In their own words: employee attitudes towards information security

2018 ◽  
Vol 26 (3) ◽  
pp. 327-337 ◽  
Author(s):  
Debi Ashenden

Purpose – The purpose of this study is to uncover employee attitudes towards information security and to address the issue of social acceptability bias in information security research. Design/methodology/approach – The study used personal construct psychology and repertory grids as the foundation for the study in a mixed-methods design. Data collection consisted of 11 in-depth interviews followed by a survey with 115 employee responses. The data from the interviews informed the design of the survey. Findings – The results of the interviews identified a number of themes around individual responsibility for information security and the ability of individuals to contribute to information security. The survey demonstrated that those employees who thought that the organisation was driven by the need to protect information also thought that the risks were overstated and that their colleagues were overly cautious. Conversely, employees who thought that the organisation was driven by the need to optimise its use of information felt that the security risks were justified and that colleagues took too many risks. Research limitations/implications – The survey findings were not statistically significant, but by breaking the survey results down further across business areas, it was possible to see differences within groups of individuals within the organisation. Originality/value – The literature review highlights the issue of social acceptability bias and the problem of uncovering weakly held attitudes. In this study, the use of repertory grids offers a way of addressing these issues.

2016 ◽  
Vol 24 (5) ◽  
pp. 418-451 ◽  
Author(s):  
Fredrik Karlsson ◽  
Ella Kolkowska ◽  
Frans Prenkert

Purpose – The purpose of this paper is to survey existing inter-organisational information security research to scrutinise the kind of knowledge that is currently available and the way in which this knowledge has been brought about. Design/methodology/approach – The results are based on a literature review of inter-organisational information security research published between 1990 and 2014. Findings – The authors conclude that existing research has focused on a limited set of research topics. A majority of the research has focused on management issues, while employees’/non-staffs’ actual information security work in inter-organisational settings is an understudied area. In addition, the majority of the studies have used a subjective/argumentative method, and few studies combine theoretical work and empirical data. Research limitations/implications – The findings suggest that future research should address a broader set of research topics, focusing especially on employees/non-staff and their use of processes and technology in inter-organisational settings, as well as on cultural aspects, which are currently lacking; focus more on theory generation or theory testing to increase the maturity of this sub-field; and use a broader set of research methods. Practical implications – The authors conclude that existing research is to a large extent descriptive, philosophical or theoretical. Thus, it is difficult for practitioners to adopt existing research results, such as governance frameworks, which have not been empirically validated. Originality/value – Few systematic reviews have assessed the maturity of existing inter-organisational information security research. The authors’ findings on research topics, maturity and research methods extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-field of information security.


2015 ◽  
Vol 23 (1) ◽  
pp. 20-30 ◽  
Author(s):  
Kent Marett

Purpose – An increasing amount of attention is being paid to the human side of information security programs, leading to research designs that require the manipulation of study variables. The purpose of this paper is to highlight a traditional assessment of such designs, the manipulation check, and examine how its absence can undermine otherwise solid research efforts. Design/methodology/approach – This paper reviews literature from the fields of research methods, organizational behavior and information systems for extant perspectives and viewpoints on manipulation checks, which are then brought into the realm of information security research. Findings – The possible risks involved with failing to perform manipulation checks are discussed, which include a possibility of making Type II errors. The paper provides further insight on the timing, method and manner in which manipulation checks can be performed. Originality/value – A disappointing number of research articles in the area of information security fail to report manipulation checks when they should. This paper seeks to remind researchers to perform this vital assessment and to use the results accordingly.


2016 ◽  
Vol 18 (1) ◽  
pp. 2-17 ◽  
Author(s):  
Richard G. Taylor ◽  
Jeff Brice, Jr. ◽  
Sammie L. Robinson

Purpose – The purpose of the paper is to determine whether management’s optimistic perceptions of their organization’s level of information security preparedness can ultimately result in increased information security risks. Design/methodology/approach – A case study was conducted in a financial institution. In all, 24 employees were interviewed. These employees came from all functional areas and various positions, from tellers to executives. Interviews were conducted, internal policies and examiners’ reports were made available, and access was given to observe the employees during working hours and to observe the facilities after hours. Findings – Executives were overly optimistic about the level of information security at their organization. These optimistic perceptions guided security priorities; however, the findings show that their perceptions were misguided, leaving their organization open to increased security threats. More specifically, the results show that optimistic perceptions by management can put an organization’s information at risk. Originality/value – The paper uses existing theory and evaluates it in a “real-world” setting. For security research, it can be difficult to get honest responses from questionnaires; however, the hands-on approach provided a deeper insight into the problem of optimistic perceptions in an organizational setting. For practitioners, the case can raise management’s awareness of perceptual inaccuracies, resulting in more informed information security decisions and ultimately improved security for their organization.


2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Kristina Gyllensten ◽  
Marianne Torner

Purpose – The aim of this study was to explore the organizational and social prerequisites for employees' participative and rule-compliant information security behaviour in Swedish nuclear power production and its related industry. These industries are high-risk activities that must be meticulously secured, and protecting information security in the organizations concerned is an essential aspect of this. Design/methodology/approach – Individual in-depth interviews were conducted with 24 employees in two organizations within the nuclear power industry in Sweden. Findings – We found that prerequisites for employees' participative and rule-compliant information security behaviour could be categorized into structural, social and individual aspects. Structural aspects included well-adapted rules, knowledge support and resources. Social aspects included a supportive organizational culture, collaboration and adequate resources, and individual aspects included individual responsibility. Originality/value – The qualitative approach of the study provided comprehensive descriptions of the identified preconditions. The results may thus enable organizations to better promote conditions important for information security in a high-risk industry.


2018 ◽  
Vol 26 (2) ◽  
pp. 246-258 ◽  
Author(s):  
Joakim Berndtsson ◽  
Peter Johansson ◽  
Martin Karlsson

Purpose – The purpose of the study is to explore potential value conflicts between information security work and whistleblowing activities by analysing attitudes to whistleblowing among white-collar workers in Swedish organisations. Design/methodology/approach – The study is conducted using survey data from (n = 674) Swedish white-collar workers. Statistical analyses are conducted to explore variations in acceptance of whistleblowing and to analyse the relationship between acceptance of whistleblowing and information security attitudes and behaviours. Findings – The study finds strong support for whistleblowing in both public and private spheres, and by both private and public sector employees. The study also finds stronger acceptance for intra-organisational whistleblowing, while support for external whistleblowing is low. Finally, the study shows that whistleblowing activities might be perceived as coming into conflict with information security work, even as support for including whistleblowing functions in information security practices is high. Research limitations/implications – With a focus on one country, the study is limited in terms of empirical scope. It is also limited by a relatively small number of respondents and survey items relating to whistleblowing, which in turn affects its explanatory value. However, the study does provide unique new insight into a specific form of “non-compliance”, i.e. whistleblowing, which merits further investigation. Originality/value – Few studies exist that combine insights from the fields of whistleblowing and information security research. Thus, this study provides a basis for further investigation into attitudes and behaviours linked to whistleblowing in public and private organisations, as well as attendant value conflicts related to information security management and practice.


2014 ◽  
Vol 22 (1) ◽  
pp. 24-41 ◽  
Author(s):  
Deepa Mani ◽  
Kim-Kwang Raymond Choo ◽  
Sameera Mubarak

Purpose – Opportunities for malicious cyber activities have expanded with globalisation and advancements in information and communication technology. Such activities will increasingly affect the security of businesses with an online presence and/or connected to the internet. Although the real estate sector is a potential attack vector for, and target of, malicious cyber activities, it is an understudied industry. This paper aims to contribute to a better understanding of the information security threats, awareness and risk management standards currently employed by the real estate sector in South Australia. Design/methodology/approach – The current study comprises both quantitative and qualitative methodologies, which include 20 survey questionnaires and 20 face-to-face interviews conducted in South Australia. Findings – There is a lack of understanding about the true magnitude of malicious cyber activities and their impact on the real estate sector, as illustrated in the findings from 40 real estate organisations in South Australia. The findings and the escalating complexities of the online environment underscore the need for regular ongoing training programs in basic online security (including new cybercrime trends) and the promotion of a culture of information security (e.g. when using smart mobile devices to store and access sensitive data) among staff. Such initiatives will enable staff employed in the (South Australian) real estate sector to maintain current knowledge of the latest cybercrime activities and the best cyber security protection measures available. Originality/value – This is the first academic study focusing on real estate organisations in South Australia. The findings will contribute to the evidence on the information security threats faced by the sector as well as to the development of sector-specific information security risk management guidelines.


2020 ◽  
Vol 35 (3) ◽  
pp. 214-231 ◽  
Author(s):  
Daniel Pienta ◽  
Jason Bennett Thatcher ◽  
Allen Johnston

Whaling is one of the most financially damaging, well-known and effective cyberattacks employed by sophisticated cybercriminals. Although whaling largely consists of sending a simplistic email message to a whale (i.e. a high-value target in an organization), it can result in large payoffs for cybercriminals, in terms of money or data stolen from organizations. While a legitimate cybersecurity threat, little information security research has directed attention toward whaling. In this study, we begin to provide an initial understanding of what makes whaling such a pernicious problem for organizations, executives or celebrities (i.e. whales), and those charged with protecting them. We do this by defining whaling, delineating it from general phishing and spear phishing, presenting real-world cases of whaling, and providing guidance on future information security research on whaling. We find that whaling is far more complex than general phishing and spear phishing, spans multiple domains (e.g. work and personal), and potentially results in spillover effects that ripple across the organization. We conclude with a discussion of promising future directions for whaling and information security research.

