A Path Way to Successful Management of Individual Intention to Security Compliance: A Role of Organizational Security Climate

Åström

Information &Amp; Computer Security

2015

Purpose – The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about. Design/methodology/approach – Results are based on a literature review of information security culture research published between 2000 and 2013 (December). Findings – This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature. Research limitations/implications – Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research. Practical implications – Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated. Originality/value – Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.

Section: Research Questions Investigated In Information Security Culture Researchmentioning

confidence: 83%

Section: Research Questions Investigated In Information Security Culture Researchmentioning

confidence: 99%

Information security culture – state-of-the-art review between 2000 and 2013

Åström

Information &Amp; Computer Security

2015

“…Appropriate information security is needed to enhance the confidentiality, integrity and availability of data, helping to maintain the original form of information content without risk of modification or loss. Various disciplines involved in managing organizations and securing their information have shown intense interest in the field of information security management (Goo et al , 2013), effectively preventing security breaches and using up-to-date information management strategies to meet the latest information security standards. This paper focuses on information security management issues for human service organizations (HSOs) and presents an information security management framework to assist them in reducing the threat of information security breaches.…”

Section: Introductionmentioning

confidence: 99%

Developing a theory-based information security management framework for human service organizations

Mubarak

2016

JICES

Purpose This paper aims to identify organizations’ information security issues and to explore dynamic, organizational culture and contingency theories to develop an implementable framework for information security systems in human service organizations (HSOs) based soundly in theory and practice. Design/methodology/approach The paper includes a critical review of global information security management issues for HSOs and relevant multi-disciplinary organizational theories to address them. Findings Effective information security management can be particularly challenging to HSO because of their use of volunteer staff in a borderless electronic environment. Organizations’ lack of recognition of the need for staff awareness of information security threats and for training in secure work practices, particularly in terms of maintaining clients’ privacy and confidentiality, is a major issue. The dynamic theory of organizational knowledge creation, organizational culture theory and contingency theory were identified as the most suitable theoretical perspectives to address this issue and underpin an effective information security management framework for HSOs. Research limitations/implications The theory-based framework presented here has not been tested in practice. Such testing will be carried out in further research. Originality/value Currently, there is no framework for information security systems in HSOs. The framework developed here provides a foundation on which HSO can build information security systems specific to their needs.

“…Other theories have only been occasionally tested. For example, tests of Neutralization Theory (Siponen and Vance, 2010; Barlow et al , 2013) and Social Control Theory (Lee et al , 2004; Goo et al , 2013) have been performed.…”

Section: Theory and Hypothesesmentioning

confidence: 99%

“…Some of these studies have also found links between information security policy compliance intentions and the norms expressed by friends (Jenkins and Durcikova, 2013), information security personnel (Siponen et al , 2010; Siponen et al , 2014), IT personnel (Ifinedo, 2012) or technical specialists (Herath and Rao, 2009). Furthermore, research by Goo et al (2013), McCoy et al (2009), Lowry et al (2014), Hu et al (2012), Finch et al (2003), Chipperfield and Furnell (2010), Furnell and Thomson (2009) and Sommestad (2015) have established or proposed various links between individuals’ perception of their organization and their perceptions related to information security.…”

Section: Theory and Hypothesesmentioning

confidence: 99%

Work-related groups and information security policy compliance

Sommestad

2018

ICS

Purpose It is widely acknowledged that norms and culture influence decisions related to information security. The purpose of this paper is to investigate how work-related groups influence information security policy compliance intentions and to what extent this influence is captured by the Theory of Planned Behavior, an established model over individual decision-making. Design/methodology/approach A multilevel model is used to test the influence of work-related groups using a cluster sample of responses from 2,291 employees from 203 worksites, 119 organizations, 6 industries and 38 professions. Findings The results suggest that work-related groups influence individuals’ decision-making in the manner in which contemporary theories of information security culture posit. However, the influence is weak to modest and overshadowed by individual perceptions that are straightforward to measure. Research limitations/implications This paper is limited to one national culture and four types of work-related groups. However, the results suggest that the Theory of Planned Behavior captures most of the influence that work-related groups have on decision-making. Future research on security culture and similar phenomena should take this into account. Practical implications Information security perceptions in work-related groups are diverse and information security decisions appear to be based on individual perceptions and priorities rather than groupthink or peer-pressure. Security management interventions may be more effective if they target individuals rather than groups. Originality/value This paper tests some of the basic ideas related to information security culture and its influence on individuals’ decision-making.