An Information Security Performance Measurement Tool for Senior Managers: Balanced Scorecard Integration for Security Governance and Control Frameworks

2023 | Information Systems Frontiers | Citations: 0

Authors: Herath, Tejaswini C.; Herath, Hemantha S. B.; Cullum, David

Abstract: As organizations have become increasingly reliant on information systems, senior ... Expand

Abstract: As organizations have become increasingly reliant on information systems, senior managers are keen in assessing the progress of implemented information security strategies. Although the balanced scorecard approach has been suggested for security governance, a critical issue affecting information security practitioners is complexity, as there are many standards and frameworks, with duplication and overlaps to adhere to when organizing the data. Consequently, the article attempts to develop a more inclusive framework for information security governance, a research gap recently identified in the literature. The article maps five governance and control frameworks (COBIT, SABSA, ISG, ITIL, and ISO 27000) to the information security balanced scorecard (InfoSec BSC) to develop a conceptual design of an effective information security performance measurement tool that can be used by senior managers. Using a real-life case application and interviews with a panel of experts, the article identifies IS initiatives, performance measures for each of the mapped objectives derived from governance and control frameworks that may provide guidance for practitioners. Collapse

Topics: data security COBIT IT security ITIL information security management

Methods: qualitative interview case study personal interview survey delphi study

Theories: theory of everything

A DEVOPS PERSPECTIVE: THE IMPACT OF ROLE TRANSITIONS ON SOFTWARE SECURITY CONTINUITY

2023 | European Conference On Information Systems | Citations: 0

Authors: Kam, Hwee-Joo; D’Arcy, John

Abstract: Prior studies have claimed that, with evolving technologies, continuity process ... Expand

Abstract: Prior studies have claimed that, with evolving technologies, continuity processes in Development and Operations (DevOps) needs to be re-evaluated consistently. In this context, this study examines a relatively new continuity process --continuous software security. With regulatory compliance and ubiquitous cyberattacks, it becomes increasingly important to integrate security into DevOps. Presently, DevOps developers assume the role of systems operators and software developers to facilitate Continuous Integration/Continuous Deployment (CI/CD). Assuming multiple roles involves role transitioning that requires developers to psychologically disengage from their current role and engage in another. Gradually, this may cause mental exhaustion. Therefore, implementing continuous security may add more complexity to DevOps, instigating more stress to software developers. Given this concern, we draw on Role Transition Theory and Cognitive Load Theory to examine whether integrating security into DevOps would aggravate developers' job burnout, which would eventually undermine continuous security practices. Collapse

Topics: devops software developer IT security information security practice systems development

Methods: theory development literature study

Theories: cognitive load theory

Security is Local: The Influence of the Immediate Workgroup on Information Security

2023 | Journal of the Association for Information Systems | Citations: 0

Authors: Wang, Dawei; Durcikova, Alexandra; Dennis, Alan

Abstract: Information security is a multilevel phenomenon with employee security decision ... Expand

Abstract: Information security is a multilevel phenomenon with employee security decisions being influenced by macrolevel factors (e.g., organizational policies), mesolevel factors (e.g., one's immediate workgroup-IW), and microlevel factors (e.g., individual personalities). We argue that an employee's local IW (i.e., immediate supervisor and coworkers) has a strong effect on security. This paper focuses on the effects of these mesolevel factors in the presence of macro-and microlevel factors. Drawing on the social structure and social learning framework as well as workgroup research, we hypothesize that the security behavior of an employee's IW supervisor and coworkers moderated by the nature of these relationships influences information security decisions. Our research, based on a sample of 217 full-time employees, reveals that the IW significantly affects security decisions, over and above the micro-and macrolevel factors. These effects are moderated by the nature of the relationship between employees and their IW supervisor (leader-member exchange) and coworkers (team-member exchange). A post hoc analysis shows that the mesolevel factors alone had the same explanatory power as the micro-and macrolevels combined. Our research suggests that future theory and research should include the IW and that organizations should share security responsibilities with line managers and help them understand their substantial impact on information security. Security training programs should ask employees about the behaviors of their IW supervisor and coworkers and, where needed, deliver anti-neutralization training to mitigate the effects of the IW's noncompliance behaviors.Alexandra Durcikova is an associate professor of MIS at the Price College of Business, University of Oklahoma. Her research focuses on knowledge management, knowledge repositories, and human compliance with security policy and characteristics of successful phishing attempts within the area of computer security, and health information systems. Collapse

Topics: data security IT security threat IT security password self efficacy

Methods: survey theory development descriptive statistic data transformation factor analysis

Theories: big five model social learning theory leader–member exchange theory

Protecting Organizational Information Assets: Exploring the Influence of Regulatory Focus on Rational Choices

2021 | HICSS | Citations: 0

Authors: Burns, Aj

Abstract: Protecting organizational information assets is an essential objective for most ... Expand

Abstract: Protecting organizational information assets is an essential objective for most organizations. More than ever, information security relies on insiders with access to information in their work. This research integrates regulatory focus theory with rational choice theory to help shed light on these insiders’ motivations to protect organizational information. The result of these exploratory analyses indicates that promotion and prevention foci each distinctly relate to perceived costs and benefits of protecting organizational information assets. Additionally, the findings show that the overall benefit of protecting mediates an expanded set of costs and benefits. Ultimately, the model explains 57.1% of the variance in insiders’ intentions to protect organizational information assets. Collapse

Topics: data security information security practice IT security cybersecurity behavior anonymity

Methods: PLS tool partial least squares regression mediation analysis self reported survey theoretical contribution

Theories: regulatory focus theory rational choice theory

The Mediating Role of Psychological Empowerment in Information Security Compliance Intentions

2020 | Journal of the Association for Information Systems | Citations: 5

Authors: Dhillon, Gurpreet; Talib, Yurita Yakimini Abdul; Picoto, Winnie Ng

Abstract: The issue of employee noncompliance with information security policies is univer ... Expand

Abstract: The issue of employee noncompliance with information security policies is universal. Noncompliance increases the possibility of invasive information security threats, which can result in compromised organizational assets. Although research has empirically revealed a relationship between structural empowerment and employee intention to comply with information security policies, the mediating role of psychological empowerment in the relationship has received limited attention. This study conceptualizes the role of psychological empowerment as a mediator between structural empowerment and the intention to comply with information security policy. It suggests that empowerment work structures, which include information security education, training, and awareness (SETA), access to information security strategic goals, and participation in information security decision-making all increase employees’ feelings of being psychologically empowered, which consequently leads to positive intentions to comply with information security policy. Collapse

Topics: data security decision making security policy intrinsic motivation missing data

Methods: SEM tool chi squared test structural equation modeling survey factor analysis

Toward Uncovering Patterns of Certification Internalization

2020 | International Conference on Information Systems | Citations: 0

Authors: Greulich, Malte; Lins, Sebastian; Sunyaev, Ali

Abstract: The number and variety of information systems (IS) certifications have increased ... Expand

Abstract: The number and variety of information systems (IS) certifications have increased continuously as the use of information technology has diversified and expanded. IS certifications are neutral third-party attestations of specific system characteristics and management principles to prove compliance with requirements. The reasons for organizations to adopt IS certifications are diverse, such as fostering learning and improvement, or demonstrating regulatory compliance. However, because of organizations’ diverse motivations to adopt certifications, organizations also differ in their degree of internalizing the certification. In particular, superficial, ceremonial adoption and a lack of internalization of certifications become critical issues harming the certification’s reputation and effectiveness. This short paper reports on preliminary findings from a qualitative study on the development of a data protection certification. Based on unique access to case companies throughout the certification attestation process, our research will provide insights into how motivations for adoption impact the internalization processes of organizations. Collapse

Topics: data protection legal context General Data Protection Regulation cloud computing quality management

Methods: qualitative coding qualitative interview personal interview literature study field study

Theories: resource based view of the firm institutional theory signaling theory

Motivating information security policy compliance: The critical role of supervisor-subordinate guanxi and organizational commitment

2020 | International Journal of Information Management | Citations: 0

Authors: Liu, Chenhui; Wang, Nengmin; Liang, Huigang

Abstract: Employees’ non-compliance with organizational information security policy (ISP) ... Expand

Abstract: Employees’ non-compliance with organizational information security policy (ISP) when using informational resources has become the main reason for continuous security incidents. Drawing upon technology threat avoidance theory (TTAT) and social exchange theory (SET), our study investigates the influence of supervisorsubordinate guanxi (SSG) and organizational commitment in the information security management. Our hypotheses were tested using survey data from 235 Chinese government employees. Results not only confirm the direct effect of SSG on government employees’ ISP compliance but also suggest that SSG indirectly influences compliance behavior via the mediation of organizational commitment. Organizational commitment weakens the negative influence of perceived costs on compliance behavior and also weakens the positive effect of self-efficacy on employees’ ISP compliance. For low-commitment employees, the negative influence of perceived costs on compliance behavior is more significant than that of those with strong organizational commitment, and selfefficacy exerts a stronger effect on ISP compliance for low-commitment employees than it does for high-commitment employees. This study contributes to current literature on information systems (IS) by confirming the critical roles of SSG and organizational commitment in motivating employees’ compliance behavior. Collapse

Topics: organizational commitment self efficacy information management IT security information security management

Methods: survey partial least squares regression descriptive statistic data transformation statistical hypothesis test

Theories: social psychology theory social exchange theory technology threat avoidance theory

Stakeholder perceptions of information security policy: Analyzing personal constructs

2020 | International Journal of Information Management | Citations: 6

Authors: Samonas, Spyridon; Dhillon, Gurpreet; Almusharraf, Ahlam

Abstract: Organizational stakeholders, such as employees and security managers, may unders ... Expand

Abstract: Organizational stakeholders, such as employees and security managers, may understand security rules and policies differently. Extant literature suggests that stakeholder perceptions of security policies can contribute to the success or failure of policies. This paper draws on the Theory of Personal Constructs and the associated methodology, the Repertory Grid technique, to capture the convergence and divergence of stakeholder perceptions with regards to security policy. We collected data from the employees of an e-commerce company that had developed five information security sub-policies. Our study highlights the practical utility of the Repertory Grid analysis in helping information security researchers and managers pinpoint a) the aspects of a security policy that are well-received by stakeholders, as well as those that are not, and b) the variance in the perceptions of stakeholders. Organizations can, then, capitalize on the well-received aspects of the policy and take corrective action for the ill-received ones. Collapse

Topics: security policy data security electronic commerce user attitude information security policy compliance

Methods: qualitative interview cluster analysis qualitative content analysis hierarchical clustering repertory grid technique

Peers matter: The moderating role of social influence on information security policy compliance

2020 | Information Systems Journal | Citations: 30

Authors: Yazdanmehr, Adel; Wang, Jingguo; Yang, Zhiyong

Abstract: Information security in an organization largely depends on employee compliance w ... Expand

Abstract: Information security in an organization largely depends on employee compliance with information security policy (ISP). Previous studies have mainly explored the effects of command-and-control and self-regulatory approaches on employee ISP compliance. However, how social influence at both individual and organizational levels impacts the effectiveness of these two approaches has not been adequately explored. This study proposes a social contingency model in which a rules-oriented ethical climate (employee perception of a rules-adherence environment) at the organizational level and susceptibility to interpersonal influence (employees observing common practices via peer interactions) at the individual level interact with both command-and-control and self-regulatory approaches to affect ISP compliance. Using employee survey data, we found that these two social influence factors weaken the effects of both command-and-control and self-regulatory approaches on ISP compliance. Theoretical and practical implications are also discussed. Collapse

Topics: social influence data security security policy intrinsic motivation communication service infrastructure

Methods: survey descriptive statistic partial least squares regression literature study scale reliability

Theories: contingency theory general deterrence theory deterrence theory

Generally Speaking, Context Matters: Making the Case for a Change from Universal to Particular ISP Research

2019 | Journal of the Association for Information Systems | Citations: 22

Authors: Aurigemma, Sal; Mattson, Thomas

Abstract: The objective of our paper is to conceptually and empirically challenge the idea ... Expand

Abstract: The objective of our paper is to conceptually and empirically challenge the idea of general information security policy (ISP) compliance. Conceptually, we argue that general ISP compliance is an ill-defined concept that has minimal theoretical usefulness because the policy-directed security actions vary considerably from threat to threat in terms of time, difficulty, diligence, knowledge, and effort. Yet, our senior IS scholars’ basket of journals has a strong preference to publish models in which the authors speculate that their findings are generalizable across all (or many) threats and controls contained in an organization’s ISP document. In our paper, we argue that compliance with each of the mandatory threat-specific security actions may require different (as opposed to similar) explanatory models, which makes constructing a universal model of ISP compliance problematic. Therefore, we argue that future ISP compliance literature will be more valuable if it focuses on the mechanisms, treatments, and behavioral antecedents associated with the required actions around specific threats instead of attempting to build a model that purportedly covers all (or many) threatspecific security actions (or intentions thereof). To support this claim empirically, we conducted two studies comparing general compliance intentions (i.e., undefined security action) and threat-specific compliance intentions. In both studies, our data show that compliance intentions vary significantly across general compliance measures and multiple threat-specific security measures or scenarios. Our results indicate that it is problematic to generalize about the behavioral antecedents from general compliance intentions to threat-specific security compliance intentions, from one threat-specific security action to other threat-specific security actions, and from one threat-specific security action to general compliance intentions. Collapse

Topics: password workstation IT security threat phishing self efficacy

Methods: literature study survey survey design chi squared test case study

Theories: theory of planned behavior protection motivation theory rational choice theory deterrence theory