Information Security Behavior Research Articles

Human factors in remote work: examining cyber hygiene practices

Purpose The purpose of this paper is to investigate the cyber hygiene practices of remote workers. Design/methodology/approach This paper used two instruments: first, the Cyber Hygiene Inventory scale, which measures users’ information and computer security behaviors; second, the Recsem Inventory, developed within this paper’s context, to evaluate the cybersecurity measures adopted by organizations for remote workers. It was conducted on remote workers to examine their information security practices. The instrument was administered to a sample of 442 employees reached via the LinkedIn platform. Analyses were performed with SPSS v26, Python programming language and Seaborn library. Findings The findings indicate a significant correlation between the security measures implemented by companies and their employees’ cyber hygiene practices. A sector comparison revealed a significant difference in cyber hygiene levels between public and private sector workers. Research limitations/implications This paper aims to provide policymakers with suggestions for enhancing the cyber hygiene of remote workers to facilitate compliance with corporate security protocols. Originality/value This paper’s conclusions highlight the importance of companies increasing their cybersecurity investments as remote work becomes more prevalent. This should consider not only corporate-level factors but also employees' information and computer security behaviors.

Using the theory of interpersonal behaviour to explain employees’ cybercrime preventative behaviour during the pandemic

Purpose The COVID-19 pandemic necessitated a significant shift in how employees executed their professional responsibilities. Concurrently, the incidence of cybercrime experienced a noteworthy surge due to the increased utilisation of cyberspace. The abrupt transition to telecommuting altered the interpersonal dynamics inherent in traditional work environments. This paper aims to examine the impact of interpersonal factors on the cybercrime preventative measures adopted by telecommuting employees. Design/methodology/approach A conceptual model, grounded in the Theory of Interpersonal Behaviour, is evaluated through an online survey. The data set comprises responses from 209 employees in South Africa, and the analysis uses partial least squares structural equation modelling. Findings The results reveal substantial predictive power to explain cybercrime preventative behaviours. Notably, the study underscores the significant influence of habit and affect on intention and subsequent behaviour. Practical implications The results suggest that practitioners should give due attention to emotional dimensions (affect) as a catalyst for information security behaviour. The formulation of employees’ information security responsibilities should be pragmatic, fostering subconscious compliance to establish routine behaviour (habit). Originality/value This research underscores the pivotal roles played by habit and emotions in shaping behavioural patterns related to information security. Furthermore, it provides researchers with an illustrative model for operationalising these constructs within the realm of security. The results contribute additional perspectives on the repercussions of the COVID-19 pandemic on cybercrime preventative behaviours.

An Investigation of the Factors That Influence Information Security Culture in Government Organizations in Bhutan

ABSTRACT Organizations make large investments to secure data and networks, but information security breaches as a result of insiders continue to rise. One possible contributor to this is poor information security culture. This study investigated the key factors that contribute to effective information security culture in government organizations in Bhutan and how information security culture influences employee security behavior. A research model was developed for the study based on an analysis of the information security literature. Data was collected using an online survey of 181 government employees. Senior management support, information security policy, training and awareness campaigns, interpersonal trust, and job- versus employee-oriented organizational culture were all found to influence information security culture, and information security culture contributed to information security behavior. The study extends understanding of the roles of trust and different dimensions of organizational culture in improving information security culture and behavior. The findings should help government policy makers and information security practitioners when developing information security strategies and programs.

Evaluating the Influence of Attitude versus Knowledge and Individual Factor versus Intervention Factor on Information Security Awareness in Local Government

Local government as a public organization that typically collects mass amounts of sensitive data is one of the vulnerable and targeted sectors for information security attacks. The human aspect is the most critical but weak link to information security incidents. Among government organizations, local governments usually have more limited human resources either in number and competencies including information security awareness. This study aims to validate the Information Security Awareness (ISA) model for local government, including confirming the influence of knowledge and attitude on information security behavior, evaluating the stronger predictor between knowledge and attitude toward information security behavior, and analyzing the influence of gender (as an individual factor) and training (as an intervention factor) on the information security behavior. Utilizing the HAIS-Q assessment tool, this study collected responses from 704 employees of 68 departments/units under the government of East Java Province, Indonesia. The results suggest that in the local government context, there is a significant direct relationship between Knowledge of information security and information security Behavior and its indirect relationship via Attitude toward information security behavior. However, Attitude toward information security behavior has a stronger effect on Behavior than Knowledge. This study also suggests significant differences in information security behavior between employees who have trained and those who have not, regardless of gender. The proposed model suggests that to improve Information Security Awareness among employees, local government should focus on improving employees’ Attitudes toward information security behavior, either by improving their Knowledge of Information Security via training or their affective attitude toward information security behavior.

An exploration of dark and light triad personality traits towards situational crime prevention and compliant information security behaviour

Purpose This investigation serves a dual purpose: providing preliminary results and serving as a pilot study to confirm the viability of the hypotheses advanced towards a full-scale study. This paper aims to present the preliminary findings of an investigation that explored the constructs of personality traits and situational crime prevention theory (SCPT) as antecedents to social cognitive determinants (attitude, perceived behavioural control and subjective norms using the theory of planned behaviour [TPB] framing) and how these elements subsequently estimate compliant information security behaviour. Moreover, this paper delves into the contrasting influences of light and dark personality traits on insider information security compliance. Design/methodology/approach A cross-sectional survey was conducted to study SCPT measures and the personality factors dyad using a diverse but limited sample (n = 82). Findings There were ten significant direct relationships between SCPT factors and personality traits related to the components of the TPB. Seventeen hypotheses were not supported. However, these findings highlight the complexity of the topic under study. Practical implications Understanding individual differences within the compliance model could be used for custom training protocols, employee selection, assignment and specific types of information security interventions. Originality/value There is a scarcity of studies considering the effects of situational and personality factors, specifically the dark versus light triad of personality traits within the information security domain. Therefore, this preliminary result provides early insight that could guide further studies. This research could have important implications for organisations at risk of insider attacks.

Examining the Factors That Influence User Information Security Behavior toward COVID-19 Scams

Amidst the COVID-19 pandemic, cybercriminals have capitalized on the situation and targeted online users. As a result, there has been a surge in the number of complaints related to new types of scams and fraud that have emerged during the pandemic. This study utilizes Protection Motivation Theory (PMT), Cultivation Theory (CT), and other constructs, including fear, attitude, general security awareness, general security orientation, subjective norms, openness, stress, and conscientiousness, to investigate the user information security behavior (ISB) against COVID-19 scams. The study gathered data from 423 internet users through a cross-sectional survey and used Partial Least Square Structural Equation Modeling (PLS-SEM) to test the conceptual framework. The results indicate that stress, government social media, general security awareness, response efficacy, and attitude were all positive determinants of the users’ ISB. The findings also highlight the impact of emotions, such as stress and fear, as well as government social media, on decision-making during a crisis. Additionally, the study found that the combined effects of the two threat appraisal factors on coping behaviors, which are mediated by fear, and the combined effect of the two coping appraisal factors on coping behaviors, which are mediated by attitude, were significant. However, the subjective norms on ISB did not show any variations and surprisingly, the study found that conscientiousness did not moderate the association between attitude and ISB.

BYOA and Security: Examining Perspective-Taking and Self-Determination

ABSTRACT Bring your own applications (BYOA) in organizational networks introduces security risks. We examine whether individuals who BYOA at work are motivated to use multi-factor authentication (MFA) to protect the organization’s security, a practice we describe as bring your own security (BYOS). The behaviors are examined through dual theoretical lenses (a) intrinsic motivation, capturing the personal satisfaction related to the use, and (b) perspective-taking, capturing the user’s ability to consider information security from the organization’s perspective. We analyzed survey data of 154 samples using partial least squares structural equation modeling (PLS-SEM). Our results demonstrate that while the intrinsic motivation path is instrumental in influencing MFA use, perspective-taking offers significant explanatory power to information security behaviors. This article extends the current knowledge of the impact of perspective-taking on voluntary security behavior, which makes a novel and significant contribution to cybersecurity research and practice.

The antecedents of employees' proactive information security behaviour: The perspective of proactive motivation

AbstractOrganisational information security (ISec) protection is undergoing a turbulent shift in the workplace environment. In an environment of ever‐increasing risks of insider threats and external cyberattacks, individual employees are often expected to take the initiative to solve organisational security problems. This study therefore focuses on employees' proactive information security behaviours (ISBs)—behaviours that are self‐initiated, change‐oriented, and future‐focused—and the motivations that compel employees to protect organisational assets. We ground our study in Parker et al. (2010) proactive motivation theory (ProMT) and develop an integrated multilevel model to examine the respective effects of proactive motivational states, that is, can‐do, reason‐to, and energised‐to motivations, on employees' proactive ISBs. We also explore the roles of individual differences and contextual factors—namely, proactive personality and supervisory ISec support—and their influences on proactive motivational states. Data were collected from 210 employees situated in 55 departments distributed among multiple organisations located in China. The results show that supervisory ISec support positively influences employees' proactive motivational states and thereby boosts employees' proactive ISBs. Proactive personality negatively moderates the effect of supervisory ISec support on flexible security role orientation (reason‐to motivation). By identifying the antecedents of employees' proactive ISBs, we make key theoretical contributions to ISec research and valuable practical contributions to organisational ISec management.

Informational inequality: the role of resources and attributes in information security awareness

PurposeThe rapid expansion of internet usage and device connectivity has underscored the importance of understanding the public’s cyber behavior and knowledge. Despite this, there is little research that examines the public’s objective knowledge of secure information security practices. The purpose of this study is to examine how objective cyber awareness is distributed throughout society.Design/methodology/approachThis study draws on a large national survey of adults to examine the relationship between individual factors – such as demographic attributes and socioeconomic resources – and information security awareness. The study estimates several statistical models using weighted logistic regression to model objective information security awareness.FindingsThe results indicate that socioeconomic resources such as income and education have a significant effect on individuals’ information security awareness with richer and more highly educated individuals exhibiting greater awareness of important security practices and tools. Additionally, age and gender represent consistent and clear informational gaps in society as older individuals and females are significantly less knowledgeable about an array of information security practices than younger individuals and males, respectively.Social implicationsThe findings have important implications for our understanding of information security behavior and user vulnerability in an increasingly digital and connected society. Despite the growing importance of cybersecurity for all individuals in nearly all domains of daily life, there is substantial inequality in awareness about secure cyber practices and the tools and techniques used to protect one’s self from attacks. While digital technology will continue to permeate many aspects of daily life – from financial transactions to health services to social interactions – the findings here indicate that some users may be far more exposed and vulnerable to attack than others.Originality/valueThis study contributes to our understanding of general user information security awareness using a large survey and statistical models to generalize about the public’s information security awareness across multiple domains and stimulates future research on public knowledge of information security. The findings indicate that some users may be far more exposed and vulnerable to attack than others. Despite the growing importance of cybersecurity for all individuals in nearly all domains of daily life, there is substantial inequality in awareness about secure cyber practices and the tools and techniques used to protect one’s self from attacks.

Enforcing Information System Security

Every year brings numerous security breaches that lead to highly destructive ransomware attacks, data leaks, and reputational damage to governments, companies, and other organizations around the world. As a result, there is a growing need to ensure that workers comply with critical policies put in place to avoid such incidents. This study investigated how factors from social bond theory and involvement theory affected compliance with information security policies and procedures. All of the factors examined were found to have a significant influence on attitudes about compliance, and attitude had a significant impact on intention to comply. The findings of this study revealed that it is vital to raise employees' awareness about compliance with security policies by improving their information security behavior. Moreover, all the factors were found to have a significant influence on the attitude of employees towards compliance with their organizational information security policies and procedures.

Demographic Comparison of Information Security Behavior Toward Health Information System Protection: Survey Study.

The health information system (HIS) functions are getting wider with more diverse users. Information security in the health industry is crucial because it involves comprehensive and strategic information that might harm human life. The human factor is one of the biggest security threats to HIS. This study aims to investigate the information security behavior (ISB) of HIS users using a comprehensive assessment scale suited to the information security concerns in health care. Patients are increasingly being asked to submit their own data into HIS systems. As a result, this study examines the security behavior of health workers and patients, as well as their demographic variables. We used a quantitative approach using surveys of health workers and patients. We created a research instrument from 4 existing measurement scales to measure prosecurity and antisecurity behavior. We analyzed statistical differences to test the hypotheses, that is, the Kruskal-Wallis test and the Mann-Whitney test. The descriptive analysis was used to determine whether the group exhibited exemplary behavior when processing the survey results. A correlational test using the Spearman correlation coefficient was performed to establish the significance of the relationship between ISB and age as well as level of education. We analyzed 421 responses from the survey. According to demographic factors, the hypotheses tested for full and partial security behavior reveal substantial differences. Education levels most significantly affect security behavior differences, followed by user type, gender, and age. The health workers' ISB is higher than that of the patients. Women are more likely than men to engage in prosecurity actions while avoiding antisecurity behaviors. The older the HIS user, the more likely it is that they will participate in prosecurity behavior and the less probable it is that they will engage in antisecurity behavior. According to this study, differences in prosecurity behavior are mostly impacted by education level. Higher education, on the other hand, does not guarantee improved ISB for HIS users. All demographic characteristics, particularly concerning user type, show discrepancies that are caused mainly by antisecurity behavior rather than prosecurity behavior. Since patients engage in antisecurity behavior more frequently than health workers and may pose security risks, health care facilities should start to consider information security education for patients. More comprehensive research on ISB in health care facilities is required to better understand the patient's perspective, which is currently understudied.

Nurse Information Security Policy Compliance, Information Competence, and Information Security Attitudes Predict Information Security Behavior.

Nurses' attitudes toward information security can influence the hospital's information resources management and development. This study investigated the relationships between nurses' information security policy compliance, information competence, and information security attitudes, which are factors that influence information security behavior. Data were collected during September 2020. The participants were 200 clinical nurses from a general hospital in Korea. The self-reported questionnaire included questions on nurses' general characteristics, information security policy compliance, information competence, and information security attitudes. Information security policy compliance (r = 0.554, P < .001) and information competence (r = 0.614, P < .001) were positively associated with information security attitudes. Predictors of nurses' information security attitudes were information competence (β = .439), information security policy compliance (β = .343), prior information security-related education (β = .113), and job position (nurse manager; β = .101). Implications for practice include the need for strategies to develop information security policy compliance and information competence to improve information security behavior, including different approaches tailored to nurses' job positions and previous information security education.

Employees' in-role and extra-role information security behaviors from the P-E fit perspective

Organizations are increasingly seeking ways to encourage employee in-role and extra-role information security (InfoSec) behaviors for enhancing organizational InfoSec. One important consideration is the InfoSec congruence between the person and the organizational environment. Accordingly, drawing on person–environment (P–E) fit theory, we conducted an empirical investigation that examined (1) the effect of key components in organizational InfoSec management practice on InfoSec value P–E fit, and (2) the role of InfoSec value P–E fit on employees’ InfoSec in-role and extra-role behaviors in the organization. The results suggest that three practices—InfoSec policies; security education, training, and awareness programs; and computer monitoring—cultivate InfoSec value P–E fit, leading to an increase in employees’ InfoSec in-role and extra-role behaviors.

THE RELATIONSHIP BETWEEN THE CHARACTERISTICS OF SOFTWARE DEVELOPERS AND SECURITY BEHAVIOR INTENTION

Software security is integral to information security, requiring software developers to be aware of software security as implementers and information security as employees. Little is known about the impact of software developers’ characteristics on their information security behaviors. This study examined the relationship between software developer characteristics such as their application security awareness (AW), training, and self-efficacy (SE) and their information security behavior intention (SeBI). Data from a survey of 200 software developers in the United States were analyzed using correlational statistical methods. AW and SE positively correlated with SeBI, while application security training did not correlate. Developers’ AW and SeBI mean score was found to be poor. Information security managers should aim to improve software developers’ application security awareness and self-efficacy to help improve their information security behavior. Application security training infused with information security awareness and conducted by application security experts is recommended.

The influence of organizational values on employee attitude and information security behavior: the mediating role of psychological capital

PurposeWith increased remote working, employers are concerned with employees’ commitment and compliance with security procedures. Through the lens of psychological capital, this study aims to investigate whether strong organizational values can improve employees’ commitment to the organization and security behaviors.Design/methodology/approachUsing Qualtrics platform, the authors conducted an online survey. The survey participants are college-educated, full-time employees. The authors used structural equation modeling to analyze 289 responses.FindingsThe results indicate perceived importance of organizational values is associated with increased organizational commitment and information security behavior. The authors find that psychological capital partially mediates these relations suggesting that employees’ psychological capital effectively directs employees toward an affinity for the organization and information security behavior. The results highlight the importance of organizational values for improving security behavior and organizational commitment. Second, the results suggest that psychological capital is an effective mechanism for this influence. Finally, the authors find that individual differences (gender, organizational level and education) are boundary conditions on their findings, providing a nuanced view of their results and offering opportunities for further investigation.Originality/valueTo the best of the authors’ knowledge, this study is the first to explore organizational values in relation to information security behaviors. In addition, this study investigates the underlying mechanism of this relationship by showing psychological capital’s mediating role in this relationship. Therefore, the authors suggest organizations create a supportive environment that appreciates innovation, quality services, diversity and collaboration. Furthermore, organizations should communicate the importance of these values to their employees to motivate them to have a stronger affective commitment and a more careful set of security behaviors.

Digital Workplaces and Information Security Behavior of Business Employees: An Empirical Study of Saudi Arabia

In the post pandemic era, the telecommuting of business employees has widely become acceptable in organizations, which demands extensive dependence on digital technologies. In addition, this poses additional security threats for business employees as well as organizations. In order to better respond to security threats, business employees must have a higher level of awareness of the potential threats that are relevant to digital infrastructure used within the workplace. In this paper, we present a quantitative study conducted in line with the theory of planned behavior to gain insight into employee behavior toward information security within different business sectors in Saudi Arabia. The key factors chosen for our model were password management, infrastructure security management, email management, organizational security policy, organizational support and training, and the perception of the level of security. We have applied structured equation modelling to identify most of the relevant factors based on the respondents’ feedback. The results based on the business employee behavior showed that they respondents did not perceive all of the constructs of our model as relevant security factors, which can potentially result in security lapses. This indicates that more security-related measures should be put in place and that business employees should be updated periodically about potential security threats. To this effect, we divided the studied security measures into those which should be implemented at organizational and individual levels. The results will potentially help business managers to design appropriate security trainings, guidelines, and policies for their employees to ensure more information security awareness and protect their technological infrastructure, especially within home office environments.

Differences in Information Security Behavior of Smartphone Users in Indonesia Using Pearson’s Chi-square and Post Hoc Test

The risk of data theft is still a negative impact of smartphone technology development that harms its users. One cause of data theft is information security behavior. Therefore, this study was conducted to determine information security behavior and its differences among smartphone users in Indonesia based on the demographic variables (i.e., gender, generation, educational background, and operating system) and four approaches, namely Avoiding Harmful Behavior, Settings, and Add-on Utilities, Preventive Behavior, and Disaster/Data Recovery. The data obtained from 400 respondents were processed using Pearson's chi-square and post hoc tests. The results showed that there are significant differences between the demographic variables and approaches. It was revealed that men behave better than women in terms of adopting settings and add-on utilities, preventive behavior, and disaster/data recovery. On the other hand, men tend to have riskier behavior than women in avoiding harmful behavior. Based on generation, it was found that Generation Z exhibits more secure behavior than Generation Y in terms of settings and add-on utilities regarding remote device locking. Meanwhile, Generation Z has better behavior than Generations X and Y in preventive behavior as they uninstall/remove unused applications. Furthermore, undergraduate users behave better than high schoolers in avoiding harmful behaviors such as sharing PIN/passwords. Lastly, iOS users were found to have better data recovery behavior than Android users in automatically backing up data in the cloud. These results can be considered when designing security education, training, and awareness programs to improve information security.

Examining the effect of different knowledge aspects on information security awareness

PurposeThe purpose of this paper is to identify the different aspects of knowledge and how they associate with information security awareness (ISA). The paper also explores how ISA differs based on demographic characteristics.Design/methodology/approachSurvey data was collected from 609 respondents in Malaysia.FindingsThe results show that increasing access to informal, multimedia learning mediums, declarative, schematic and strategic knowledge positively impacts an individual's ISA, whereas textual learning medium decreases the ISA. Respondents with different education levels significantly prefer different types of knowledge. Males learn better for ISA with schematic and strategic knowledge compared to females.Practical implicationsThe research provides implications for governments and organizations in designing effective ISA campaigns.Originality/valueStudies show that ISA is crucial in improving information systems policy compliance behavior. The literature has examined various topics ranging from the factors influencing the ISA to how ISA impacts information security behavior. However, there is a lack of study on how different aspects of knowledge impact ISA. This study identified various knowledge aspects from the literature and grouped them into the source, type of knowledge, emotion toward knowledge and learning medium.

Financial information security behavior in online banking

The ubiquitous use of information technology in modern life leads to many problems of financial information security. Such security issues could be due to users’ insecure behaviors during their financial transactions. The purpose of this study was to investigate the university teacher's financial information security behavior (FISB) and to examine the factors that influence their FISB. By using a survey method, the study collected primary data quantitatively. A closed-ended questionnaire based on IMB Model (Information Motivation Behavioral Skills Model) was developed. The population of the study comprised teachers from six faculties of University of the Punjab, Lahore, Pakistan. A simple random sampling technique was used to collect the data from the teachers via a print-format based questionnaire. The structural equation model (SEM) was used to test the proposed model by using ADANCO (2.1). ADANCO is a software that is used for SEM analysis. The results exhibited that a majority of the teachers are frequent users of online banking. The findings confirmed that measures familiarity and self-efficacy have a direct impact on the financial information security behavior of the respondents and self-efficacy mediates the relation between threat awareness and financial information security behavior. The study concludes that online banking users can perform secure behavior during online transactions if they are familiar with security measures and are confident to perform different online banking-related tasks. It is, therefore, suggested that individuals may be familiarized with the financial information security measures so that they may believe in their selves and develop secure financial information behavior. This can be done through awareness seminars and hands-on training by the Federal Investigation Agency in liaison with banks and educational institutions. The present study has contributed to the domain of financial information security behavior in the local context.

How Information Security Management Systems Influence the Healthcare Professionals’ Security Behavior in a Public Hospital in Indonesia

Aim/Purpose: This study analyzes health professionals’ information security behavior (ISB) as health information system (HIS) users concerning associated information security controls and risks established in a public hospital. This work measures ISB using a complete measuring scale and explains the relevant influential factors from the perspectives of Protection Motivation Theory (PMT) and General Deterrence Theory (GDT) Background: Internal users are the primary source of security concerns in hospitals, with malware and social engineering becoming common attack vectors in the health industry. This study focuses on HIS user behavior in developing countries with limited information security policies and resources. Methodology: The research was carried out in three stages. First, a semi-structured interview was conducted with three hospital administrators in charge of HIS implementation to investigate information security controls and threats. Second, a survey of 144 HIS users to determine ISB based on hospital security risk. Third, a semi-structured interview was conducted with 11 HIS users to discuss the elements influencing behavior and current information security implementation. Contribution: This study contributes to ISB practices in hospitals. It discusses how HIS managers could build information security programs to enhance health professionals’ behavior by considering PMT and GDT elements. Findings: According to the findings of this study, the hospital has implemented particular information security management system (ISMS) controls based on international standards, but there is still room for improvement. Insiders are the most prevalent information security dangers discovered, with certain working practices requiring HIS users to disclose passwords with others. The top three most common ISBs HIS users practice include appropriately disposing of printouts, validating link sources, and using a password to unlock the device. Meanwhile, the top three least commonly seen ISBs include transferring sensitive information online, leaving a password in an unsupervised area, and revealing sensitive information via social media. Recommendations for Practitioners: Hospital managers should create work practices that align with information security requirements. HIS managers should provide incentives to improve workers’ perceptions of the benefit of robust information security measures. Recommendation for Researchers: This study suggests more research into the components that influence ISB utilizing diverse theoretical foundations such as Regulatory Focus Theory to compare preventive and promotion motivation to enhance ISB. Impact on Society: This study can potentially improve information security in the healthcare industry, which has substantial risks to human life but still lags behind other vital sector implementations. Future Research: Future research could look into the best content and format for an information security education and training program to promote the behaviors of healthcare professionals that need to be improved based on this ISB measurement and other influential factors.