Similar literature
1.
Organisations increasingly rely on information and related systems, which are also a source of risk. Unfortunately, employees represent the greatest risk to organisational information because they are the most frequent source of information security breaches. To address this ‘weak link’ in organisational security, most organisations have strict information security policies (ISPs) designed to thwart employee information abuses. Regrettably, these ISPs are only partially effective because employees often ignore them, circumvent them or even do the opposite of what management desires. Research on attempts to increase ISP compliance has produced similarly mixed results. Lack of compliance with ISPs is a widespread organisational issue that increasingly bears disproportionately large direct and qualitative costs that undermine strategy. Consequently, the purpose of our study was to contribute to the understanding of both motivations to comply with new ISPs and motivations to react negatively against them. To do so, we proposed an innovative model, the control‐reactance compliance model (CRCM), which combines organisational control theory – a model that explains ISP compliance – with reactance theory – a model used to explain ISP noncompliance. To test CRCM, we used a sample of 320 working professionals in a variety of industries to examine the likely organisational outcomes of the delivery of a new ISP to employees in the form of a typical memo sent throughout an organisation. We largely found support for CRCM, and this study concludes with an explanation of the model's contributions to research and practice related to organisational ISP compliance.

2.
This paper establishes a causation analysis theory and a causation analysis model for information security incidents, and applies the causation model to analyse two major information security incidents of recent years. We believe that a scientific and in-depth analysis of major information security incidents can help improve information security supervision.

3.
"Information Theory" is a foundational specialised course in communication engineering, information security and related programmes at home and abroad; it is characterised by numerous concepts, abstract theory and complex mathematical derivations. In view of the talent-training requirements of the information security programme and the characteristics of its students, this paper explores targeted reforms of teaching methods: selecting teaching content oriented to the needs of the discipline; strengthening links with previously studied courses in line with students' learning characteristics; highlighting the theoretical structure so as to guide students in building a knowledge tree; and designing strongly discipline-specific teaching cases that match the application needs of the programme.

4.
Cyberspace security is an interdisciplinary field spanning computer science and technology, information and communication engineering, control science and engineering, cryptography and other disciplines, with a clear and deep disciplinary content. This paper gives a definition of cyberspace security, proposes a hierarchical model of cyberspace security, and systematically reviews the main research problems and related technologies faced at the device, system, data and application layers by the eight major research areas of the current cyberspace security discipline, including information security, information confidentiality, information countermeasures, cloud security, big data, Internet of Things security, mobile security and trusted computing. It provides guidance and reference for further refining the technical system and disciplinary directions of cyberspace security.

5.
This paper describes ACTEN, a conceptual model for the design of security systems. Security information is represented by action-entity pairs and organized into a framework composed of graphs and tables. The rules permitting the building and management of this framework are introduced. The model describes both static and dynamic aspects of the security system; in fact, it shows the access modalities between objects in the system and the evolution of such modalities due to grant and revocation of rights within the security system. ACTEN also allows the identification of the authority and protection level of each component of the system. The tools for this analysis are introduced and an example is given.

6.
The resource based view of firms is used to explore how information system (IS) competencies affect process innovation in an organization. Data was collected through a case study of two process innovations at a healthcare firm in the United States. The findings illustrate how six IS competencies – Knowledge Management, Collaboration, Project Management, Ambidexterity, IT/Innovation Governance, Business-IS Linkages – can differentially affect the conception, development and implementation of process innovations. Implications for researchers and practitioners are drawn from these conclusions and suggestions for further research are proposed.

7.
The advent of the Internet heralded predictions that e-learning would transform and disrupt teaching practices in higher education. E-learning also promised to expand opportunities for lifelong and flexible learning, and offered a panacea for practical issues such as decreased funding and increasing student numbers.

8.
Organizations and individuals are increasingly impacted by misuses of information that result from security lapses. Most of the cumulative research on information security has investigated the technical side of this critical issue, but securing organizational systems has its grounding in personal behavior. The fact remains that even with implementing mandatory controls, the application of computing defenses has not kept pace with abusers’ attempts to undermine them. Studies of information security contravention behaviors have focused on some aspects of security lapses and have provided some behavioral recommendations such as punishment of offenders or ethics training. While this research has provided some insight on information security contravention, it leaves incomplete our understanding of the omission of information security measures among people who know how to protect their systems but fail to do so. Yet carelessness with information and failure to take available precautions contribute to significant civil losses and even to crimes. Explanatory theory to guide research that might help to answer important questions about how to treat this omission problem lacks empirical testing. This empirical study uses protection motivation theory to articulate and test a threat control model to validate assumptions and better understand the “knowing-doing” gap, so that more effective interventions can be developed.

9.
Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with information security efforts and compares it against the mindset of information security professionals. Interviews were conducted with 22 ordinary insiders and 11 information security professionals, an effort that provides insight into how insiders gauge the efficacy of recommended responses to information security threats. Several key differences between insiders’ and professionals’ security mindsets are also discussed.

10.
Although non-IT employees have received considerable attention in security research, IT employees have received scant attention, even though they might be very different to non-IT employees. To address this gap, we developed a model based on protection motivation theory, deterrence theory and the theory of reasoned action. We conducted a quantitative survey of IT employees to determine which factors influenced their information security behavioural intentions. Although sometimes contrary to findings regarding non-IT employees, the influential factors were self-efficacy and the perceived impact of a potential event, with cues to action exerting a significant influence on that perceived impact. These results have significant academic and practical implications.

11.
This paper highlights the importance of protecting an organization's vital business information assets by investigating several fundamental considerations that should be taken into account in this regard. Based on this, it is illustrated that information security should be a priority of executive management, including the Board and CEO, and should therefore commence as a corporate governance responsibility. This paper, therefore, argues that there is a need to integrate information security into corporate governance through the development of an information security governance (ISG) framework. This paper further proposes such a framework to aid an organization in its ISG efforts.

12.
Existing risk assessment methods and models do not, in their design, adequately account for the influence of the risk assessment activity itself on the assessment results, and awareness that the act of risk assessment may itself introduce safety risks is also seriously lacking. To address this problem, this paper first builds a STAMP model of risk assessment behaviour, uses the STPA analysis method to perform a safety analysis of that behaviour, constructs a safety indicator system for risk assessment behaviour from the STAMP model, and applies an improved AHP method to screen out the important indicator factors. The proposed indicator system focuses on the emergent properties of the system as a whole rather than the reliability of individual components and, starting from the causes that lead to system safety accidents or hazardous states, offers a more effective approach to constructing a safety indicator system.

13.
This study analyzes the determinants of information security that influence the adoption of Web-based integrated information systems (IIS) by government agencies in Peru. The study introduces Web-based information systems designed to formulate strategic plans for the Peruvian government. A theoretical model is proposed to test the impact of organizational factors such as deterrent efforts, severity efforts, and preventive efforts and individual factors such as perceived information security threats and security awareness on intentions to use Web-based IIS. The empirical results indicate that deterrent efforts and deterrent severity have no significant influence on use intentions of IIS, whereas preventive efforts play an important role in such intentions. Information security awareness and perceived information security threats as individual factors have a significant effect on intentions to use the system. This suggests that organizations should implement preventive efforts by introducing various information security solutions, and improve information security awareness while reducing perceived information security threats.  相似文献   

14.
Research on an information security risk assessment method based on multi-attribute group decision theory
Information security risk assessment is an important component of information system security engineering and the foundation and prerequisite for building an information system security architecture. To address the difficulty of quantifying risk values and the strong influence of subjective factors in information system security assessment, this paper proposes an assessment method based on the OWGA (ordered weighted geometric averaging) and CWGA (combined weighted geometric averaging) operators of multi-attribute group decision theory. The method solves the problem of assigning weights to the attributes of assessment elements, and the introduction of group decision theory improves the accuracy and objectivity of the risk assessment. A case analysis shows that the method is reasonable and effective and offers a new approach to information system security risk assessment. The method is also well suited to guiding security engineering practice and the development of assessment software systems.

15.
Many claim that the security model developed by Bell and LaPadula and used as a basis for numerous prototype military computer systems is superior to others partly because its authors prove a ‘Basic Security Theorem’ that applies to it. This paper shows that the theorem does not support such claims since it can be proven for security models that are obviously not secure. Further, the theorem provides little help to those who design and implement secure systems.

16.
To trust a computer system that is supposed to be secure, it is necessary to predict the degree to which the system’s security level can be achieved when operating in a specific environment under cyber attacks. In this paper, we propose a state-based stochastic model for obtaining quantitative security metrics representing the level of a system’s security. The main focus of the study is on how to model the progression of an attack process over time. The basic assumption of our model is that the time parameter plays the essential role in capturing the nature of an attack process. In practice, the attack process will terminate successfully, possibly after a number of unsuccessful attempts. What is important is, indeed, the estimation of how long it takes to be conducted. The proposed stochastic model is parameterized based on a suitable definition of time distributions describing attacker’s actions and system’s reactions over time. For this purpose, probability distribution functions are defined and assigned to transitions of the model for characterizing the temporal aspects of the attacker and system behavior. With the definition of the distributions, the stochastic model will be recognized to be a semi-Markov chain. This mathematical model will be analytically solved to calculate the desirable quantitative security metrics, such as mean time to security failure and steady-state security. The proposed method shows a systematic development of the stochastic modeling techniques and concepts, used frequently in the area of dependability evaluation, for attack process modeling. Like any other modeling method, the proposed model is also constructed based on some underlying assumptions, which are specific to the context of security analysis.

17.
We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state‐based affective constructs, namely, positive and negative mood states and episodic, security‐related work‐impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day‐to‐day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience‐sampling methodology design, in which employees completed daily surveys over a 2‐week period, followed by a hierarchical linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason‐based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

18.
We proposed and empirically tested a mediating model for examining the effects of multilevel sanctions on preventing information security violations in the workplace. The results of the experiment suggested that personal self-sanctions and workgroup sanctions have significant deterrent effects on employee security violations, but that the effect of organizational sanctions becomes insignificant when the other two types of sanctions are taken into account. Theoretically, the study pointed out the importance of personal self-sanctions and informal workgroup sanctions. Practically, our results suggested that an “influencing” strategy may be more effective than an “enforcing” one in information security management.

19.
Explaining the influence of management leadership on employees' information security behaviour is an important focus in information systems research and for companies and organizations. Unfortunately, the role of leadership has remained largely unexplored in the information security context. Our study addresses this gap in the literature: how the dimensions of full‐range leadership influence employees' intended information security behaviour. Consequently, our study takes an interactional psychology perspective and links the dimensions of the full‐range model of leadership to employees' security compliance intention and security participation intention. We tested our multitheoretical model using Smart PLS 3.2.7 on a proprietary data set of 322 professionals in more than 14 branches throughout different regions worldwide. Our study contributes to the literature on information security, management, and leadership by exploring how and why different leadership styles enhance employees' intended information security behaviour. Our empirical findings emphasize the importance of transformational leaders because they are capable of directly influencing employees on the extra‐role and in‐role behaviour levels. Our results indicate new directions for information security and leadership research and implications for leadership practices.

20.
Despite the dominant discourses on the important role of entrepreneurial leadership in firms' development, related theoretical and empirical studies are still lacking in the environmental management area. Adopting upper echelons theory, this study develops a moderated mediation model that examines how entrepreneurial leadership affects the adoption of green innovation (GI) through organizational learning culture and how environmental dynamism moderates the mediating effect. This theoretical model is tested using a sample of 248 Chinese firms. Findings support the positive impact of entrepreneurial leadership on GI and the mediating role of organizational learning culture. The moderated mediation path analysis shows that environmental dynamism moderates the indirect effect of entrepreneurial leadership on GI via organizational learning culture. Overall, this study adds to entrepreneurship and environmental management scholarship by providing novel insights into the key role of entrepreneurial leadership in embracing GI.
