Theorising on risk homeostasis in the context of information security behaviour

Kearney, Wayne D.; Kruger, Hendrik G.

doi:10.1108/ics-04-2016-0029

Cited by 12 publications

(11 citation statements)

References 61 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Involvement theory was introduced by Astin (1999) to understudy factors in the college environment that affected students’ persistence in college and has been widely adopted by previous researchers in psychological and management research. Previous researchers have examined the role of involvement features related to ISP compliance including security knowledge sharing, collaboration, intervention and experience (Safa et al , 2016; Kearney and Kruger, 2016). Astin (1999) described quantitative and qualitative features of Involvement theory.…”

Section: Theoretical Backgroundmentioning

confidence: 99%

Establishing information security policy compliance culture in organizations

Amankwa

Loock

Kritzinger

2018

ICS

View full text Add to dashboard Cite

Purpose This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions. Design/methodology/approach In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey. Findings The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations. Practical implications Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance. Originality/value The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.

show abstract

Section: Theoretical Backgroundmentioning

confidence: 99%

Establishing information security policy compliance culture in organizations

Amankwa

Loock

Kritzinger

2018

ICS

View full text Add to dashboard Cite

show abstract

“…RHT has also been adapted in several security-related studies. Kearney and Kruger (2016) claimed that RHT can be leveraged to extend knowledge and insights into contradictory human behaviour.…”

Section: Rht In Information Securitymentioning

confidence: 99%

Risk homeostasis and security fatigue: a case study of data specialists

Bhana

Ophoff

2023

ICS

View full text Add to dashboard Cite

Purpose Organisations use a variety of technical, formal and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees to manage security-related risks. The purpose of this research is to explore the homeostatic mechanism proposed by risk homeostasis theory (RHT), as well as security fatigue, in an organisational context. Design/methodology/approach A case study approach was used to investigate the topic, focusing on data specialists who regularly work with sensitive information assets. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company. Findings A thematic analysis of the data revealed risk perceptions, behavioural adjustments and indicators of security fatigue. The findings provide examples of how these concepts manifest in practice and confirm the relevance of RHT in the security domain. Originality/value This research illuminates homeostatic mechanisms in an organisational security context. It also illustrates links with security fatigue and how this could further impact risk. Examples and indicators of security fatigue can assist organisations with risk management, creating “employee-friendly” policies and procedures, choosing appropriate technical security solutions and tailoring security education, training and awareness activities.

show abstract

“…Many theories and models have been developed to study behaviour in various situations. Kearney and Kruger (2016) summarise the most prevalent theories as the following: the theory of reasoned action (TRA); the theory of planned behaviour (TPB); the general deterrence theory; and the protection motivation theory. Of the aforementioned, TPB (which is an extension of TRA) draws on the attitude of an individual to predict the intention that the individual has to perform a specific behaviour (Ifinedo, 2012;Bulgurcu et al, 2010).…”

Section: Theoretical Framework For Information Security Behaviourmentioning

confidence: 99%

“…Frangopoulos et al (2014) mention some common issues pertaining to bias when respondents answer questionnaires -which is a common data collection tool and also used in this studythat could have a negative impact on the subject being measured. Social desirability is a bias that is driven by respondents having a pre-conceived notion of the "correct" or "expected" answer (Kearney and Kruger, 2016;Fisher, 1993). The answers given are not a reflection of the truth or status quo, but rather a version of events that reflects actions that are deemed socially acceptable.…”

mentioning

confidence: 99%

The application of behavioural thresholds to analyse collective behaviour in information security

Snyman

Kruger

2017

ICS

View full text Add to dashboard Cite

Purpose The purpose of this study is to perform an exploratory investigation into the feasibility of behavioural threshold analysis as a possible aid in security awareness campaigns. Design/methodology/approach Generic behavioural threshold analysis is presented and then applied in the domain of information security by collecting data on the behavioural thresholds of individuals in a group setting and how the individuals influence each other when it comes to security behaviour. Findings Initial experimental results show that behavioural threshold analysis is feasible in the context of information security and may provide useful guidelines on how to construct information security awareness programmes. Practical implications Threshold analysis may contribute in a number of ways to information security, e.g. identification of security issues that are susceptible to peer pressure and easily influenced by peer behaviour; serve as a countermeasure against security fatigue; contribute to the economics of information security awareness programmes; track progress of security awareness campaigns; and provide a new measure for determining the importance of security awareness issues. Originality/value This paper describes the very first experiment to test the behavioural threshold analysis concepts in the context of information security.

show abstract

Theorising on risk homeostasis in the context of information security behaviour

Cited by 12 publications

References 61 publications

Establishing information security policy compliance culture in organizations

Establishing information security policy compliance culture in organizations

Risk homeostasis and security fatigue: a case study of data specialists

The application of behavioural thresholds to analyse collective behaviour in information security

Contact Info

Product

Resources

About