Organizational Cybersecurity Journal: Practice, Process and People
Latest Publications


Total documents: 9 (five years: 9)

H-index: 0 (five years: 0)

Published By Emerald

2635-0270, 2635-0289

2021, Vol ahead-of-print (ahead-of-print)
Author(s): Patrick Sven Ulrich, Alice Timmermann, Vanessa Frank

Purpose: The starting point for the considerations the authors make in this paper are the special features of family businesses in the area of management discussed in the literature. It has been established here that family businesses sometimes choose different organizational setups than nonfamily businesses. This has not yet been investigated for cybersecurity. In the context of cybersecurity, there has been little theoretical or empirical work addressing the question of whether the qualitative characteristics of family businesses have an impact on the understanding of cybersecurity and the organization of cyber risk defense in the companies. Based on theoretically founded hypotheses, a quantitative empirical study was conducted in German companies.
Design/methodology/approach: The article is based on a quantitative-empirical survey of 184 companies, the results of which were analyzed using statistical-empirical methods.
Findings: The article asked – based on the subjective perception of cybersecurity and cyber risks – to what extent family businesses are sensitized to the topic and what conclusions they draw from it. An interesting tension emerges: family businesses see their employees more as a security risk, but do less than nonfamily businesses in terms of both training and organizational establishment. Whether this is due to a lack of technical or managerial expertise, or whether family businesses simply think they can prevent cybersecurity with less formal methods such as trust, is open to conjecture, but cannot be demonstrated with the research approach taken here. Qualitative follow-up studies are needed here.
Originality/value: This paper represents the first quantitative survey on cybersecurity with a specific focus on family businesses. It shows tension between awareness, especially of risks emanating from employees, and organizational routines that have not been implemented or established.


2021, Vol ahead-of-print (ahead-of-print)
Author(s): Kristina Gyllensten, Marianne Torner

Purpose: The aim of this study was to explore the organizational and social prerequisites for employees' participative and rule-compliant information security behaviour in Swedish nuclear power production and its related industry. These industries are high-risk activities that must be meticulously secured. Protecting the information security in the related organizations is an essential aspect of this.
Design/methodology/approach: Individual in-depth interviews were conducted with 24 employees in two organizations within the nuclear power industry in Sweden.
Findings: We found that prerequisites for employees' participative and rule-compliant information security behaviour could be categorized into structural, social and individual aspects. Structural aspects included well-adapted rules, knowledge support and resources. Social aspects included a supportive organizational culture, collaboration and adequate resources, and individual aspects included individual responsibility.
Originality/value: The qualitative approach of the study provided comprehensive descriptions of the identified preconditions. The results may thus enable organizations to better promote conditions important for information security in a high-risk industry.


2021, Vol ahead-of-print (ahead-of-print)
Author(s): Zareef Mohammed

Purpose: Data breaches are an increasing phenomenon in today's digital society. Despite the preparations an organization must take to prevent a data breach, it is still necessary to develop strategies in the event of a data breach. This paper explores the key recovery areas necessary for data breach recovery.
Design/methodology/approach: Stakeholder theory and three recovery areas (customer, employee and process recovery) are proposed as necessary theoretical lens to study data breach recovery. Three data breach cases (Anthem, Equifax, and Citrix) were presented to provide merit to the argument of the proposed theoretical foundations of stakeholder theory and recovery areas for data breach recovery research.
Findings: Insights from these cases reveal four areas of recovery are necessary for data breach recovery – customer recovery, employee recovery, process recovery and regulatory recovery.
Originality/value: These areas are presented in the data recovery areas model and are necessary for: (1) organizations to focus on these areas when resolving data breaches and (2) future data breach recovery researchers in developing their research in the field.


2021, Vol ahead-of-print (ahead-of-print)
Author(s): Kavya Sharma, Xinhui Zhan, Fiona Fui-Hoon Nah, Keng Siau, Maggie X. Cheng

Purpose: Phishing attacks are the most common cyber threats targeted at users. Digital nudging in the form of framing and priming may reduce user susceptibility to phishing. This research focuses on two types of digital nudging, framing and priming, and examines the impact of framing and priming on users' behavior (i.e. action) in a cybersecurity setting. It draws on prospect theory, instance-based learning theory and dual-process theory to generate the research hypotheses.
Design/methodology/approach: A 3 × 2 experimental study was carried out to test the hypotheses. The experiment consisted of three levels for framing (i.e. no framing, negative framing and positive framing) and two levels for priming (i.e. with and without priming).
Findings: The findings suggest that priming users to information security risks reduces their risk-taking behavior, whereas positive and negative framing of information security messages regarding potential consequences of the available choices do not change users' behavior. The results also indicate that risk-averse cybersecurity behavior is associated with greater confidence with the action, greater perceived severity of cybersecurity risks, lower perceived susceptibility to cybersecurity risks resulting from the action and lower trust in the download link.
Originality/value: This research shows that digital nudging in the form of priming is an effective way to reduce users' exposure to cybersecurity risks.


2021, Vol ahead-of-print (ahead-of-print)
Author(s): Miftachul Huda

Purpose: This paper aims to examine the professional skills and ethical values balanced to generate policies and procedures with significant guidance to give insights into systematic control of integrating simultaneous integrity between the use and maintenance in digital-based recordkeeping.
Design/methodology/approach: The investigation was conducted using keywords responsibilities engagement, professional and ethical balance, and records management. Descriptive analysis was applied with the initiative on integrating, evaluating and interpreting the findings of multiple types of research from recent grounded theory.
Findings: The finding reveals that determining the potential value of foregoing effort to provide an ultimate application guideline as a counter measure against the emerging challenges of the dynamic records management system needs to adopt appropriate professional and ethical empowerment across the procedural stage in underlying the demand and the response with the express purpose of promoting appropriate and wise usage for the sustainable positive benefit of responsibilities on recording management.
Originality/value: As a pivotal role in determining the potential value of foregoing effort as aimed in this paper, the initiative to provide an ultimate application guideline as a counter measure against the emerging challenges of the dynamic records management system needs to bring along with urging for an appropriate professional and ethical empowerment across the procedural stage proposed referring to the demand and the response with the express purpose of promoting appropriate and wise usage for the sustainable positive benefit of responsibilities on recording management.


2021, Vol ahead-of-print (ahead-of-print)
Author(s): Botong Xue, Feng Xu, Xin Luo, Merrill Warkentin

Purpose: A growing number of studies have investigated the effect of ethical leadership on behavioral outcome of employees. However, considering the important role of ethics in IS security, the security literature lacks a theoretical and empirical investigation of the relationship between ethical leadership and employees' security behavior, such as information security policy (ISP) violation. Drawing on social learning and social exchange theories, this paper empirically tests the impact of ethical leadership on employees' ISP violation intention through both information security climate (i.e. from a moral manager's perspective) and affective commitment (i.e. from a moral person's perspective).
Design/methodology/approach: The research was developed based on social learning theory and social exchange theory. To measure the variables in the model, the authors used and adapted measurement items from previous studies. The authors conducted a scenario-based survey with 339 valid responses to test and validate the research model.
Findings: Results indicated that information security climate fully mediates the relationship between ethical leadership and ISP violation intention. The authors also found that information security climate enhances the negative effect of affective commitment on ISP violation intention.
Originality/value: This research contributes to the literature of information security by introducing the role of ethical leadership and integrating two theories into our research model. This study also calls attention to how information security climate and affective commitment mediate the relationship between ethical leadership and employees' ISP violation intention. The theory-driven study provides important pragmatic guidance for enhancing the understanding of the importance of ethical leadership in information systems security research.


2021, Vol ahead-of-print (ahead-of-print)
Author(s): Karen Renaud, Jacques Ophoff

Purpose: There is widespread concern about the fact that small- and medium-sized enterprises (SMEs) seem to be particularly vulnerable to cyberattacks. This is perhaps because smaller businesses lack sufficient situational awareness to make informed decisions in this space, or because they lack the resources to implement security controls and precautions.
Design/methodology/approach: In this paper, Endsley’s theory of situation awareness was extended to propose a model of SMEs’ cyber situational awareness, and the extent to which this awareness triggers the implementation of cyber security measures. Empirical data were collected through an online survey of 361 UK-based SMEs; subsequently, the authors used partial least squares modeling to validate the model.
Findings: The results show that heightened situational awareness, as well as resource availability, significantly affects SMEs’ implementation of cyber precautions and controls.
Research limitations/implications: While resource limitations are undoubtedly a problem for SMEs, their lack of cyber situational awareness seems to be the area requiring most attention.
Practical implications: The findings of this study are reported and recommendations were made that can help to improve situational awareness, which will have the effect of encouraging the implementation of cyber security measures.
Originality/value: This is the first study to apply the situational awareness theory to understand why SMEs do not implement cyber security best practice measures.


2021, Vol ahead-of-print (ahead-of-print)
Author(s): Molly Cooper, Yair Levy, Ling Wang, Laurie Dringus

Purpose: This study introduces the concept of audiovisual alerts and warnings as a way to reduce phishing susceptibility on mobile devices.
Design/methodology/approach: This study has three phases. The first phase included 32 subject matter experts that provided feedback toward a phishing alert and warning system. The second phase included development and a pilot study to validate a phishing alert and warning system prototype. The third phase included delivery of the Phishing Alert and Warning System (PAWS™ mobile app) to 205 participants. This study designed, developed, as well as empirically tested the PAWS™ mobile app that alerted and warned participants to the signs of phishing in emails on mobile devices.
Findings: The results of this study indicated audio alerts and visual warnings potentially lower phishing susceptibility in emails. Audiovisual warnings appeared to assist study participants in noticing phishing emails more easily and in less time than without audiovisual warnings.
Practical implications: This study's implications to mitigation of phishing emails are key, as it appears that alerts and warnings added to email applications may play a significant role in the reduction of phishing susceptibility.
Originality/value: This study extends the existing information security body of knowledge on phishing prevention and awareness by using audiovisual alerts and warnings to email recipients tested in real-life applications.

