Similar literature
 20 similar documents found (search time: 31 ms)
1.
Explaining the influence of management leadership on employees' information security behaviour is an important focus in information systems research and for companies and organizations. Unfortunately, the role of leadership has remained largely unexplored in the information security context. Our study addresses this gap in literature: how the dimensions of full‐range leadership influence employees' intended information security behaviour. Consequently, our study takes an interactional psychology perspective and links the dimensions of the full‐range model of leadership to employees' security compliance intention and security participation intention. We tested our multitheoretical model using Smart PLS 3.2.7 on a proprietary data set of 322 professionals in more than 14 branches throughout different regions worldwide. Our study contributes to the literature on information security, management, and leadership by exploring how and why different leadership styles enhance employees' intended information security behaviour. Our empirical findings emphasize the importance of transformational leaders because they are capable of directly influencing employees on the extra‐role and in‐role behaviour levels. Our results indicate new directions for information security and leadership research and implications for leadership practices.

2.
The growth of social media has crossed the boundary from individual to organizational use, bringing with it a set of benefits and risks. To mitigate these risks and ensure the benefits of social media use are realized, organizations have developed a host of new policies, procedures, and hiring practices. However, research to date has yet to provide a comprehensive view on the nature of risk associated with the use of social media by organizations. Using a multi-panel Delphi approach consisting of new entrants to the workforce, certified human resource professionals, and certified Information Technology auditors, this study seeks to understand organizational social media risk. The results of the Delphi panels are compared against a textual analysis of 40 social media policies to provide a comprehensive view of the current state of social media policy development. We conclude with directions for future research that may guide researchers interested in exploring social media risk in organizations.

3.
4.
Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with information security efforts and compares it against the mindset of information security professionals. Interviews were conducted with 22 ordinary insiders and 11 information security professionals, an effort that provides insight into how insiders gauge the efficacy of recommended responses to information security threats. Several key differences between insiders’ and professionals’ security mindsets are also discussed.

5.

As recent cyber-attacks have been increasing exponentially, the importance of security training for employees has also become greater than ever before. In addition, it is suggested that security training and education be an effective method for discerning cyber-attacks within academia and industries. Despite the importance and the necessity of the training, prior studies did not investigate the quantitative utility of security training at an organizational level. Due to the absence of referential studies, many firms are having trouble making decisions with respect to arranging optimal security training programs with limited security budgets. The main objective of this study is to find out a relationship between cybersecurity training and the number of incidents of organizations. Thus, this study quantified the effectiveness of security training on security incidents as the first study. This research examined the relationship among three main factors, namely education time, education participants, and outsourcing, with numbers of cybersecurity incidents. 7089 firm level data is analyzed through Poisson regression method. Based on analysis results, we found a negative relationship between security trainings and the occurrence of cybersecurity incidents. This study sheds light on the role of security training and education by suggesting its positive association with reducing the number of incidents in organizations from the quantitative perspective. The result of this study can be used as a referential guide for information security training decision-making procedure in organizations.

6.
Internal computer abuse has received considerable research attention as a significant source of IS security incidents in organizations. We examine the effects of both organizational and individual factors on individuals’ computer abuse intent. A theoretical model is developed based on two theories: abuse opportunity structure and emotion process. We empirically tested the model with 205 working professionals. We found that the abuse opportunity structure in organizations affects an individual's goal conduciveness, which in turn affects their abuse-positive affect. We also found that morality affects the abuse-positive affect, which in turn mediates the relationship between morality and abuse intent.

7.
Regression testing is a well-established practice in software development, but in recent years it has seen a change of status and emphasis with the increasing popularity of agile methods, which stress the central role of regression testing in maintaining software quality. The objectives of this article are to investigate regression testing strategies in agile development teams and identify the factors that can influence the adoption and implementation of this practice. We have used a mixed methods approach to our research, beginning with an analysis of the literature to identify research themes related to the adoption of regression testing techniques under agile methodologies, from which we developed an analytical framework for the study. This was followed by three exploratory case studies that we used to exercise the main elements of the framework, develop some key themes of interest, and devise a questionnaire for the final stage of the study, an on-line survey to explore the main issues identified in the case studies across different contexts. Within our specific sample, our results suggest that organizational maturity is a key factor in effective regression testing practices and that the adoption of such practices is helped by a coherent testing philosophy and change management processes. We also found that the return on investment in automated regression testing was positive for our respondents and that adopting these practices in the context of agile methods had been a relatively painless process for the organizations in our survey. We conclude that investing in regression testing tools and processes is likely to be beneficial for organizations. However, further work is needed in assessing how organizational culture impacts on the quality process and the financial outcomes for commercial software development organizations.

8.
9.
In the current business environment, many organizations use popular standards such as the ISO 27000x series, COBIT, and related frameworks to protect themselves against security incidents. However, these standards and frameworks are overly complicated for small to medium-sized enterprises, leaving these organizations with no easy to understand toolkit to address their security needs. This research builds upon the recent Information Security Focus Area Maturity (ISFAM) model for SME information security as a cornerstone in the development of an assessment tool for tailor-made, fast, and easy-to-use information security advice for SMEs. By performing an extensive literature review and evaluating the results with security experts, we propose the Characterizing Organizations’ Information Security for SMEs (CHOISS) model to relate measurable organizational characteristics in four categories through 47 parameters to help SMEs distinguish and prioritize which risks to mitigate.

10.
Retaining skilled professionals is a critical concern for organizations because employee turnover can affect the quality of service provided by the organization and create considerable expense. Using a framework of social exchange theory, this study develops a model to investigate the interrelationships between turnover intentions, organizational commitment, and constructs of particular importance to information technology (IT) professionals. Field survey data from a large US federal agency empirically test these associations. The results confirm that IT professionals’ perceptions of their skill obsolescence, work overload, and the fairness of the rewards they receive directly influence their organizational commitment. Furthermore, their organizational commitment, perceived work overload, and fairness of rewards significantly affect turnover intention. Employees’ commitment toward the organization is an essential mediator between the perception that their skills are becoming obsolete and intention to leave the organization. Implications of these results for literature and practice are discussed.

11.
The continuous information security failures in organizations have led focus toward organizational culture. It is argued that the development of culture of information security would subsequently lead to a secure organization. However, limited studies have been conducted to understand information security culture. This study aims to understand information security culture and its impact on success with information security efforts in an organization. The research model is based on the theory of primary message systems, which is an established theory from the anthropology discipline. We followed a mixed-methods research design involving two phases of the study. In the first phase, 25 semi-structured interviews with experienced cybersecurity practitioners were conducted to develop the research model. The second phase empirically validated the research model using survey data from 473 participants who completed a web-based survey in Southeast USA from multiple companies. For data analysis, we employed Partial Least Squares - Structural Equation Modeling using SmartPLS. Our findings indicate that group cohesiveness, professional code, information security awareness, and informal work practices have significant influence on information security culture. Further, the security culture has positive impact on information security success perception. The contribution of this research lies in establishing the role of security culture and information security awareness in contributing toward information security success.

12.
Internet security risks, the leading security threats confronting today's organizations, often result from employees' non‐compliance with the internet use policy (IUP). Extant studies on compliance with security policies have largely ignored the impact of intrinsic motivation on employees' compliance intention. This paper proposes a theoretical model that integrates an intrinsic self‐regulatory approach with an extrinsic sanction‐based command‐and‐control approach to examine employees' IUP compliance intention. The self‐regulatory approach centers on the effect of organizational justice and personal ethical objections against internet abuses. The results of this study suggest that the self‐regulatory approach is more effective than the sanction‐based command‐and‐control approach. Based on the self‐regulatory approach, organizational justice not only influences IUP compliance intention directly but also indirectly through fostering ethical objections against internet abuses. This research provides empirical evidence of two additional effective levers for enhancing security policy compliance: organizational justice and personal ethics.

13.
Modern organizations rely on passwords for preventing illicit access to valuable data and resources. A well designed password policy helps users create and manage more effective passwords. This paper offers a novel model and tool for understanding, creating, and testing password policies. We present a password policy simulation model which incorporates such factors as simulated users, accounts, and services. This model and its implementation enable administrators responsible for creating and managing password policies to test them before giving them to actual users. It also allows researchers to test how different password policy factors impact security, without the time and expense of actual human studies. We begin by presenting our password policy simulation model. We next discuss prior work and validate the model by showing how it is consistent with previous research conducted on human users. We then present and discuss experimental results derived using the model.

14.
Abstract. Information system (IS) security continues to present a challenge for executives and professionals. A large part of IS security research is technical in nature with limited consideration of people and organizational issues. The study presented in this paper adopts a broader perspective and presents an understanding of IS security in terms of the values of people from an organizational perspective. It uses the value-focused thinking approach to identify 'fundamental' objectives for IS security and 'means' of achieving them in an organization. Data for the study were collected through in-depth interviews with 103 managers about their values in managing IS security. Interview results suggest 86 objectives that are essential in managing IS security. The 86 objectives are organized into 25 clusters of nine fundamental and 16 means categories. These results are validated by a panel of seven IS security experts. The findings suggest that for maintaining IS security in organizations, it is necessary to go beyond technical considerations and adopt organizationally grounded principles and values.

15.
ABSTRACT

Modern organizations face significant information security threats, to which they respond with various managerial techniques. It is widely believed that “one size does not fit all” for achieving employee information security policy compliance; nevertheless, it is yet to be determined which techniques work best to different organizational employees. We further this research stream by finding that different levels of users might be effectively motivated by different types of coercive and empowering techniques that are suitable to their level and position in the organizational chart. Our results suggest that participation in the ISP decision-making process might prove to be a more effective approach to motivate lower-level employees toward compliance and that enhancing the meaningfulness of policy compliance could be the preferred method among higher levels of management. Members within each level of the organization can be effectively influenced to comply with ISPs when such strategies are customized for their level.

16.
A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave in order to prevent, detect, and respond to security incidents. However, this growing (and at times, conflicting) body of research has made it challenging for researchers and practitioners to comprehend the current state of knowledge on the formation, implementation, and effectiveness of security policies in organizations. Accordingly, the purpose of this paper is to synthesize what we know and what remains to be learned about organizational information security policies, with an eye toward a holistic understanding of this research stream and the identification of promising paths for future study. We review 114 influential security policy-related journal articles and identify five core relationships examined in the literature. Based on these relationships, we outline a research framework that synthesizes the construct linkages within the current literature. Building on our analysis of these results, we identify a series of gaps and draw on additional theoretical perspectives to propose a revised framework that can be used as a basis for future research.

17.
Research on technological aspects of information security risk is a well-established area and familiar territory for most information security professionals. The same cannot be said about the economic value of information security investments in organisations. While there is an emerging research base investigating suitable approaches measuring the value of investments in information security, it remains difficult for practitioners to identify key approaches in current research. To address this issue, we conducted a systematic literature review on approaches used to evaluate investments in information security. Following a defined review protocol, we searched several databases for relevant primary studies and extracted key details from the identified studies to answer our research questions. The contributions of this work include: a comparison framework and a catalogue of existing approaches and trends that would help researchers and practitioners navigate existing work; categorisation and mapping of approaches according to their key elements and components; and a summary of key challenges and benefits of existing work, which should help focus future research efforts.

18.
Modern organizations and even nations are increasingly dependent on information systems (IS) security, and their economic prosperity is strongly linked to innovation. Do these two important issues also relate one to another, and how? Can some lessons be learned that are important not only to security professionals but also to organizational and other important systems managing decision makers? Assuming that the answer is yes, how can we deploy innovation techniques to further improve IS security? Because this interdisciplinary area has not been addressed so far, this article presents one of the first attempts to address it on the basis of statistically relevant data on a national and international scale. It provides experimental results that imply some important statistical interdependencies that call for further study and also identifies systemic limitations, including those that exist on the European Union scale, that should be addressed to enable progress in this area.

19.
Open source software (OSS) is an important trend in the information technology adoption landscape. It has received considerable attention in the scientific literature, but mostly in the professional press. In fact, there is much debate over its actual commercial and organizational value. Since the public discourse accompanying an IT may influence adoption decisions, it is important to consider IT specialists’ perceptions of the discourse on OSS. In this study, we investigated the relationship between IT specialists’ profiles, IT specialists’ reception of the public discourse on OSS, and their organizations’ receptivity to OSS. Drawing on the socio-cognitive perspective of IT innovation adoption and the organizing vision theory, a survey of 271 IT specialists was conducted to examine these issues. Our results indicate that a majority of IT specialists in our sample are rather neutral about the OSS concept conveyed in the public discourse. However, our sample also comprises respondents with more extreme perceptions who can be classified as either supporters or detractors. Our results indicate that detractors have more years of experience but have been less exposed to OSS than supporters, and that IT specialists’ perceptions of the OSS concept are positively associated with their organizations’ openness to OSS adoption and, to a lesser extent, with the existence of an organizational policy that favors OSS adoption. Altogether, our findings provide strong support for the organizing vision theory and the idea that the popularity of an IT innovation concept favors the adoption of the material IT innovation in organizations. By providing a preliminary test of a nomological network of IT specialists’ perceptions of the OSS concept, our study offers insights as to why organizations may or may not take OSS into account in their software procurement decisions.

20.
Research has extensively investigated the rationale of firm diversity from the economic perspective, but little is known about how such a strategy may affect information security. The present study is the first to examine how firm diversity is relevant to firms’ likelihood to experience data breaches (i.e., data breach risk). Drawing from the strands of literature on information security, diversification, and resource-based view, we propose hypotheses on the relationship between firm diversity and data breach risk, as well as the boundary conditions of this relationship. On the basis of a twelve-year sample of publicly-listed firms, our analysis provides evidence to support the negative association between firm diversity and data breach risk. Our analysis also delineates conditions under which the effects of firm diversity can intervene to reduce the data breach risk invoked, such as under related diversity and when managers are managerially capable. For academics, our research accentuates an intriguing but unexamined benefit of firm diversity because it relates to information security. For practicing professionals, this research highlights the significant impact of firms’ operational structure on information security.
