A typology of employees' information security behaviour

Ahmad, Zauwiyah; Norhashim, Mariati; Ong, Thian Song; Hui, Liew Tze

doi:10.1109/icoict.2016.7571929

Cited by 6 publications

(9 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the knowing-doing mode, employees know the rules, have the necessary security skills and comply with the rules (Alfawaz et al, 2010). Ahmad et al (2016) group employees into four types based on whether or not they know the security rules and whether or not they comply with the information security rules. They classify these rules as discerning, obedient, rebellious and oblivious employees.…”

Section: Theoretical Backgroundmentioning

confidence: 99%

“…Discerning individuals conform to the information security rules because they have the necessary knowledge; some employees conform to the information security rules not because they have the knowledge but because they follow organisational rules just because they are there; other employees choose not to conform to information security rules despite having the knowledge; and others still violate information security because they do not have the security knowledge (Ahmad et al, 2016). Alfawaz et al (2010) and Ahmad et al (2016) propose a classification of employees' information security behaviour that also explain why employees fail to comply with organisational ISPs. They postulate that employees fail to comply because they are ignorant of the regulations, they choose not to or they are not competent owing to lack of security knowledge.…”

Section: Theoretical Backgroundmentioning

confidence: 99%

“…Secure behaviour is a result of an employee who has a clear intention to comply with the ISP (Guo, 2013;Safa et al, 2015). However, the employee may unintentionally comply with the ISP (Guo, 2013); the employee could comply with the ISP when they are not knowledgeable about information security rules or the existence of the ISP (Alfawaz et al, 2010;Ahmad et al, 2016).…”

Section: Ics 294mentioning

confidence: 99%

See 2 more Smart Citations

Assessing information security behaviour: a self-determination theory perspective

Gangire

Veiga

Herselman

2021

ICS

View full text Add to dashboard Cite

Purpose This paper outlines the development of a validated questionnaire for assessing information security behaviour. The purpose of this paper is to present data from the questionnaire validation process and the quantitative study results. Design/methodology/approach Data obtained through a quantitative survey (N = 263) at a South African university were used to validate the questionnaire. Findings Exploratory factor analysis produced 11 factors. Cronbach’s alpha for the 11 factors were all above 0.7, suggesting that the questionnaire is valid and reliable. The responses show that autonomy questions received positive perception, followed by competence questions and lastly relatedness questions. The correlation analysis results show that there was a statistically significant relationship between competence factors and autonomy factors. There was a partial significant relationship between autonomy and relatedness factors, and between competence and relatedness factors. The study results suggest that competence and autonomy could be more important than relatedness in fostering information security behaviour among employees. Research limitations/implications This study used a convenience sampling, a cross-sectional design, and was carried out in a single organisation. This could pose limitations when generalising the study results. Future studies could use random sampling and consider other universities for further validation. Practical implications Universities can use the questionnaire to identify developmental areas to improve information security from a behaviour perspective. Originality/value This paper provides a research instrument for assessing information security behaviour from the perspective of the self-determination theory.

show abstract

Section: Theoretical Backgroundmentioning

confidence: 99%

Section: Theoretical Backgroundmentioning

confidence: 99%

Section: Ics 294mentioning

confidence: 99%

See 1 more Smart Citation

Assessing information security behaviour: a self-determination theory perspective

Gangire

Veiga

Herselman

2021

ICS

View full text Add to dashboard Cite

show abstract

“…Accordingly, since technical solutions are insufficient to address the challenges of information security [19], everincreasing security needs have expanded the attention of researchers to research of the role of management in information security management [2]. Effective information security management requires a combination of technical and managerial controls for information risk management [2] with an emphasis on people as an essential element of information security [19], [20], [21] where, despite sophisticated technologies and technical measures, employee inattention may continue to jeopardize the organization's security which depends on its users [8], [22], [23].…”

Section: Information Security In Organizationsmentioning

confidence: 99%

“…While education involves learning basic concepts and theoretical concepts from work materials, the training serves to provide employees with skills and knowledge related to information security that are specific to their roles and responsibilities through the use of seminars and workshops. On the other hand, raising awareness serves for focusing employee attention on information security in order to ensure their understanding of their roles and responsibilities in the protection of information [27] that can easily be overlooked if information security is considered as solely IT department's responsibility [23]. The greatest emphasis from these three components is awareness raising, which functions as a tool to familiarize employees with the understanding and acceptance of the information security policy developed by the organization [12].…”

Section: Information Security Education Training and Awarenessmentioning

confidence: 99%

Key Success Factors of Information Systems Security

Arbanas

Hrustek

2019

J. inf. organ. sci. (Online)

View full text Add to dashboard Cite

The issue of information systems security, and thus information as key resource in today's information society, is something that all organizations in all sectors face in one way or another. To ensure that information remain secure, many organizations have implemented a continuous, structured and systematic security approach to manage and protect an organization's information from undermining individuals by establishing security policies, processes, procedures, and information security organizational structures. However, despite this, security threats, incidents, vulnerabilities and risks are still raging in many organizations. One of the main causes of this problem is poor understanding of information systems security key success factors. Identifying and understanding of information security key success factors can help organizations to manage how to focus limited resources on those elements that really impact on success, therefore saving time and money and creating added value and further enabling operational business. This research, based on comprehensive literature review, summarizes most cited key success factors of information systems security identified in scientific articles indexed in relevant databases, of which the top three success factors were management support, information security policy and information security education, training and awareness. At the end, article states identified research gaps and provides readers with possible directions for further researches. those from the organizational or sociological aspect, since even the best security technology cannot stop the social engineering based attack [1]. One of the first and the foremost challenges faced by information security executives is to successfully balance the need to protect information assets on the one hand and enable operational operations on the other, because over-strict protection can lead to business performance barriers while loose controls can create unacceptable risks for information assets [3]. A modern view of information security requires that an effective information security strategy must be balanced, i.e. designing and implementing security solutions should emphasize the importance of technology, but also the socio-organizational context within the organization [3] and observe information security also as business and social question, not just technical [3], [2].National Institute of Standards and Technology (NIST) [4] defines information security as "the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability"; information systems security as "the protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats" and cyber security as "the ability to protect or defend...

show abstract