Behavioral Information Security: Defining the Criterion Space

The success of information security appears to depend in part upon the effective behavior of the individuals involved in its use. Appropriate and constructive behavior by end users, system administrators, and others can enhance the effectiveness of information security while inappropriate and destructive behaviors can substantially inhibit its effectiveness. The present research focuses on “behavioral information security” which is defined as the complexes of human action that influence the availability, confidentiality, and integrity of information systems. Because research in this area is so new, in the present in study we focused on delineating and understanding the behavioral domain. Our goal for this study was to construct and test a taxonomy of information security behaviors. We expect that this knowledge can support later research efforts that focus on understanding the antecedents and consequences of information security behavior.

Behavioral Information Security

The effectiveness of information security can be substantially limited by inappropriate and destructive human behaviors within an organization. As recent critical security incidents have shown, successful insider intrusions induce a fear of repeated disruptive behaviors within organizations, and can be more costly and damaging than outsider threats. Today, employees compose the majority of end-users. The wide variety of information that they handle in a multitude of work and non-work settings brings new challenges to organizations and drives technological and managerial change. Several areas of studies such as behavioral information security, information security governance and social engineering to name a few, have emerged in an attempt to understand the phenomena and suggest countermeasures and responses. This paper starts by defining behavioral information security and provides examples of security behaviors that have an impact on the overall security of an organization. Threats’ mitigations are then depicted followed by future trends.