InfoSec Process Action Model (IPAM): Targeting Insiders' Weak Password Behavior

2019 ◽  
Vol 33 (3) ◽  
pp. 201-225 ◽  
Author(s):  
Michael Curry ◽  
Byron Marshall ◽  
John Correia ◽  
Robert E. Crossler
Keyword(s):  
Individual Behavior ◽  
Threefold Increase ◽  
Multi Stage ◽  
Compliance Behavior ◽  
Noncompliant Behavior ◽  
Action Model ◽  
Security Compliance ◽  
Residual Control ◽  
Control Risk

ABSTRACT The possibility of noncompliant behavior is a challenge for cybersecurity professionals and their auditors as they try to estimate residual control risk. Building on the recently proposed InfoSec Process Action Model (IPAM), this work explores how nontechnical assessments and interventions can indicate and reduce the likelihood of risky individual behavior. The multi-stage approach seeks to bridge the well-known gap between intent and action. In a strong password creation experiment involving 229 participants, IPAM constructs resulted in a marked increase in R2 for initiating compliance behavior with control expectations from 47 percent to 60 percent. Importantly, the model constructs offer measurable indications despite practical limitations on organizations' ability to assess problematic individual password behavior. A threefold increase in one measure of strong password behavior suggested the process positively impacted individual cybersecurity behavior. The results suggest that the process-nuanced IPAM approach is promising both for assessing and impacting security compliance behavior.

scholarly journals Tax Compliance: Between Intrinsic Religiosity and Extrinsic Religiosity

2018 ◽  
Vol 21 (1) ◽  
Author(s):  
Theresia Woro Damayanti
Keyword(s):  
Tax Compliance ◽  
Sampling Technique ◽  
Intrinsic Religiosity ◽  
Religious Leaders ◽  
Daily Lives ◽  
Central Java ◽  
Extrinsic Religiosity ◽  
Multi Stage ◽  
Compliance Behavior ◽  
Religious Teaching

This study examined the correlation between intention on tax compliance and tax compliance behavior with the moderating variable of religiosity orientation both intrinsic religiosity and extrinsic religiosity. The religiosity orientation in this study used religiosity orientation commitment, which better illustrates the commitment on religiosity orientation in everyday life rather than to the presence of individuals in a place of worship as in previous studies. The population in this study is individual taxpayer in Central Java; the sample is taken using multi-stage sampling technique. By using PLS, this study showed that there was an influence of the intention to comply on tax compliance. External religiosity orientation was proved to strengthen the influence of the intention to comply on tax compliance while intrinsic religiosity orientation was not. Tax authorities can utilize the finding by conducting a collaboration with religious leaders to provide insight for taxpayers that religious considerations should affect business considerations that religious teaching is the most important thing in the daily lives and there should be a balance between religious teaching and physical life.

Factors Influencing Information Security Policy Compliance Behavior

2022 ◽  
pp. 213-232
Author(s):  
Kwame Simpe Ofori ◽  
Hod Anyigba ◽  
George Oppong Appiagyei Ampong ◽  
Osaretin Kayode Omoregie ◽  
Makafui Nyamadi ◽  
...  
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Future Research ◽  
General Deterrence ◽  
Security Education ◽  
Weakest Link ◽  
Compliance Behavior ◽  
Security Compliance ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.

scholarly journals Theory-Based Model and Prediction Analysis of Information Security Compliance Behavior in the Saudi Healthcare Sector

Symmetry ◽  
2020 ◽  
Vol 12 (9) ◽  
pp. 1544
Author(s):  
Sultan T. Alanazi ◽  
Mohammed Anbar ◽  
Shouki A. Ebad ◽  
Shankar Karuppayah ◽  
Hadeer A. Al-Ani
Keyword(s):  
Saudi Arabia ◽  
Information Systems ◽  
Information Security ◽  
Health Information ◽  
Healthcare Workers ◽  
Health Information Systems ◽  
General Information ◽  
Kingdom Of Saudi Arabia ◽  
Compliance Behavior ◽  
Security Compliance

The adoption of health information systems provides many potential healthcare benefits. The government of the Kingdom of Saudi Arabia has subsidized this field. However, like those of other less developed countries, organizations in the Kingdom of Saudi Arabia struggle to secure their health information systems. This issue may stem from a lack of awareness regarding information security. To date, most related studies have not considered all of the factors affecting information security compliance behavior (ISCB), which include psychological traits, cultural and religious beliefs, and legal concerns. This paper aims to investigate the usefulness of a theory-based model and determine the predictors of ISCB among healthcare workers at government hospitals in the Kingdom of Saudi Arabia. The study investigated 433 health workers in Arar, the capital of the Northern Borders Province in the Kingdom of Saudi Arabia. Two phases involved in this study were the hypothetical model formulation and identification of ISCB predictors. The results suggest that moderating and non-common factors (e.g., religion and morality) impact ISCB, while demographic characteristics (e.g., age, marital status, and work experience) do not. All published instruments and theories were embedded to determine the most acceptable theories for Saudi culture. The theory-based model of ISCB establishes the main domains of theory for this study, which were religion/morality, self-efficacy, legal/punishment, personality traits, cost of compliance/noncompliance, subjective norms, information security policy, general information security, and technology awareness. Predictors of ISCB indicate that general information security, followed by self-efficacy and religion/morality, is the most influential factor on ISCB among healthcare workers in the Kingdom of Saudi Arabia. This study is considered as the first to present the symmetry between theory and actual descriptive results, which were not investigated before.

Factors Influencing Information Security Policy Compliance Behavior

2020 ◽  
pp. 152-171
Author(s):  
Kwame Simpe Ofori ◽  
Hod Anyigba ◽  
George Oppong Appiagyei Ampong ◽  
Osaretin Kayode Omoregie ◽  
Makafui Nyamadi ◽  
...  
Keyword(s):  
Information Security ◽  
Security Policy ◽  
Future Research ◽  
General Deterrence ◽  
Security Education ◽  
Weakest Link ◽  
Compliance Behavior ◽  
Security Compliance ◽  
Information Security Policy Compliance ◽  
Security Policy Compliance

One of the major concerns of organizations in today's networked world is to unravel how employees comply with information security policies (ISPs) since the internal employee has been identified as the weakest link in security policy breaches. A number of studies have examined ISP compliance from the perspective of deterrence; however, there have been mixed results. The study seeks to examine information security compliance from the perspective of the general deterrence theory (GDT) and information security climate (ISC). Data was collected from 329 employees drawn from the five top-performing banks in Ghana and analyzed with PLS-SEM. Results from the study show that security education training and awareness, top-management's commitment for information security, and peer non-compliance behavior affect the information security climate in an organization. Information security climate, punishment severity, and certainty of deterrent were also found to influence employees' intention to comply with ISP. The implications, limitations, and directions for future research are discussed.

Enhancing cyber security behavior: an internal social marketing approach

2019 ◽  
Vol 28 (2) ◽  
pp. 133-159
Author(s):  
Hiep Cong Pham ◽  
Linda Brennan ◽  
Lukas Parker ◽  
Nhat Tram Phan-Le ◽  
Irfan Ulhaq ◽  
...  
Keyword(s):  
Social Marketing ◽  
Cyber Security ◽  
Marketing Mix ◽  
User Engagement ◽  
Product Price ◽  
Content Type ◽  
Compliance Behavior ◽  
Security Compliance ◽  
The Impact ◽  
Marketing Approach

Purpose Understanding the behavioral change process of system users to adopt safe security practices is important to the success of an organization’s cybersecurity program. This study aims to explore how the 7Ps (product, price, promotion, place, physical evidence, process and people) marketing mix, as part of an internal social marketing approach, can be used to gain an understanding of employees’ interactions within an organization’s cybersecurity environment. This understanding could inform the design of servicescapes and behavioral infrastructure to promote and maintain cybersecurity compliance. Design/methodology/approach This study adopted an inductive qualitative approach using in-depth interviews with employees in several Vietnamese organizations. Discussions were centered on employee experiences and their perceptions of cybersecurity initiatives, as well as the impact of initiatives on compliance behavior. Responses were then categorized under the 7Ps marketing mix framework. Findings The study shows that assessing a cybersecurity program using the 7P mix enables the systematic capture of users’ security compliance and acceptance of IT systems. Additionally, understanding the interactions between system elements permits the design of behavioral infrastructure to enhance security efforts. Results also show that user engagement is essential in developing secure systems. User engagement requires developing shared objectives, localized communications, co-designing of efficient processes and understanding the “pain points” of security compliance. The knowledge developed from this research provides a framework for those managing cybersecurity systems and enables the design human-centered systems conducive to compliance. Originality/value The study is one of the first to use a cross-disciplinary social marketing approach to examine how employees experience and comply with security initiatives. Previous studies have mostly focused on determinants of compliance behavior without providing a clear platform for management action. Internal social marketing using 7Ps provides a simple but innovative approach to reexamine existing compliance approaches. Findings from the study could leverage proven successful marketing techniques to promote security compliance.

Toward an intellectual capital cyber security theory: insights from Lebanon

2021 ◽  
Vol ahead-of-print (ahead-of-print) ◽  
Author(s):  
Puzant Balozian ◽  
Dorothy Leidner ◽  
Botong Xue
Keyword(s):  
Information Systems ◽  
Intellectual Capital ◽  
Cyber Security ◽  
Theory Building ◽  
Content Type ◽  
Systems Security ◽  
Research Article ◽  
Compliance Behavior ◽  
Security Compliance ◽  
Practical Implications

PurposeIntellectual capital (IC) cyber security is a priority in all organizations. Because of the dearth in IC cyber security (ICCS) research theories and the constant call to theory building, this study proposes a theory of ICCS drawing upon tested empirical data of information systems security (ISS) theory in Lebanon.Design/methodology/approachAfter a pilot test, the authors tested the newly developed ISS theory using a field study consisting of 187 respondents, representing many industries, thus contributing to generalizability. ISS theory is used as a proxy for the development of ICCS theory.FindingsBased on a review of the literature from the past three decades in the information systems (IS) discipline and a discovery of the partial yet significant relevance of ISS literature to ICCS, this study succinctly summarized the antecedents and independent variables impacting security compliance behavior, putting the variables into one comprehensive yet parsimonious theoretical model. This study shows the theoretical and practical relevancy of ISS theory to ICCS theory building.Practical implicationsThis paper highlights the importance of ISS compliance in the context of ICCS, especially in the area of spoken knowledge in environments containing Internet-based security devices.Originality/valueThis research article is original, as it presents the theory of ICCS, which was developed by drawing upon a comprehensive literature review of the IS discipline and finding the bridges between the security of both IS and IC.

Sign in / Sign up

Export Citation Format

Share Document