Information Security Behavior Research Articles

A students’ behaviors in information security: Extension of Protection Motivation Theory (PMT)

ABSTRACT This study investigates information security behaviors among university students, focusing on the interplay of psychological and social factors influencing their behavioral intentions and actions. By integrating the Theory of Planned Behavior, Protection Motivation Theory, and General Deterrence Theory, the research offers a comprehensive understanding of factors such as self-efficacy, perceived risk vulnerability, response cost, and response efficacy. Utilizing structural equation modeling (SEM) and Necessary Condition Analysis (NCA), the study assesses the impact of these factors on students’ information security practices. Measurement items were developed based on recent empirical studies, ensuring relevance to the contemporary digital environment. The findings reveal significant associations between these factors and students’ security behaviors, providing insights into effective strategies for promoting information security awareness and practices. This research contributes to the academic discourse on digital security behaviors and offers practical implications for enhancing information security measures within university settings.

Factors Influencing Employees’ Information Security Behavior in the Telework Environment: An Empirical Study of the Philippines

Factors Influencing Employees’ Information Security Behavior in the Telework Environment: An Empirical Study of the Philippines

Technostress and Information Security Behavior Beyond Compliance: A Work-life Resource Perspective

Technostress and Information Security Behavior Beyond Compliance: A Work-life Resource Perspective

Expressing opinions about information security in an organization: the spiral of silence theory perspective

Purpose Expressing views on organizational information security (IS) by employees is vital for improving security processes, policies and trainings, while non-communication may conceal the true state of the human factor of IS and lead to security breaches. The purpose of this paper is to introduce the concept of opinion expressing about organizational IS, provide an explanatory model based on the theory of spiral of silence and offer its empirical validation. Design/methodology/approach Data from a web-based survey among the employees of one the universities in the European Union (n = 504) was analyzed with regression analysis to investigate the proposed hypotheses. Findings The study reveals that employees with positive opinions about IS will be more willing to share their opinions with coworkers and management. However, when employees perceive that their pro-IS opinions are not shared by other coworkers, they will remain silent, which increases the risk of problematic opinions spreading throughout the organization. Research limitations/implications The study highlights the need to focus on the communication perspectives of organizational information security, an area often overlooked in the human factor of information security research. Practical implications The results highlight the need to examine the gap between the dominant climate of opinion about IS in the organization and the display of compliant IS behaviors in order to strengthen IS endeavors. Organizations are encouraged to facilitate open dialogue about IS processes, policies and training and implement mechanisms for considering employees’ feedback in order to improve the organization’s IS. Originality/value The study contributes to a growing body of research that moves beyond viewing employees merely as subjects of compliance, recognizing instead their agency in IS issues that can enhance organizational resilience. To the best of the authors’ knowledge, this is the first study to apply the spiral of silence theory in the IS field, thereby helping to overcome the lack of communication science perspectives in organizational IS research.

Incorrect compliance and correct noncompliance with information security policies: A framework of rule-related information security behaviour

Information security policy (ISP) compliance is recognized as a key measure for dealing with human errors when protecting information. A considerable and growing body of literature has studied the persuasive, deterrent, and coercive antecedents of compliant and noncompliant behaviour. Simultaneously, research indicates that real life situations are too complex and varied to prescribe in terms of a priori rules of acceptable behaviour, and create situations where compliance is in fact harmful for achieving organisational security and business goals. Thus, regarding ISP compliance as inherently “correct” and noncompliance as inherently “incorrect”, may contribute to creating problems that compliance research seeks to alleviate. In this research perspective, we argue that ISP compliance and noncompliance cannot be universally and invariably determined as “correct” or “incorrect” but that they become meaningful only when evaluated against organisational outcomes. We draw on organisational accident theorists to develop our arguments and propose a framework of rule-related information security behaviour (RISB) in order to conceptualize different types of ISP compliant and noncompliant behaviour and their organisational outcomes. Our research argues that compliance and noncompliance are nor inherently correct or incorrect and that making the judgement on the correctness of these actions requires considering the rule, the action, and the outcome.

Promoting Security Behaviors in Remote Work Environments: Personal Values Shaping Information Security Policy Compliance

Organizations worldwide face critical concerns related to cybersecurity threats and information security policy (ISP) compliance. Even though humans are the weakest link in the cybersecurity chain, information security professionals understand the importance of promoting individual information security behaviors because employees are also the first line of defense against ever-increasing cyber threats. Despite a recent trend of working from home, organizations do not make significant differences in their information security interventions for remote workers, relying mainly on VPNs as the only used tool, essentially making employees follow in-office standard information security policies because they are “virtually in-office.” Our study suggests that organizations need to recognize the unique context of remote work and consider personal motivations when shaping information security practices. Furthermore, our study indicates that in order to motivate remote employees to follow secure information security practices, organizations should consider personal characteristics instead of focusing on generic interventions. For instance, our study compares onsite and remote workers, suggesting that personal values are more relevant in remote work settings. Our findings exemplify just one of the many potential personal characteristics to be considered, highlighting how personal values are important motivators for ISP compliance and how they differ for onsite and remote workers in their importance when following information security rules.

Transactions at Your Fingertips: Influential Factors in Information Security Behavior for Mobile Banking Users

Transactions at Your Fingertips: Influential Factors in Information Security Behavior for Mobile Banking Users

Cracking the Code

With the expanding reach of the Internet of Things, information security threats are increasing, including from the very professionals tasked with defending against these threats. This study identified factors impacting information security behavior among these individuals. Protection motivation theory and the theory of planned behavior were employed along with work-related organizational factors as a theoretical framework. Data were collected through a survey of 595 information security professionals working in Saudi information technology companies. Structural equational modeling was used to analyze the data. Threat susceptibility, threat severity, self-efficacy, response cost, fear attitude, behavioral control, subjective norms, and organizational commitment were found to play a significant role in information security protection motivation and behavior, while job satisfaction did not.

"No point worrying" – The role of threat devaluation in information security behavior

Extant information security research is characterized by a focus on problem-focused security behaviours, while overlooking the internal, and emotion-focused coping responses that humans exhibit. Threat devaluation, where severity is downplayed, is an established dimension of risk perception, and yet it has not been considered in information security research to date. We address this gap by developing and empirically testing a research model of how threat and coping factors from Protection Motivation Theory influence both problem-focused and emotion-focused coping responses. Data was collected from 518 users and PLS was used to reveal the determinants of, and the relationship between, problem-focused and emotion-focused coping behaviors. The results demonstrate that threat devaluation is a measurable outcome of all threat and coping appraisals considered, providing evidence that multiple coping strategies may be involved in a security threat situation. We also find that many of the well-established determinants of information security behavior, such as self-efficacy, are significantly related to emotion-focused responses. This has implications for researchers and practitioners who seek to create secure environments where users are more likely to enact constructive and problem-focused security behaviors.

Human factors in remote work: examining cyber hygiene practices

Purpose The purpose of this paper is to investigate the cyber hygiene practices of remote workers. Design/methodology/approach This paper used two instruments: first, the Cyber Hygiene Inventory scale, which measures users’ information and computer security behaviors; second, the Recsem Inventory, developed within this paper’s context, to evaluate the cybersecurity measures adopted by organizations for remote workers. It was conducted on remote workers to examine their information security practices. The instrument was administered to a sample of 442 employees reached via the LinkedIn platform. Analyses were performed with SPSS v26, Python programming language and Seaborn library. Findings The findings indicate a significant correlation between the security measures implemented by companies and their employees’ cyber hygiene practices. A sector comparison revealed a significant difference in cyber hygiene levels between public and private sector workers. Research limitations/implications This paper aims to provide policymakers with suggestions for enhancing the cyber hygiene of remote workers to facilitate compliance with corporate security protocols. Originality/value This paper’s conclusions highlight the importance of companies increasing their cybersecurity investments as remote work becomes more prevalent. This should consider not only corporate-level factors but also employees' information and computer security behaviors.

Using the theory of interpersonal behaviour to explain employees’ cybercrime preventative behaviour during the pandemic

Purpose The COVID-19 pandemic necessitated a significant shift in how employees executed their professional responsibilities. Concurrently, the incidence of cybercrime experienced a noteworthy surge due to the increased utilisation of cyberspace. The abrupt transition to telecommuting altered the interpersonal dynamics inherent in traditional work environments. This paper aims to examine the impact of interpersonal factors on the cybercrime preventative measures adopted by telecommuting employees. Design/methodology/approach A conceptual model, grounded in the Theory of Interpersonal Behaviour, is evaluated through an online survey. The data set comprises responses from 209 employees in South Africa, and the analysis uses partial least squares structural equation modelling. Findings The results reveal substantial predictive power to explain cybercrime preventative behaviours. Notably, the study underscores the significant influence of habit and affect on intention and subsequent behaviour. Practical implications The results suggest that practitioners should give due attention to emotional dimensions (affect) as a catalyst for information security behaviour. The formulation of employees’ information security responsibilities should be pragmatic, fostering subconscious compliance to establish routine behaviour (habit). Originality/value This research underscores the pivotal roles played by habit and emotions in shaping behavioural patterns related to information security. Furthermore, it provides researchers with an illustrative model for operationalising these constructs within the realm of security. The results contribute additional perspectives on the repercussions of the COVID-19 pandemic on cybercrime preventative behaviours.

An Investigation of the Factors That Influence Information Security Culture in Government Organizations in Bhutan

ABSTRACT Organizations make large investments to secure data and networks, but information security breaches as a result of insiders continue to rise. One possible contributor to this is poor information security culture. This study investigated the key factors that contribute to effective information security culture in government organizations in Bhutan and how information security culture influences employee security behavior. A research model was developed for the study based on an analysis of the information security literature. Data was collected using an online survey of 181 government employees. Senior management support, information security policy, training and awareness campaigns, interpersonal trust, and job- versus employee-oriented organizational culture were all found to influence information security culture, and information security culture contributed to information security behavior. The study extends understanding of the roles of trust and different dimensions of organizational culture in improving information security culture and behavior. The findings should help government policy makers and information security practitioners when developing information security strategies and programs.

Evaluating the Influence of Attitude versus Knowledge and Individual Factor versus Intervention Factor on Information Security Awareness in Local Government

Local government as a public organization that typically collects mass amounts of sensitive data is one of the vulnerable and targeted sectors for information security attacks. The human aspect is the most critical but weak link to information security incidents. Among government organizations, local governments usually have more limited human resources either in number and competencies including information security awareness. This study aims to validate the Information Security Awareness (ISA) model for local government, including confirming the influence of knowledge and attitude on information security behavior, evaluating the stronger predictor between knowledge and attitude toward information security behavior, and analyzing the influence of gender (as an individual factor) and training (as an intervention factor) on the information security behavior. Utilizing the HAIS-Q assessment tool, this study collected responses from 704 employees of 68 departments/units under the government of East Java Province, Indonesia. The results suggest that in the local government context, there is a significant direct relationship between Knowledge of information security and information security Behavior and its indirect relationship via Attitude toward information security behavior. However, Attitude toward information security behavior has a stronger effect on Behavior than Knowledge. This study also suggests significant differences in information security behavior between employees who have trained and those who have not, regardless of gender. The proposed model suggests that to improve Information Security Awareness among employees, local government should focus on improving employees’ Attitudes toward information security behavior, either by improving their Knowledge of Information Security via training or their affective attitude toward information security behavior.

The security environment in Indian commercial banks: an employee's information security behaviour perspective

The security environment in Indian commercial banks: an employee's information security behaviour perspective

An exploration of dark and light triad personality traits towards situational crime prevention and compliant information security behaviour

PurposeThis investigation serves a dual purpose: providing preliminary results and serving as a pilot study to confirm the viability of the hypotheses advanced towards a full-scale study. This paper aims to present the preliminary findings of an investigation that explored the constructs of personality traits and situational crime prevention theory (SCPT) as antecedents to social cognitive determinants (attitude, perceived behavioural control and subjective norms using the theory of planned behaviour [TPB] framing) and how these elements subsequently estimate compliant information security behaviour. Moreover, this paper delves into the contrasting influences of light and dark personality traits on insider information security compliance.Design/methodology/approachA cross-sectional survey was conducted to study SCPT measures and the personality factors dyad using a diverse but limited sample (n = 82).FindingsThere were ten significant direct relationships between SCPT factors and personality traits related to the components of the TPB. Seventeen hypotheses were not supported. However, these findings highlight the complexity of the topic under study.Practical implicationsUnderstanding individual differences within the compliance model could be used for custom training protocols, employee selection, assignment and specific types of information security interventions.Originality/valueThere is a scarcity of studies considering the effects of situational and personality factors, specifically the dark versus light triad of personality traits within the information security domain. Therefore, this preliminary result provides early insight that could guide further studies. This research could have important implications for organisations at risk of insider attacks.

Examining the Factors That Influence User Information Security Behavior toward COVID-19 Scams

Amidst the COVID-19 pandemic, cybercriminals have capitalized on the situation and targeted online users. As a result, there has been a surge in the number of complaints related to new types of scams and fraud that have emerged during the pandemic. This study utilizes Protection Motivation Theory (PMT), Cultivation Theory (CT), and other constructs, including fear, attitude, general security awareness, general security orientation, subjective norms, openness, stress, and conscientiousness, to investigate the user information security behavior (ISB) against COVID-19 scams. The study gathered data from 423 internet users through a cross-sectional survey and used Partial Least Square Structural Equation Modeling (PLS-SEM) to test the conceptual framework. The results indicate that stress, government social media, general security awareness, response efficacy, and attitude were all positive determinants of the users’ ISB. The findings also highlight the impact of emotions, such as stress and fear, as well as government social media, on decision-making during a crisis. Additionally, the study found that the combined effects of the two threat appraisal factors on coping behaviors, which are mediated by fear, and the combined effect of the two coping appraisal factors on coping behaviors, which are mediated by attitude, were significant. However, the subjective norms on ISB did not show any variations and surprisingly, the study found that conscientiousness did not moderate the association between attitude and ISB.

BYOA and Security: Examining Perspective-Taking and Self-Determination

ABSTRACT Bring your own applications (BYOA) in organizational networks introduces security risks. We examine whether individuals who BYOA at work are motivated to use multi-factor authentication (MFA) to protect the organization’s security, a practice we describe as bring your own security (BYOS). The behaviors are examined through dual theoretical lenses (a) intrinsic motivation, capturing the personal satisfaction related to the use, and (b) perspective-taking, capturing the user’s ability to consider information security from the organization’s perspective. We analyzed survey data of 154 samples using partial least squares structural equation modeling (PLS-SEM). Our results demonstrate that while the intrinsic motivation path is instrumental in influencing MFA use, perspective-taking offers significant explanatory power to information security behaviors. This article extends the current knowledge of the impact of perspective-taking on voluntary security behavior, which makes a novel and significant contribution to cybersecurity research and practice.

The antecedents of employees' proactive information security behaviour: The perspective of proactive motivation

AbstractOrganisational information security (ISec) protection is undergoing a turbulent shift in the workplace environment. In an environment of ever‐increasing risks of insider threats and external cyberattacks, individual employees are often expected to take the initiative to solve organisational security problems. This study therefore focuses on employees' proactive information security behaviours (ISBs)—behaviours that are self‐initiated, change‐oriented, and future‐focused—and the motivations that compel employees to protect organisational assets. We ground our study in Parker et al. (2010) proactive motivation theory (ProMT) and develop an integrated multilevel model to examine the respective effects of proactive motivational states, that is, can‐do, reason‐to, and energised‐to motivations, on employees' proactive ISBs. We also explore the roles of individual differences and contextual factors—namely, proactive personality and supervisory ISec support—and their influences on proactive motivational states. Data were collected from 210 employees situated in 55 departments distributed among multiple organisations located in China. The results show that supervisory ISec support positively influences employees' proactive motivational states and thereby boosts employees' proactive ISBs. Proactive personality negatively moderates the effect of supervisory ISec support on flexible security role orientation (reason‐to motivation). By identifying the antecedents of employees' proactive ISBs, we make key theoretical contributions to ISec research and valuable practical contributions to organisational ISec management.

Informational inequality: the role of resources and attributes in information security awareness

PurposeThe rapid expansion of internet usage and device connectivity has underscored the importance of understanding the public’s cyber behavior and knowledge. Despite this, there is little research that examines the public’s objective knowledge of secure information security practices. The purpose of this study is to examine how objective cyber awareness is distributed throughout society.Design/methodology/approachThis study draws on a large national survey of adults to examine the relationship between individual factors – such as demographic attributes and socioeconomic resources – and information security awareness. The study estimates several statistical models using weighted logistic regression to model objective information security awareness.FindingsThe results indicate that socioeconomic resources such as income and education have a significant effect on individuals’ information security awareness with richer and more highly educated individuals exhibiting greater awareness of important security practices and tools. Additionally, age and gender represent consistent and clear informational gaps in society as older individuals and females are significantly less knowledgeable about an array of information security practices than younger individuals and males, respectively.Social implicationsThe findings have important implications for our understanding of information security behavior and user vulnerability in an increasingly digital and connected society. Despite the growing importance of cybersecurity for all individuals in nearly all domains of daily life, there is substantial inequality in awareness about secure cyber practices and the tools and techniques used to protect one’s self from attacks. While digital technology will continue to permeate many aspects of daily life – from financial transactions to health services to social interactions – the findings here indicate that some users may be far more exposed and vulnerable to attack than others.Originality/valueThis study contributes to our understanding of general user information security awareness using a large survey and statistical models to generalize about the public’s information security awareness across multiple domains and stimulates future research on public knowledge of information security. The findings indicate that some users may be far more exposed and vulnerable to attack than others. Despite the growing importance of cybersecurity for all individuals in nearly all domains of daily life, there is substantial inequality in awareness about secure cyber practices and the tools and techniques used to protect one’s self from attacks.

Methodological foundations of information security of students at school

The article presents the experience of researching information security issues in modern educational organizations (preschool, general education, professional), which made it possible to conclude that the search for the methodological foundations of this activity in a modern school is relevant. As a methodological basis, the study considers a systematic approach applied to the analysis of objects that have many interrelated elements, united by common functions and goals, management and functioning, and which involves structural and functional modeling of the process of building the information security of school students. The model of organization of this activity is considered, including the target (goal, objectives, principles), content (pedagogical conditions, components of information security behavior as the basis of information security of school students), organizational and technological (the logic of constructing technology stages), control and evaluation (monitoring, evaluation) components. The presented structural and functional model is characterized by reproducibility, provided that the described components and their content are implemented in the presented sequence.