Coronavirus Disease 2019 (COVID-19) crisis is a prime example where employees and students are encouraged to work from home. No organisation does have complete control over the security measures each employee has in place for his or her private connection. This study applied a desktop review to identify the cyber risks associated with social media use at the workplace. A scoping literature review gathered the data following a qualitative approach. The theories of reasoned action and deterrence were used as a theoretical foundation for the study. A model is proposed to enhance employee information security compliance when using social media at the workplace and demonstrates how awareness strategies can be employed to improve employee information security compliance. It is recommended that organisations implement methods to minimise social media risks to ensure that the integrity of information is preserved through these awareness programmes to employees.

Personality and Employees’ Information Security Behavior among Generational Cohorts

The Big Five Factors Model (FFM) of personality traits theory was tested for its ability to explain employee information security behavior (EISB), when age, measured by generational cohort (GCOHORT), moderated the relationship between the independent variables (IVs) extraversion, agreeableness, conscientiousness, emotional stability, intellect (EACESI) and the dependent variable (DV), employees’ information security behavior (EISB) which is measured by file protection behavior (FPB). Three age groups defined GCOHORT: 52–70 years old (1946–1964, Baby Boomers), 36–51 yrs old (1965–1980, Generation X), and 18– 35 yrs. Old (1981–1998, Millennial). Results of hierarchical multiple regressions analyses revealed statistically significant relationships between overall personality traits, four individual factors of personality traits, and the DV (p < .05). However, contrary to expectations, GCOHORT did not moderate the relationship between any of the main IVs and the DV (p > .05). Recommendations for future research are offered.

Technostress and its influence on employee information security policy compliance

PurposeThis study focuses on unintended negative consequences of IT, called technostress. Given that employees are recognized as a major information security threat, it makes sense to investigate how technostress resulting from employees' constant interaction with IT influences the likelihood of security incidents. Although past research studied the concept of security-related technostress, the effect of IT use itself on employees’ extra-role activities such as security-related behaviors is unanswered. Thus, this paper aims to provide an understanding of the negative impact of technostress on employee information security policy (ISP) compliance.Design/methodology/approachDrawing on technostress literature, this research develops a research model that investigates the effect of technostress on employee intention to violate ISPs. It also extends the dimensionality of technostress construct by adding a new dimension called “techno-unreliability” that shows promising results. The authors use online survey data from a sample of 356 employees who have technology-based professions. We apply the structural equation modeling technique to evaluate the proposed research model.FindingsFindings showed that IT use imposes high-level perceptions of a set of technostress creators, which makes users rationalize their ISP violations and engage in non-compliant behaviors. Further analysis of each dimension of technostress showed that techno-complexity, techno-invasion and techno-insecurity account for higher ISP non-compliant behaviors.Originality/valueThis study provides a new understanding of technostress to the context of information security and emphasizes on its negative impact on employee ISP compliance behaviors.

The influence of organisational culture and information security culture on employee compliance behaviour

PurposeOrganisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.Design/methodology/approachA theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.FindingsOrganisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.Practical implicationsControl-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.Originality/valueThis research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.

Digital transformation risk management in forensic science laboratories

Technological advances are changing how forensic laboratories operate in all forensic disciplines, not only digital. Computers support workflow management, enable evidence analysis (physical and digital), and new technology enables previously unavailable forensic capabilities. Used properly, the integration of digital systems supports greater efficiency and reproducibility, and drives digital transformation of forensic laboratories. However, without the necessary preparations, these digital transformations can undermine the core principles and processes of forensic laboratories. Pertinent examples of problems involving technology that have occurred in laboratories are provided, along with opportunities and risk mitigation strategies, based on the authors’ experiences. Forensic preparedness concentrating on digital data reduces the cost and operational disruption of responding to various kinds of problems, including misplaced exhibits, allegations of employee misconduct, disclosure requirements, and information security breaches. This work presents recommendations to help forensic laboratories prepare for and manage these risks, to use technology effectively, and ultimately strengthen forensic science. The importance of involving digital forensic expertise in risk management of digital transformations in laboratories is emphasized. Forensic laboratories that do not adopt forensic digital preparedness will produce results based on digital data and processes that cannot be verified independently, leaving them vulnerable to challenge. The recommendations in this work could enhance international standards such as ISO/IEC 17025 used to assess and accredit laboratories.

Information security awareness in a developing country context: insights from the government sector in Saudi Arabia

PurposeThe purpose of this paper is to increase understanding of employee information security awareness in a government sector setting and illuminate the problems that public sector organisations in a developing context face when seeking to establish an information security awareness programme.Design/methodology/approachAn interpretive research design was followed to develop an empirically enriched understanding of information security awareness perceptions, aspirations, challenges and enablers in the context of Saudi Arabia as a developing country. The study adopts a single-case study approach, including face-to-face interviews with senior employees, as well as document analysis.FindingsThe paper theorises the importance of individual information security awareness, knowledge and behaviour and identifies a number of facilitating conditions: customisation to employee and organisational needs, interactivity, innovation, frequency, integration of both electronic and physical learning resources and rewarding the acquisition of in-depth security-related actionable knowledge.Originality/valueThis study is one of the first to examine information security awareness as a socio-technical process within a government sector organisation in a developing country context.