Are Information Security Practices Driven by the Likelihood and potential Impact of Security Events?

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Batra, Gunjan; Saeed, Khawaja; Zafar, Humayun

Abstract: Organizations have opened up various digital interfaces through which customers ... Expand

Abstract: Organizations have opened up various digital interfaces through which customers gain access to online services. Digital interaction between the organization and its customers increases security risks. This study examines how the risk profile of customers defined by their perception of the likelihood and potential impact of a security incident is related to their information security behaviors. We collected data in the context of online banking services to empirically evaluate this research question. The results showed that individuals with low likelihood and high impact perceptions of security incidents had authentication and device security practices significantly higher than that of other groups. Surprisingly, there was no difference in security practices across groups with high likelihood/high impact and low likelihood/low impact perceptions of security incidents. Implications of these results are discussed along with ways we plan to extend this research study. Collapse

Topics: electronic authentication cybersecurity behavior password online banking information security practice

Methods: cluster analysis survey exploratory factor analysis data transformation descriptive statistic

An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

2023 | Information Systems Frontiers | Citations: 0

Authors: Herath, Tejaswini C.; Herath, Hemantha S. B.; Cullum, David

Abstract: As organizations have become increasingly reliant on information systems, senior ... Expand

Abstract: As organizations have become increasingly reliant on information systems, senior managers are keen in assessing the progress of implemented information security strategies. Although the balanced scorecard approach has been suggested for security governance, a critical issue affecting information security practitioners is complexity, as there are many standards and frameworks, with duplication and overlaps to adhere to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that can be used by senior managers. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives, performance measures for each of the mapped objectives derived from governance and control frameworks that may provide guidance for practitioners. Collapse

Topics: data security COBIT IT security ITIL information security management

Methods: qualitative interview case study personal interview survey delphi study

Theories: theory of everything

A DEVOPS PERSPECTIVE: THE IMPACT OF ROLE TRANSITIONS ON SOFTWARE SECURITY CONTINUITY

2023 | European Conference On Information Systems | Citations: 0

Authors: Kam, Hwee-Joo; D’Arcy, John

Abstract: Prior studies have claimed that, with evolving technologies, continuity process ... Expand

Abstract: Prior studies have claimed that, with evolving technologies, continuity processes in Development and Operations (DevOps) needs to be re-evaluated consistently. In this context, this study examines a relatively new continuity process --continuous software security. With regulatory compliance and ubiquitous cyberattacks, it becomes increasingly important to integrate security into DevOps. Presently, DevOps developers assume the role of systems operators and software developers to facilitate Continuous Integration/Continuous Deployment (CI/CD). Assuming multiple roles involves role transitioning that requires developers to psychologically disengage from their current role and engage in another. Gradually, this may cause mental exhaustion. Therefore, implementing continuous security may add more complexity to DevOps, instigating more stress to software developers. Given this concern, we draw on Role Transition Theory and Cognitive Load Theory to examine whether integrating security into DevOps would aggravate developers' job burnout, which would eventually undermine continuous security practices. Collapse

Topics: devops software developer IT security information security practice systems development

Methods: theory development literature study

Theories: cognitive load theory

Addressing Organisational, Individual and Technological Aspects and Challenges in Information Security Management: Applying a framework for a case study

2023 | HICSS | Citations: 0

Authors: Topa, I.; Karyda, M.

Abstract: This study investigates information security management challenges in a large o ... Expand

Abstract: This study investigates information security management challenges in a large organisation. The aim of this study is to apply the Technological-Organisational-Individual (TOI) Framework in this organisation to determine to what extent current security management practices are informed by findings of relevant literature and standards on information security incorporated in the framework. The TOI framework is used to map factors influencing security behavior to current practices applied by the organisation and to analyse them. Conclusions suggest that some factors that play a critical role in information security management are not adequately covered. This study also aims to provide recommendations to security managers on how to address these factors to implement security management practices that can improve ISP compliance, and inform literature on any additional security management practices. Further, this study includes insights into how organisations may exploit key strengths in applying information security management to achieve good security behaviour among their employees and take an adaptive approach to changing conditions, such as teleworking. Collapse

Topics: pandemic IT security information security management security policy IT supported collaboration

Methods: qualitative interview

Introduction to the Minitrack on Innovative Behavioral IS Security and Privacy Research

2023 | HICSS | Citations: 0

Authors: Vance, Anthony; Warkentin, Merrill; Johnston, Allen

Abstract: ... Expand

Abstract: Collapse

Topics: IT security information security policy compliance cybersecurity behavior security policy personality

Theories: social learning theory

Security is Local: The Influence of the Immediate Workgroup on Information Security

2023 | Journal of the Association for Information Systems | Citations: 0

Authors: Wang, Dawei; Durcikova, Alexandra; Dennis, Alan

Abstract: Information security is a multilevel phenomenon with employee security decision ... Expand

Abstract: Information security is a multilevel phenomenon with employee security decisions being influenced by macrolevel factors (e.g., organizational policies), mesolevel factors (e.g., one's immediate workgroup-IW), and microlevel factors (e.g., individual personalities). We argue that an employee's local IW (i.e., immediate supervisor and coworkers) has a strong effect on security. This paper focuses on the effects of these mesolevel factors in the presence of macro-and microlevel factors. Drawing on the social structure and social learning framework as well as workgroup research, we hypothesize that the security behavior of an employee's IW supervisor and coworkers moderated by the nature of these relationships influences information security decisions. Our research, based on a sample of 217 full-time employees, reveals that the IW significantly affects security decisions, over and above the micro-and macrolevel factors. These effects are moderated by the nature of the relationship between employees and their IW supervisor (leader-member exchange) and coworkers (team-member exchange). A post hoc analysis shows that the mesolevel factors alone had the same explanatory power as the micro-and macrolevels combined. Our research suggests that future theory and research should include the IW and that organizations should share security responsibilities with line managers and help them understand their substantial impact on information security. Security training programs should ask employees about the behaviors of their IW supervisor and coworkers and, where needed, deliver anti-neutralization training to mitigate the effects of the IW's noncompliance behaviors.Alexandra Durcikova is an associate professor of MIS at the Price College of Business, University of Oklahoma. Her research focuses on knowledge management, knowledge repositories, and human compliance with security policy and characteristics of successful phishing attempts within the area of computer security, and health information systems. Collapse

Topics: data security IT security threat IT security password self efficacy

Methods: survey theory development descriptive statistic data transformation factor analysis

Theories: big five model social learning theory leader–member exchange theory

When good blocks go bad: Managing unwanted blockchain data

2021 | International Journal of Information Management | Citations: 15

Authors: Carvalho, Arthur; Merhout, Jeffrey W.; Kadiyala, Yogesh; Bentley II, John

Abstract: Blockchain has been praised for providing the technical infrastructure that enab ... Expand

Abstract: Blockchain has been praised for providing the technical infrastructure that enables a group of self-interested entities to share data without relying on intermediaries. Technically, blockchain is a distributed and decen­ tralized append-only database. This latter aspect leads to an important, yet overlooked governance issue, namely what should the network members do when erroneous or malicious data are added to the blockchain ledger? We start by describing three public cases when the above happened. For each case, we elaborate on the adopted solution, which we refer to as the “rollback,” the “do nothing,” and the “overturn” solution. Drawing from these previous cases, discussions with experts, and from our own experience with blockchain research and develop­ ment, we provide suggestions concerning managerial, technical, and information security policies and practices organizations should follow when contemplating enterprise-level applications of the blockchain technology. Collapse

Topics: blockchain data security research and development smart contract cryptocurrency

Methods: qualitative interview

Protecting Organizational Information Assets: Exploring the Influence of Regulatory Focus on Rational Choices

2021 | HICSS | Citations: 0

Authors: Burns, Aj

Abstract: Protecting organizational information assets is an essential objective for most ... Expand

Abstract: Protecting organizational information assets is an essential objective for most organizations. More than ever, information security relies on insiders with access to information in their work. This research integrates regulatory focus theory with rational choice theory to help shed light on these insiders’ motivations to protect organizational information. The result of these exploratory analyses indicates that promotion and prevention foci each distinctly relate to perceived costs and benefits of protecting organizational information assets. Additionally, the findings show that the overall benefit of protecting mediates an expanded set of costs and benefits. Ultimately, the model explains 57.1% of the variance in insiders’ intentions to protect organizational information assets. Collapse

Topics: data security information security practice IT security cybersecurity behavior anonymity

Methods: PLS tool partial least squares regression mediation analysis self reported survey theoretical contribution

Theories: regulatory focus theory rational choice theory

Can financial incentives help with the struggle for security policy compliance?

2021 | Information & Management | Citations: 3

Authors: Goel, Sanjay; Williams, Kevin J.; Huang, Jingyi; Warkentin, Merrill

Abstract: This study examined the effects of financial incentives on security policy compl ... Expand

Abstract: This study examined the effects of financial incentives on security policy compliance. Participants were recruited for a computerized in-basket job simulation and randomly assigned to one of three groups: (1) control group with no financial incentives for compliance; (2) positive frame (gain) group where participants could gain up to $5 for compliance; (3) negative frame (loss) group where participants were awarded $5, but would lose a portion with each compliance failure. Incentives increased individuals’ vigilance toward phishing emails and decreased likelihood of clicking on links, with the negative frame incentive having the strongest effects. Incentives worked better for non-contextualized emails. Collapse

Topics: electronic mail email phishing phishing security policy cloud computing

Methods: chi squared test experimental group survey longitudinal research binomial logistic regression

Theories: behavioral economics prospect theory loss aversion

The Mediating Role of Psychological Empowerment in Information Security Compliance Intentions

2020 | Journal of the Association for Information Systems | Citations: 5

Authors: Dhillon, Gurpreet; Talib, Yurita Yakimini Abdul; Picoto, Winnie Ng

Abstract: The issue of employee noncompliance with information security policies is univer ... Expand

Abstract: The issue of employee noncompliance with information security policies is universal. Noncompliance increases the possibility of invasive information security threats, which can result in compromised organizational assets. Although research has empirically revealed a relationship between structural empowerment and employee intention to comply with information security policies, the mediating role of psychological empowerment in the relationship has received limited attention. This study conceptualizes the role of psychological empowerment as a mediator between structural empowerment and the intention to comply with information security policy. It suggests that empowerment work structures, which include information security education, training, and awareness (SETA), access to information security strategic goals, and participation in information security decision-making all increase employees’ feelings of being psychologically empowered, which consequently leads to positive intentions to comply with information security policy. Collapse

Topics: data security decision making security policy intrinsic motivation missing data

Methods: SEM tool chi squared test structural equation modeling survey factor analysis