Quality and Fairness of an Information Security Policy As Antecedents of Employees' Security Engagement in the Workplace: An Empirical Investigation

Bulğurcu, Burcu; Cavusoglu, Hasan; Benbasat, Izak

doi:10.1109/hicss.2010.312

Cited by 23 publications

(24 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bulgurcu et al [7] posit that the quality and fairness of an information security policy, as perceived by employees, are factors in employee security compliance. 'Security hygiene', as defined by Pfleeger et al, is a combination of workable security habits that also delivers effective risk management to the level required by the organisation [20].…”

Section: Challenge 2: the Organisation Must Reflect On The Existing Smentioning

confidence: 99%

Finding Security Champions in Blends of Organisational Culture

Becker¹,

Parkin²,

Sasse³

2017

Proceedings 2nd European Workshop on Usable Security

View full text Add to dashboard Cite

Security managers define policies and procedures to express how employees should behave to 'do their bit' for information security. They assume these policies are compatible with the business processes and individual employees' tasks as they know them. Security managers usually rely on the 'official' description of how those processes are run; the dayto-day reality is different, and this is where security policies can cause friction. Organisations need employees to participate in the construction of workable security, by identifying where policies causes friction, are ambiguous, or just do not apply. However, current efforts to involve employees in security act to identify employees who can be local representatives of policy-as with the currently popular idea of 'security champions'rather than as a representative of employee security needs. Towards helping organisations 'close the loop' and get input from employees, we have conducted employee surveys on security in the context of their specific jobs. The paper presents results from secondary analysis of one such survey in a large commercial organisation. The analysis of 608 responses finds that attitude to policy and behaviour types-the prevailing security cultures-vary greatly in the organisation and across four business divisions examined in further detail. There is a role in contributing to the effectiveness of security policies not only for those who follow policy, but also for those who question policy, socialise solutions, or expect security to justify itself as a critical part of their productive work. This demonstrates that security champions cannot be uniform across the organisation, but rather that organisations should rethink the role of security champions as diverse 'bottom-up' agents to change policy for the better, rather than communicators of existing 'top-down' policies. * Authors contributed equally. The promotion of security champions is seen as a way to find local representatives who can promote and monitor security policy at a local level, acting as an extension of company's security management team [12]. However, security champions may only be effective in this way if the policy itself is workable [6]. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

Section: Challenge 2: the Organisation Must Reflect On The Existing Smentioning

confidence: 99%

Finding Security Champions in Blends of Organisational Culture

Becker¹,

Parkin²,

Sasse³

2017

Proceedings 2nd European Workshop on Usable Security

View full text Add to dashboard Cite

show abstract

“…Common security controls reduce security risk to information systems [7]. Controls can be introduced in an ad hoc nature, but ISS controls based on policy are more effective [2], [18]. Senior management involvement is critical for not only establishing ISS policy, but also ensuring employee compliance [1], [19], [20].…”

Section: Literature Reviewmentioning

confidence: 99%

Information System Security Commitment: A Pilot Study of External Influences on Senior Management

Tejay

Barton

2013

2013 46th Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

This study investigated how external influences motivate senior management to commit to information system security (ISS) by examining the mediating role of senior management between external influences and organizational change. Neo-institutional theory was used to examine normative, mimetic, and coercive mechanisms that affect ISS assimilation in organizations. Findings show senior management beliefs about ISS and participation in ISS mediate effects of external influences on ISS assimilation. The findings from this pilot study give merit to a more comprehensive study, and provide a better understanding of how to motivate senior management to lead ISS in their organizations.

show abstract

“…After applying the inclusion and exclusion criteria, 13 articles were excluded, resulting in 36 articles included in the final review. From the 13 excluded references, seven were excluded based on the third criteria: five references were conferences proceedings [1,[44][45][46][47], one was a book chapter [48] and one was a thesis [49]. The remaining six excluded references discussed domains that could be argued to be under the IS policy scope.…”

Section: Search Processmentioning

confidence: 99%

Evolvement of Information Security Research on Employees' Behavior: A Systematic Review and Future Direction

Alaskar

Vodanovich

Shen

2015

2015 48th Hawaii International Conference on System Sciences

View full text Add to dashboard Cite

Information Security (IS) is one of the biggest concerns for many organizations. This concern has led many to focus a huge effort into studying different IS areas. One of these critical areas is the human aspect, where investigation of employees' behaviors has emerged as an important topic. In this paper, we conduct a systematic review of all empirical studies published on this topic. The review will highlight the theoretical and methodological development and the dissemination of related empirical studies in academic journals throughout the years. At the end of the review, future research considerations are discussed and shared.

show abstract

Quality and Fairness of an Information Security Policy As Antecedents of Employees' Security Engagement in the Workplace: An Empirical Investigation

Cited by 23 publications

References 16 publications

Finding Security Champions in Blends of Organisational Culture

Finding Security Champions in Blends of Organisational Culture

Information System Security Commitment: A Pilot Study of External Influences on Senior Management

Evolvement of Information Security Research on Employees' Behavior: A Systematic Review and Future Direction

Contact Info

Product

Resources

About