Evolvement of Information Security Research on Employees' Behavior: A Systematic Review and Future Direction

Alaskar, Mohamed; Vodanovich, Shahper; Shen, Kathy Ning

doi:10.1109/hicss.2015.508

Cited by 12 publications

(19 citation statements)

References 70 publications

(162 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Cilliers [36] states the most common data breach still remains where employees that have access to or may copy information without authorization. There are also a number of theories that have been published [16], [37] including deterrence theory (DT), theory of reasoned action/planned behavior (TRA), protection motivation theory (PMT), rational choice theory (RCT), social cognitive theory (SCT), social bond theory (SBT), and neutralization theory (NT), which address modeling behavior or behavioral change. However, all of these theories appear to focus upon intentional action and not address the prominent issue of unintentional human error.…”

Section: Related Workmentioning

confidence: 99%

“…Other research presented that 24% of data loss incidents were caused by insiders including accidental and malicious acts [16], 55% of root causes of data breaches occurred as a result of unintentional employee action [17] and more than one-third of hospital communication errors were related to human factors. In addition, it is also published that most unintended and unanticipated errors are due to socio-technical issues when using technologies [18] which are leading to the socio-technical nature of information security coming to the fore [19].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Employee Perspective on Information Security Related Human Error in Healthcare: Proactive Use of IS-CHEC in Questionnaire Form

Evans

Luo

et al. 2019

IEEE Access

View full text Add to dashboard Cite

The objective of the research was to establish data relating to underlying causes of human error which are the most common cause of information security incidents within a private sector healthcare organization. A survey questionnaire was designed to proactively apply the IS-CHEC information security human reliability analysis (HRA) technique. The IS-CHEC technique questionnaire identified the most likely core human error causes that could result in incidents, their likelihood, the most likely tasks that could be affected, suggested remedial and preventative measures, systems or processes that would be likely to be affected by human error and established the levels of risk exposure. The survey was operational from 15th November 2018 to 15th December 2018. It achieved a response rate of 65% which equated to 485 of 749 people targeted by the research. The research found that, in the case of this particular participating organization, the application of the IS-CHEC technique through a questionnaire added beneficial value as an enhancement to a standard approach of holistic risk assessment. The research confirmed that the IS-CHEC in questionnaire form can be successfully applied within a private sector healthcare organization and also that a distributed approach for information security human error assessment can be successfully undertaken in order to add beneficial value. The results of this paper indicate, from the questionnaire responses supplied by employees, that organizational focus on its people and their working environment can improve information security posture and reduce the likelihood of associated information security incidents through a reduction in human error. INDEX TERMSHuman error assessment and reduction technique (HEART), human error related information security incidents, human reliability analysis (HRA), information security, IS-CHEC.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Employee Perspective on Information Security Related Human Error in Healthcare: Proactive Use of IS-CHEC in Questionnaire Form

Evans

Luo

et al. 2019

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Similarly, the Chronology of Data Breaches shows that in 2012 in the U.S., approximately 9,232,015 records were stolen as the result of insider data breaches. The Ponemon Institute shows that 35% of data breaches around the world were due to human errors (Alaskar, Vodanovich and Shen 2015).…”

Section: Human Factors In Information Securitymentioning

confidence: 99%

“…According to the review paper by Alaskar, Vodanovich and Shen (2015), General Deterrence Theory is still the dominant theory used by Information Systems scholars to study information security compliance (Chen, Ramamurthy and Wen 2012, Cheng et al 2013, D'Arcy, Hovav and Galletta 2009, Guo and Yuan 2012, Harrington 1996, Lee, Lee and Yoo 2004, Siponen and Vance 2010, Son 2011, Straub Jr 1990). Straub Jr and Nance (1990) adopted classical deterrence theory from criminology literature into their information security studies.…”

Section: General Deterrence Theorymentioning

confidence: 99%

“…The papers by Sommestad et al (2014) and Alaskar, Vodanovich and Shen (2015) point out that the survey is the predominant research method used in the management of information security literature. However, it is well known that using self-reported data is biased, especially in studying anti-social and ethical/unethical behavior (Krumpal 2013).…”

Section: Scenario-based Security Compliance Measurementmentioning

confidence: 99%

See 1 more Smart Citation

Information Security Policy Compliance

Hoffman

2018

SSRN Journal

View full text Add to dashboard Cite

One of the most challenging problems modern firms face is that their weakest link in maintaining information security is the behavior of employees: clicking on phishing emails, telling friends and family private information, and searching for private information about themselves (Loch, Carr and Warkentin 1992). A survey conducted by the Computer Security Institute reported that the average monetary loss per incident was $288,618 and that 44% of those who responded to the survey reported insider securityrelated abuse, making it the second-most frequently occurring computer security incident (Richardson 2008). This paper uses a questionnaire from Hu, West and Smarandescu (2015) to test for the efficacy of different reward and punishment schemes in preventing insider security-related abuse. Hu et al.'s (2015) scenarios elicit from participants whether they would recommend violating company IT policies. Real monetary payments provide motivation.3 The results indicate that, if a company can detect abuses with some degree of certainty, the best strategy among those tested is to regularly reward individual employees with small rewards for complying with company policy and punish every detected violation. This recommendation contrasts with the existing literature, which focuses almost entirely on punishment for detected security breaches. This focus on punishment is referred to as General Deterrence Theory (Straub Jr 1990). The results in this paper suggest strongly that General Deterrence Theory does not provide an effective strategy for preventing security breaches.

show abstract

Information Security Behavior: Development of a Measurement Instrument Based on the Self-determination Theory

Gangire

Veiga

Herselman

2020

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Employee information security behaviour is important in securing an organisation's information technology resources. Employees can act in a risky or secure manner. Improving employee information security behaviour is important for organisations and should follow an assessment of their behaviour. A robust measuring instrument is a necessity for effectively assessing information security behaviour. In this study, a questionnaire was developed based on the Human Aspects of Information Security Questionnaire and self-determination theory and validated statistically. Data obtained through a quantitative survey (N = 263) at a South African university was used to validate the questionnaire. The result is a questionnaire that has internally consistent items, as shown by the results of the reliability analysis. Universities can use the questionnaire to identify developmental areas to improve information security from a behaviour perspective.

show abstract

Evolvement of Information Security Research on Employees' Behavior: A Systematic Review and Future Direction

Cited by 12 publications

References 70 publications

Employee Perspective on Information Security Related Human Error in Healthcare: Proactive Use of IS-CHEC in Questionnaire Form

Employee Perspective on Information Security Related Human Error in Healthcare: Proactive Use of IS-CHEC in Questionnaire Form

Information Security Policy Compliance

Information Security Behavior: Development of a Measurement Instrument Based on the Self-determination Theory

Contact Info

Product

Resources

About