Predicting information security culture among employees of telecommunication companies in an emerging market

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Nurul Asmui Azmi Md Azmi ◽  
Ai Ping Teoh ◽  
Ali Vafaei-Zadeh ◽  
Haniruzila Hanifah
Keyword(s):  
Information Security ◽  
Emerging Market ◽  
Mediating Effect ◽  
Security Awareness ◽  
Content Type ◽  
Security Culture ◽  
Information Security Awareness ◽  
The Relationship ◽  
Information Security Culture ◽  
Telecommunications Companies

Purpose The purpose of this study is to examine factors, which influence information security culture among employees of telecommunications companies. The motivation for this study was the rise in the number of data breach incidents caused by the organizations’ own employees. Design/methodology/approach A total of 139 usable responses were collected via a Web-based questionnaire survey from employees of Malaysian telecommunications companies. Data were analysed by using SmartPLS 3. Findings Security education, training and awareness (SETA) programmes and information security awareness were found to have a positive and significant impact on Information Security Culture. Additionally, self-reported employees’ security behaviour was found to act as a partial mediator on the relationship between information security awareness and information security culture. Research limitations/implications The study was cross-sectional in nature. Therefore, it could not measure changes in population over time. Practical implications The empirical data provides a new perspective on significant elements that influence information security culture in an emerging market. Organizations in the telecommunications industry can now recognize that SETA programmes and information security awareness have a significant impact on information security culture. Employees’ security behaviour also mediates the relationship between information security awareness and information security culture. Originality/value This is the first study to analyse the mediating effect of employees’ security behaviour on the relationship between information security awareness and information security culture in the Malaysian telecommunications context.

Exploring the relationship between student mobile information security awareness and behavioural intent

2015 ◽  
Vol 23 (4) ◽  
pp. 406-420 ◽  
Author(s):  
Bukelwa Ngoqo ◽  
Stephen V. Flowerday
Keyword(s):  
Information Security ◽  
Mobile Phone ◽  
Undergraduate Students ◽  
Security Awareness ◽  
Human Errors ◽  
Content Type ◽  
Information Security Awareness ◽  
Student Information ◽  
Key Aspects ◽  
The Relationship

Purpose – The purpose of this paper was to analyse existing theories from the social sciences to gain a better understanding of factors which contribute to student mobile phone users’ poor information security behaviour. Two key aspects associated with information security behaviour were considered, namely, awareness and behavioural intent. This paper proposes that the knowing-and-doing gap can possibly be reduced by addressing both awareness and behavioural intent. This research paper explores the relationship between student mobile phone user information security awareness and behavioural intent in a developmental university in South Africa. Design/methodology/approach – Information security awareness interventions were implemented in this action research study, and student information security behavioural intent was observed after each cycle. Findings – The poor security behaviour exhibited by student mobile phone users, which was confirmed by the findings of this study, is of particular interest in the university context, as most undergraduate students are offered a computer-related course which covers certain information security-related principles. Existing researchers in the field of information security still grapple with the “knowing-and-doing” gap, where user information security knowledge/awareness sometimes does not result in safer behavioural practises. Originality/value – Zhang et al. (2009) suggest that understanding human behaviour is important when dealing with the problems caused by human errors. Harnesk and Lindstrom (2011) expressed a concern that existing research does not address the interlinked relationship between anticipated security behaviour and the enactment of security procedures. This study acknowledges Choi et al. (2008) contribution in their discussions on the “knowing-and-doing gap” suggests a link between awareness and actual behaviour that is confirmed by the findings of this study.

Success in Security Awareness

ITNOW ◽  
2020 ◽  
Vol 62 (4) ◽  
pp. 50-51
Author(s):  
Federico Iaschi
Keyword(s):  
Information Security ◽  
Security Awareness ◽  
Security Culture ◽  
Information Security Awareness ◽  
Awareness Programme ◽  
Information Security Culture

Abstract Information security culture can affect your business, both good and bad. Federico Iaschi, MBCS CISSP CISM, describes the crucial steps that help develop a successful information security awareness programme.

Key elements of an information security culture in organisations

2019 ◽  
Vol 27 (2) ◽  
pp. 146-164 ◽  
Author(s):  
Frans Nel ◽  
Lynette Drevin
Keyword(s):  
South Africa ◽  
Information Security ◽  
Design Methodology ◽  
Online Survey ◽  
Security Awareness ◽  
Content Type ◽  
Security Culture ◽  
Key Aspects ◽  
Information Security Culture ◽  
Initial Framework

Purpose The purpose of this paper is to report on a study that investigated the information security culture in organisations in South Africa, with the aim of identifying key aspects of the culture. The unique aspects for building an information security culture were examined and presented in the form of an initial framework. These efforts are necessary to address the critical human aspect of information security in organisations where risky cyber behaviour is still experienced. Design/methodology/approach Literature was investigated with the focus on the main keywords security culture and information security. The information security culture aspects of different studies were compared and analysed to identify key elements of information security culture after which an initial framework was constructed. An online survey was then conducted in which respondents were asked to assess the importance of the elements and to record possible missing elements/aspects regarding their organisation’s information security culture to construct an enhanced framework. Findings A list of 21 unique security culture elements was identified from the literature. These elements/aspects were divided into three groups based on the frequency each was mentioned or discussed in studies. The number of times an element was found was interpreted as an indication of how important that element/aspect is. A further four aspects were added to the enhanced framework based on the results that emerged from the survey. Originality/value The value of this research is that an initial framework of information security culture aspects was constructed that can be used to ensure that an organisation incorporates all key aspects in its own information security culture. This framework was further enhanced from the results of the survey. The framework can also assist further studies related to the information security culture in organisations for improved security awareness and safer cyber behaviour of employees.

The effect of resilience and job stress on information security awareness

2018 ◽  
Vol 26 (3) ◽  
pp. 277-289 ◽  
Author(s):  
Agata McCormac ◽  
Dragana Calic ◽  
Kathryn Parsons ◽  
Marcus Butavicius ◽  
Malcolm Pattinson ◽  
...  
Keyword(s):  
Information Security ◽  
Job Stress ◽  
The Body ◽  
Future Research ◽  
Security Awareness ◽  
Content Type ◽  
Information Security Awareness ◽  
Positive Effects ◽  
Human Aspects ◽  
The Relationship

Purpose The purpose of this study was to investigate the relationship between resilience, job stress and information security awareness (ISA). The study examined the effect of resilience and job stress on the three components that comprise ISA, namely, knowledge, attitude and behaviour. Design/methodology/approach A total of 1,048 working Australians completed an online questionnaire. ISA was measured with the Human Aspects of Information Security Questionnaire. Participants also completed the Brief Resilience Scale and the Job Stress Scale. Findings It was found that participants with greater resilience also had higher ISA and experienced lower levels of job stress. More specifically, individuals who reported higher levels of resilience had significantly better knowledge, attitude and behaviour. Similarly, participants who reported lower levels of job stress also reported significantly better knowledge, attitude and behaviour. Resilience plays an important mediating role in the relationship between job stress and ISA. This means that even if people have high levels of job stress, if they are better able to cope with or adapt to stress (i.e. have higher resilience), they are less likely to have lower ISA. Results of this study add to the body of literature emphasising the positive effects of resilience and suggest that resilience is associated with improved ISA and therefore more secure behaviour. Research limitations/implications Future research should focus on assessing the influence of resilience training in the workplace. Originality/value Given the constructive findings, it may be valuable to focus on the effect of organisational culture, and organisational security culture, on resilience, job stress and ISA.

External technology acquisition, exploitation and process innovation performance in emerging market small and medium sized enterprises: the moderating role of organizational slack

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Thammanoon Charmjuree ◽  
Yuosre F. Badir ◽  
Umar Safdar
Keyword(s):  
Open Innovation ◽  
Emerging Market ◽  
Process Innovation ◽  
Innovation Performance ◽  
Mediating Effect ◽  
Content Type ◽  
Technology Acquisition ◽  
The Relationship ◽  
Unabsorbed Slack ◽  
Positive Effect

PurposeThis study is among the very few to examine the firm's simultaneous use of both dimensions of open innovation and its influences on the firm's process innovation performance (PIP). Specifically, the authors consider the relationship between firm's external technology acquisition (ETA) and external technology exploitation (ETE) and examine their direct, indirect and mediating effect on the firm's PIP. The authors also examine the moderating effect of the organizations' unabsorbed slack (UASL) on the relationship between ETA and ETE.Design/methodology/approachAnalyzing data collected from 311 small- and medium-sized software development firms in emerging market; Thailand, we show that both ETA and ETE have a positive effect on PIP and that ETE fully mediates the relationship between ETA and PIP.FindingsThe authors show that both ETA and ETE have a positive effect on PIP and that ETE fully mediates the relationship between ETA and PIP. Moreover, the relationship between ETA and ETE is positively moderated by the firms' unabsorbed slack (UASL) and that the influence of ETA on PIP through ETE is stronger under higher unabsorbed slack.Originality/valueThe authors extend the “traditional” performance outcome of outbound dimension of open innovation concept, which focuses exclusively on commercialization and market (Chesbrough, 2003b), by showing that ETE positively influences the firm's PIP. Moreover, the study explains the mechanism through which ETA influence the firm's PIP by proposing that ETE fully mediates the relationship between ETA and PIP.

Establishing a Personalized Information Security Culture

2012 ◽  
pp. 53-69 ◽  
Author(s):  
Shuhaili Talib ◽  
Nathan L. Clarke ◽  
Steven M. Furnell
Keyword(s):  
Information Security ◽  
Home Environment ◽  
Security Culture ◽  
Information Security Awareness ◽  
Use Of Technology ◽  
Awareness Programs ◽  
Awareness Raising ◽  
Knowledge And Practice ◽  
Information Security Culture ◽  
Individual Security

Good security cannot be achieved through technical means alone and a solid understanding of the issues and how to protect one’s self is required from users. Whilst many initiatives, programs and strategies have been proposed to improve the level of information security awareness, most have been directed at organizations. Given people’s use of technology is primarily focused between the workplace and home; this paper seeks to understand the knowledge and practice relationship between these environments. Through a developed survey, it was identified that the majority of the learning about information security occurred in the workplace, where clear motivations, such as legislation and regulation, existed. Results found that users were more than willing to engage with such awareness raising initiatives. From a comparison of practice between work and home environments, it was found that this knowledge and practice obtained at the workplace was transferred to the home environment. Given this positive transferability of knowledge and the willingness to learn about how to remain secure, an opportunity exists to move away from specific organizational awareness programs and to move towards awareness raising strategies that will develop an all-round individual security culture for users independent of the environment they are operating in.

Readiness for information security of teachers as a function of their personality traits and their assessment of threats

2020 ◽  
Vol 72 (5) ◽  
pp. 787-812
Author(s):  
Noa Aharony ◽  
Dan Bouhnik ◽  
Nurit Reich
Keyword(s):  
Information Security ◽  
Personality Traits ◽  
Cultural Change ◽  
Design Methodology ◽  
Educational Institutions ◽  
Security Awareness ◽  
Content Type ◽  
Information Security Awareness ◽  
Secure Information ◽  
The Impact

PurposeThis study examines the impact of personality traits on the degree of challenge experienced by individuals with respect to the threat on their information, the evaluation of their self-efficacy to secure the information and hence, their readiness to secure information.Design/methodology/approachThe study's population consisted of 157 teachers from various educational institutions across Israel. We used five questionnaires to gather data.FindingsFindings reveal a link between participants' personality traits, situation evaluation indicators and their readiness to secure information. Further, the greater subjects' information security awareness and familiarity with information security concepts, the better their application of the tools for securing information will be.Originality/valueThe importance of this research lies primarily in that it highlights the importance of individual differences while dealing with information security awareness. The findings constitute a theoretical and empirical basis for building tools toward guiding teachers to protect their information, as well as for devising educational and pedagogic programs for making a cultural change.

Recommendations for information security awareness training for college students

2014 ◽  
Vol 22 (1) ◽  
pp. 115-126 ◽  
Author(s):  
Eyong B. Kim
Keyword(s):  
College Students ◽  
Information Security ◽  
New England ◽  
Web Sites ◽  
Security Awareness ◽  
Awareness Training ◽  
Content Type ◽  
Information Security Awareness ◽  
The Status ◽  
Security Awareness Training

Purpose – The purpose of this paper is to survey the status of information security awareness among college students in order to develop effective information security awareness training (ISAT). Design/methodology/approach – Based on a review of the literature and theoretical standpoints as well as the National Institute of Standards and Technology Special Publication 800-50 report, the author developed a questionnaire to investigate the attitudes toward information security awareness of undergraduate and graduate students in a business college at a mid-sized university in New England. Based on that survey and the previous literature, suggestions for more effective ISAT are provided. Findings – College students understand the importance and the need for ISAT but many of them do not participate in it. However, security topics that are not commonly covered by any installed (or built-in) programs or web sites have a significant relationship with information security awareness. It seems that students learned security concepts piecemeal from variety of sources. Practical implications – Universities can assess their ISAT for students based on the findings of this study. Originality/value – If any universities want to improve their current ISAT, or establish it, the findings of this study offer some guidelines.

scholarly journals A systematic review of scales for measuring information security culture

2020 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Špela Orehek ◽  
Gregor Petrič
Keyword(s):  
Systematic Review ◽  
Information Security ◽  
Critical Evaluation ◽  
Face Validity ◽  
Measurement Scale ◽  
Limited Evidence ◽  
Content Type ◽  
Security Culture ◽  
Concept Of Information ◽  
Information Security Culture

Purpose The concept of information security culture, which recently gained increased attention, aims to comprehensively grasp socio-cultural mechanisms that have an impact on organizational security. Different measurement instruments have been developed to measure and assess information security culture using survey-based tools. However, the content, breadth and face validity of these scales vary greatly. This study aims to identify and provide an overview of the scales that are used to measure information security culture and to evaluate the rigor of reported scale development and validation procedures. Design/methodology/approach Papers that introduce a new or adapt an existing scale of information security culture were systematically reviewed to evaluate scales of information security culture. A standard search strategy was applied to identify 19 relevant scales, which were evaluated based on the framework of 16 criteria pertaining to the rigor of reported operationalization and the reported validity and reliability of the identified scales. Findings The results show that the rigor with which scales of information security culture are validated varies greatly and that none of the scales meet all the evaluation criteria. Moreover, most of the studies provide somewhat limited evidence of the validation of scales, indicating room for further improvement. Particularly, critical issues seem to be the lack of evidence regarding discriminant and criterion validity and incomplete documentation of the operationalization process. Research limitations/implications Researchers focusing on the human factor in information security need to reach a certain level of agreement on the essential elements of the concept of information security culture. Future studies need to build on existing scales, address their limitations and gain further evidence regarding the validity of scales of information security culture. Further research should also investigate the quality of definitions and make expert assessments of the content fit between concepts and items. Practical implications Organizations that aim to assess the level of information security culture among employees can use the results of this systematic review to support the selection of an adequate measurement scale. However, caution is needed for scales that provide limited evidence of validation. Originality/value This is the first study that offers a critical evaluation of existing scales of information security culture. The results have decision-making value for researchers who intend to conduct survey-based examinations of information security culture.

Sign in / Sign up

Export Citation Format

Share Document