Work ethic and information security behavior

Purpose Information security is a growing issue that impacts organizations in virtually all industries, and data breaches impact millions of customers and cost organizations millions of dollars. Within the past several years alone, huge data breaches have been experienced by organizations such as Marriot, Equifax, eBay, JP Morgan Chase, Home Depot, Target and Yahoo, the latter of which impacted three billion users. This study aims to examine the utilization of pre-employment screening to identify potential hires that may require enhanced information security training to avoid such costs. Design/methodology/approach The authors hypothesize that an individual’s work ethic predicts a person’s information security behavior. The authors test this hypothesis using structural equation modeling with bootstrapping techniques. Findings Data analysis suggests that certain dimensions of work ethic do indeed predict information security posture, and thus, simple pre-employment screening techniques (i.e. questionnaires) can aid in identifying potential security threats. Practical implications The findings provide a tool for identifying problematic employee security posture prior to hiring, which may be useful in identifying training needs for new hires. Originality/value The findings provide a tool for identifying problematic employee security posture prior to hiring, which may be useful in identifying training needs for new hires.

Impact of digital nudging on information security behavior: an experimental study on framing and priming in cybersecurity

PurposePhishing attacks are the most common cyber threats targeted at users. Digital nudging in the form of framing and priming may reduce user susceptibility to phishing. This research focuses on two types of digital nudging, framing and priming, and examines the impact of framing and priming on users' behavior (i.e. action) in a cybersecurity setting. It draws on prospect theory, instance-based learning theory and dual-process theory to generate the research hypotheses.Design/methodology/approachA 3 × 2 experimental study was carried out to test the hypotheses. The experiment consisted of three levels for framing (i.e. no framing, negative framing and positive framing) and two levels for priming (i.e. with and without priming).FindingsThe findings suggest that priming users to information security risks reduces their risk-taking behavior, whereas positive and negative framing of information security messages regarding potential consequences of the available choices do not change users' behavior. The results also indicate that risk-averse cybersecurity behavior is associated with greater confidence with the action, greater perceived severity of cybersecurity risks, lower perceived susceptibility to cybersecurity risks resulting from the action and lower trust in the download link.Originality/valueThis research shows that digital nudging in the form of priming is an effective way to reduce users' exposure to cybersecurity risks.

Behavioral Information Security: Defining the Criterion Space

The success of information security appears to depend in part upon the effective behavior of the individuals involved in its use. Appropriate and constructive behavior by end users, system administrators, and others can enhance the effectiveness of information security while inappropriate and destructive behaviors can substantially inhibit its effectiveness. The present research focuses on “behavioral information security” which is defined as the complexes of human action that influence the availability, confidentiality, and integrity of information systems. Because research in this area is so new, in the present in study we focused on delineating and understanding the behavioral domain. Our goal for this study was to construct and test a taxonomy of information security behaviors. We expect that this knowledge can support later research efforts that focus on understanding the antecedents and consequences of information security behavior.

Information Security Behavior and Information Security Policy Compliance: A Systematic Literature Review for Identifying the Transformation Process from Noncompliance to Compliance

A grave concern to an organization’s information security is employees’ behavior when they do not value information security policy compliance (ISPC). Most ISPC studies evaluate compliance and noncompliance behaviors separately. However, the literature lacks a comprehensive understanding of the factors that transform the employees’ behavior from noncompliance to compliance. Therefore, we conducted a systematic literature review (SLR), highlighting the studies done concerning information security behavior (ISB) towards ISPC in multiple settings: research frameworks, research designs, and research methodologies over the last decade. We found that ISPC research focused more on compliance behaviors than noncompliance behaviors. Value conflicts, security-related stress, and neutralization, among many other factors, provided significant evidence towards noncompliance. At the same time, internal/external and protection motivations proved positively significant towards compliance behaviors. Employees perceive internal and external motivations from their social circle, management behaviors, and organizational culture to adopt security-aware behaviors. Deterrence techniques, management behaviors, culture, and information security awareness play a vital role in transforming employees’ noncompliance into compliance behaviors. This SLR’s motivation is to synthesize the literature on ISPC and ISB, identifying the behavioral transformation process from noncompliance to compliance. This SLR contributes to information system security literature by providing a behavior transformation process model based on the existing ISPC literature.

Personality and Employees’ Information Security Behavior among Generational Cohorts

The Big Five Factors Model (FFM) of personality traits theory was tested for its ability to explain employee information security behavior (EISB), when age, measured by generational cohort (GCOHORT), moderated the relationship between the independent variables (IVs) extraversion, agreeableness, conscientiousness, emotional stability, intellect (EACESI) and the dependent variable (DV), employees’ information security behavior (EISB) which is measured by file protection behavior (FPB). Three age groups defined GCOHORT: 52–70 years old (1946–1964, Baby Boomers), 36–51 yrs old (1965–1980, Generation X), and 18– 35 yrs. Old (1981–1998, Millennial). Results of hierarchical multiple regressions analyses revealed statistically significant relationships between overall personality traits, four individual factors of personality traits, and the DV (p < .05). However, contrary to expectations, GCOHORT did not moderate the relationship between any of the main IVs and the DV (p > .05). Recommendations for future research are offered.

The Cultural Foundation of Information Security Behavior

Past behavior research overwhelmingly focused on information security policy compliance and under explored the role of organizational context in shaping information security behaviors. To address this research gap, this study integrated two threads of literature: organizational culture, and information security behavior control, and proposed a framework that integrates mid-range theories used in empirical research, connects them to organizational culture, and predicts its role in information security behavior control. Consistent with the cultural-fit perspective, this framework shows that information security policy compliance fits hierarchical culture and the approach of promoting positive, proactive, and emerging information security behaviors fits participative culture. Contributions and practical implications of this framework, together with future research directions, are discussed.