Security Awareness: The First Step in Information Security Compliance Behavior

Author(s):  
Inho Hwang ◽  
Robin Wakefield ◽  
Sanghyun Kim ◽  
Taeha Kim
2018 ◽  
Vol 31 (5) ◽  
pp. 1047-1068 ◽  
Author(s):  
Aggeliki Tsohou ◽  
Philipp Holtkamp

Purpose: Information security policies (ISPs) are used by organizations to communicate rules on the use of information systems (IS). Research studies show that compliance with the ISPs is not a straightforward issue and that several factors influence individual behavior toward ISP compliance, such as security awareness or individual perception of security threats. The purpose of this paper is to investigate the competencies associated with users’ ISP compliance behavior.

Design/methodology/approach: In order to reveal the competencies that are associated with the users’ ISP compliance behavior, the authors systematically analyze the ISP compliance literature and the authors develop an ISP compliance competency model. The authors then target to explore if IS users are equipped with these competencies; to do so, the authors analyze professional competence models from various industry sectors and compare the competencies that they include with the developed ISP compliance competencies.

Findings: The authors identify the competencies associated with ISP compliance and the authors provide evidence on the lack of attention in information security responsibilities demonstrated in professional competence frameworks.

Research limitations/implications: ISP compliance research has focused on identifying the antecedents of ISP compliance behavior. The authors offer an ISP compliance competency model and guide researchers in investigating the issue further by focusing on the professional competencies that are necessary for IS users.

Practical implications: The findings offer new contributions to practitioners by highlighting the lack of attention on the information security responsibilities demonstrated in professional competence frameworks. The paper also provides implications for the design of information security awareness programs and information security management systems in organizations.

Originality/value: To the best of the authors’ knowledge, the paper is the first study that addresses ISP compliance behavior from a professional competence perspective.


2021 ◽  
Vol 11 (19) ◽  
pp. 9266
Author(s):  
Tienhua Wu ◽  
Kuang-You Tien ◽  
Wei-Chih Hsu ◽  
Fu-Hsiang Wen

Information security awareness (ISA) has become a vital issue, as security breaches often attributed to humans lead to losses for individuals and organizations. Information security (IS) education may be an effective strategy to improve students’ ISA; however, studies associated with the relationships between teaching effects and information security learning are few. This study adopted gamification practice and examined its effect on students’ ISA knowledge enhancement, attitude and intention of security compliance, and willingness for continuous IS education. This study also examined the gender difference in a gamified learning system. One hundred ten undergraduates participated in a quasi-experimental study. The results indicated that students within a gamified class performed better than students within a lecture-based instructional group. We found significant gamification effects on the three security focus areas of password management, Internet use, and information handling. Gamification did not significantly impact the attitude and intention of participants’ security compliance and students’ willingness for continuous IS learning. Gender difference in the effect of gamification on ISA knowledge enhancement was not observed either. The research provides theoretical and practical contributions by incorporating gamification into IS learning and suggests gamification as an effective means to enhance students’ knowledge acquisition in an engaging, timely, economical, and repeated manner.


2022 ◽  
pp. 213-232
Author(s):  
Kwame Simpe Ofori ◽  
Hod Anyigba ◽  
George Oppong Appiagyei Ampong ◽  
Osaretin Kayode Omoregie ◽  
Makafui Nyamadi ◽  
...  

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.


Symmetry ◽  
2020 ◽  
Vol 12 (9) ◽  
pp. 1544
Author(s):  
Sultan T. Alanazi ◽  
Mohammed Anbar ◽  
Shouki A. Ebad ◽  
Shankar Karuppayah ◽  
Hadeer A. Al-Ani

The adoption of health information systems provides many potential healthcare benefits. The government of the Kingdom of Saudi Arabia has subsidized this field. However, like those of other less developed countries, organizations in the Kingdom of Saudi Arabia struggle to secure their health information systems. This issue may stem from a lack of awareness regarding information security. To date, most related studies have not considered all of the factors affecting information security compliance behavior (ISCB), which include psychological traits, cultural and religious beliefs, and legal concerns. This paper aims to investigate the usefulness of a theory-based model and determine the predictors of ISCB among healthcare workers at government hospitals in the Kingdom of Saudi Arabia. The study investigated 433 health workers in Arar, the capital of the Northern Borders Province in the Kingdom of Saudi Arabia. Two phases involved in this study were the hypothetical model formulation and identification of ISCB predictors. The results suggest that moderating and non-common factors (e.g., religion and morality) impact ISCB, while demographic characteristics (e.g., age, marital status, and work experience) do not. All published instruments and theories were embedded to determine the most acceptable theories for Saudi culture. The theory-based model of ISCB establishes the main domains of theory for this study, which were religion/morality, self-efficacy, legal/punishment, personality traits, cost of compliance/noncompliance, subjective norms, information security policy, general information security, and technology awareness. Predictors of ISCB indicate that general information security, followed by self-efficacy and religion/morality, is the most influential factor on ISCB among healthcare workers in the Kingdom of Saudi Arabia. This study is considered the first to present the symmetry between theory and actual descriptive results, which were not investigated before.


10.2196/16775 ◽  
2020 ◽  
Vol 22 (1) ◽  
pp. e16775 ◽  
Author(s):  
Mohammad S Jalali ◽  
Maike Bruckes ◽  
Daniel Westmattelmann ◽  
Gerhard Schewe

Background: Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients.

Objective: This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data.

Methods: We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees’ survey results with their actual clicking data from phishing campaigns.

Results: Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees’ workload is positively associated with the likelihood of employees clicking on a phishing link.

Conclusions: This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees’ workload to increase information security. Our findings can help health care organizations augment employees’ compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.
