An Adversarial Dance: Toward an Understanding of Insiders’ Responses to Organizational Information Security Measures

2023 | Journal of the Association for Information Systems | Citations: 0

Authors: Balozian, Puzant; Burns, A.; Leidner, Dorothy

Abstract: Despite the increased focus on organizational security policies and programs, s ... Expand

Abstract: Despite the increased focus on organizational security policies and programs, some employees continue to engage in maladaptive responses to security measures (i.e., behaviors other than those recommended, intended, or prescribed). To help shed light on insiders' adaptive and maladaptive responses to IS security measures, we conducted a case study of an organization at the forefront of security policy initiatives. Drawing on the beliefs-actions-outcomes (BAO) model to analyze our case data, we uncover a potentially nonvirtuous cycle consisting of security-related beliefs, actions, and outcomes, which we refer to as an "adversarial dance." Explaining our results, we describe a novel belief framework that identifies four security belief profiles and uncovers an underexplored outcome of IS security: insiders' lived security experiences. We find that individuals' unfavorable lived security experiences produce counterproductive security-related beliefs that, in turn, lead to maladaptive behaviors. Maladaptive behaviors create new potential for security risk, leading to increased organizational security measures to counter them. Thus, the adversarial dance continues, as the new security measures have the potential to reinforce counterproductive security-related beliefs about the importance and risk of IS security and lead to new maladaptive behaviors. To help situate our findings within the current security literature, we integrate the results with prior research based on extant theories. While this paper is not the first to suggest that security measures can elicit maladaptive behaviors, the emergent belief framework and expanded BAO model of IS security constitute an important contribution to the behavioral IS security literature.Puzant Balozian is an assistant professor of computer information systems at James Madison University. His research focus is primarily on the impacts of organizational factors on individual user behaviors in the context of information security and privacy and addressing security policy compliance and violation. Collapse

Topics: IT security IT security defense productivity IT security threat anonymity

Methods: case study qualitative interview personal interview theory development survey

Theories: information systems theory neutralization theory behavioral theory

Are Information Security Practices Driven by the Likelihood and potential Impact of Security Events?

2023 | Americas Conference on Information Systems | Citations: 0

Authors: Batra, Gunjan; Saeed, Khawaja; Zafar, Humayun

Abstract: Organizations have opened up various digital interfaces through which customers ... Expand

Abstract: Organizations have opened up various digital interfaces through which customers gain access to online services. Digital interaction between the organization and its customers increases security risks. This study examines how the risk profile of customers defined by their perception of the likelihood and potential impact of a security incident is related to their information security behaviors. We collected data in the context of online banking services to empirically evaluate this research question. The results showed that individuals with low likelihood and high impact perceptions of security incidents had authentication and device security practices significantly higher than that of other groups. Surprisingly, there was no difference in security practices across groups with high likelihood/high impact and low likelihood/low impact perceptions of security incidents. Implications of these results are discussed along with ways we plan to extend this research study. Collapse

Topics: electronic authentication cybersecurity behavior password online banking information security practice

Methods: cluster analysis survey exploratory factor analysis data transformation descriptive statistic

Barking Up the Wrong Tree? Reconsidering Policy Compliance as a Dependent Variable within Behavioral Cybersecurity Research

2023 | HICSS | Citations: 0

Authors: Cram, W. Alec; D'Arcy, John

Abstract: A rich body of research examines the cybersecurity behavior of employees, with a ... Expand

Abstract: A rich body of research examines the cybersecurity behavior of employees, with a particular focus on explaining the reasons why employees comply with (or violate) organizational cybersecurity policies. However, we posit that this emphasis on policy compliance is susceptible to several notable limitations that could lead to inaccurate research conclusions. In this commentary, we examine the limitations of using cybersecurity policy compliance as a dependent variable by presenting three assertions: (1) the link between policy compliance and organizational-level outcomes is ambiguous; (2) policies vary widely in terms of their clarity and completeness; and (3) employees have an inconsistent familiarity with their own organization’s cybersecurity policies. Taken together, we suggest that studying compliance with cybersecurity policies reveals only a partial picture of employee behavior. In response, we offer recommendations for future research. Collapse

Topics: IT security data breach computer data storage cybersecurity behavior top management support

Methods: survey linguistic analysis company material

‘What a waste of time’: An examination of cybersecurity legitimacy

2023 | Information Systems Journal | Citations: 0

Authors: Cram, W. Alec; D'Arcy, John

Abstract: Managers who oversee cybersecurity policies commonly rely on managerial encourag ... Expand

Abstract: Managers who oversee cybersecurity policies commonly rely on managerial encouragement (e.g., rewards) and employee characteristics (e.g., attitude) to drive compliant behaviour. However, whereas some cybersecurity initiatives are perceived as reasonable by employees, others are viewed as a ‘waste of time’. This research introduces employee judgements of cybersecurity legitimacy as a new angle for understanding employee compliance with cybersecurity policies over time. Drawing on theory from the organisational legitimacy and cybersecurity literature, we conduct a three-wave survey of 529 employees and find that, for each separate wave, negative legitimacy judgements mediate the relationship between management support and compliance, as well as between cybersecurity inconvenience and compliance. Our results provide support for cybersecurity legitimacy as an important influence on employee compliance with cybersecurity initiatives. This is significant because it highlights to managers the importance of not simply expecting compliant employee behaviour to follow from the introduction of cybersecurity initiatives, but that employees need to be convinced that the initiatives are fair and reasonable. Interestingly, we did not find sufficient support for our expectation that the increased likelihood of a cybersecurity incident will moderate the legitimacy-policy compliance relationship. This result suggests that the legitimacy perceptions of employees are unyielding to differences in the risk characteristics of the cybersecurity incidents facing organisations. Collapse

Topics: IT security top management support cybersecurity behavior pandemic privacy

Methods: survey SEM tool structural equation modeling survey design confirmatory factor analysis

Theories: fairness theory organizational behavior theory

Enhancing users’ security engagement through cultivating commitment: the role of psychological needs fulfilment

2023 | European Journal of Information Systems | Citations: 0

Authors: Davis, Joshua; Agrawal, Deepti; Guo, Xiang

Abstract: Employee behaviour is fundamental to corporate information security (InfoSec) ca ... Expand

Abstract: Employee behaviour is fundamental to corporate information security (InfoSec) capabilities across the phases of prevention, detection, and response. Unfortunately, despite over a decade of research on the topic, the human aspect of security remains the most vulnerable in many companies today, often rooted in employee disinterest. Two traditions within the InfoSec research that may contribute to this disconnect are 1) emphasis on extrinsic manipulation of behaviour versus cultivation of internalised commitment to organisational InfoSec and 2) emphasis on isolated activities over more integrated perspectives of security behaviour. Addressing these gaps, the current study examines end user InfoSec behaviour through a distinct internal motivational lens. Rooted in Self-Determination Theory, a research model is introduced that highlights workplace factors which drive end users’ internalised commitment to organisational InfoSec by fulfiling fundamental psychological needs (autonomy, competence, and relatedness) within this context. Commitment, which captures internally regulated motivation to contribute to organisational InfoSec performance, is then positioned as a driver of intention to engage in various security behaviours. Overall, the results support the study’s hypotheses and underscore the important roles perceived behavioural control, IT competence, and user-IS department relations have on commitment to organisational InfoSec and resultant behavioural outcomes. Collapse

Topics: knowledge base IT job cybersecurity behavior resource allocation electronic mail

Methods: survey design survey partial least squares regression psychometrics partial least squares path modeling

Theories: self determination theory

Augmenting Password Strength Meter Design Using the Elaboration Likelihood Model: Evidence from Randomized Experiments

2023 | Information Systems Research | Citations: 0

Authors: Khern-am-nuai, Warut; Hashim, Matthew J.; Pinsonneault, Alain; Yang, Weining; Li, Ninghui

Abstract: Password-based authentication is the most commonly used method for gaining acces ... Expand

Abstract: Password-based authentication is the most commonly used method for gaining access to secured systems. Unfortunately, empirical evidence highlights the fact that most passwords are significantly weak, and encouraging users to create stronger passwords is a significant challenge. In this research, we propose a theoretically augmented password strength meter design that is guided by the elaboration likelihood model of persuasion (ELM). We evaluate our design by leveraging three independent and complementary methods: a survey-based experiment using students to evaluate the saliency of our conceptual design (proof of concept), a controlled laboratory experiment conducted on Amazon Mechanical Turk to test the effectiveness of the proposed design (proof of value), and a randomized field experiment conducted in collaboration with an online forum in Asia to establish proof of use. In each study, we observe the changes in users’ behavior in response to our proposed password strength meter. We find that the ELM-augmented password strength meter is significantly effective at addressing the challenges of password-based authentication. Users exposed to this strength meter are more likely to change their passwords, leading to a new password that is significantly stronger. Our findings suggest that the proposed design of augmented password strength meters is an effective method for promoting secure password behavior among end users.History: Alessandro Acquisti, Senior Editor; Pallab Sanyal, Associate Editor.Funding: The authors gratefully acknowledge financial support from the Social Science and Humanities Research Council of Canada (SSHRC) [Grant 435-2018-0605].Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2022.1125. Collapse

Topics: password website data security electronic authentication application programming interface

Methods: experiment survey laboratory experiment experimental group field experiment

Theories: elaboration likelihood model

The effects of knowledge mechanisms on employees' information security threat construal

2023 | Information Systems Journal | Citations: 1

Authors: Mady, Ashraf; Gupta, Saurabh; Warkentin, Merrill

Abstract: Organisations implement a variety of knowledge mechanisms such as information se ... Expand

Abstract: Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research. Collapse

Topics: data security email phishing security policy IT security task complexity

Methods: survey experiment Student's t-test parametric test survey design

Theories: construal level theory security compliance theory

Close the Intention-Behavior Gap via Attitudes: Case Study of the Volitional Adoption of a Two-Factor Authentication Service

2023 | HICSS | Citations: 0

Authors: Mattson, Tom; Aurigemma, Sal; Ren, Jie

Abstract: Most of the theories used in the behavioral security literature explain the vari ... Expand

Abstract: Most of the theories used in the behavioral security literature explain the variance in intentions to act securely. Yet, individuals often fail to act on their intentions. This disconnect is referred to as the intention-behavior gap. Most theories propose a single structural path between intentions and actual behaviors with the expectation that individuals will act on their intentions. The purpose of our paper is to investigate this intention-behavior gap in the context of the volitional adoption of information security technologies. To do so, we conducted a two-phased qualitative study of the adoption of a two-factor authentication (2FA) service. In our bottom-up investigation, we discovered emergent themes related to the four functional areas of attitudes (i.e., functional attitude theory). Our paper contributes to the behavioral security literature by suggesting that individuals must change their negative attitudes related to different functional areas to start to reduce the intention-behavior gap. Collapse

Topics: multi-factor authentication behavioral intention electronic mail data security data breach

Methods: qualitative coding personal interview logistic regression

Theories: attitude theory

Buying in and Feeling Responsible: A Model of Extra-role Security Behavior

2023 | HICSS | Citations: 0

Authors: Nehme, Alaa; Marler, Laura

Abstract: Extra-role security behavior has been recognized as a salient element of informa ... Expand

Abstract: Extra-role security behavior has been recognized as a salient element of information security. Drawing upon the research on proactivity in the management literature, we identify ‘felt responsibility for constructive change’ (FRCC) as an important proactive motivational state that drives the behavior. We then follow proactive motivation theory and seek the contextual element and individual difference that precede FRCC. Based on buy-in theory, we propose that user participation in the development of information security-related activities and artifacts induces FRCC. To balance context specificity with generality, we model the individual difference of proactive personality as a moderator of this relation. Our model expands the scope of studying behavioral security by addressing users’ proactive involvement in protecting organizations’ information assets, as opposed to only examining reactive and passive user involvement. Further, the model extends the literature by addressing how promoting positive pre-kinetic events serves organizational information security. Collapse

Topics: data security participatory design personality cybersecurity behavior decision making

Methods: design methodology theory development conceptual modelling

Theories: organizational behavior theory buy-in theory of participation motivation theory

The Janus Effect of Generative AI: Charting the Path for Responsible Conduct of Scholarly Activities in Information Systems

2023 | Information Systems Research | Citations: 7

Authors: Susarla, Anjana; Gopal, Ram; Thatcher, Jason Bennett; Sarker, Suprateek

Abstract: Funding: A. Susarla was funded by an R01 grant from the National Library of Medi ... Expand

Abstract: Funding: A. Susarla was funded by an R01 grant from the National Library of Medicine, through [Grant R01LM013443]. Collapse

Topics: generative AI cybersecurity behavior internet technology intellectual property IS discipline

Methods: chatGPT literature study survey qualitative interview structural equation modeling