A neo-institutional perspective on the establishment of information security knowledge sharing practices

Information security knowledge sharing (ISKS) among an organization's employees is vital to the organization's ability to protect itself from any number of prevalent threats, yet for many organizations, their ability to establish ISKS practices is hampered by a lack of understanding of where and how the key drivers of these practices will emerge. Based on neoinstitutional theory and a multi-study field survey of 834 professional managers in the USA, we develop and test a model that explains the establishment of ISKS practices in an organization as a product of the institutional forces abut to the organization providing normative, mimetic, and coercive influences on top management beliefs and participations in ISKS. Our findings also emphasize the importance of establishing ISKS practices for ensuring employee compliance with information security policies and an effective culture of security. Prior research has shown the importance of institutional forces on organizational processes as well as the importance of ISKS to organizational security efforts. However, this study is one of the early studies to provide insight into the manner, in which institutional forces hold sway over the people responsible for establishing the ISKS practices of a firm; insight that it is essential for firms that have yet to establish such practices or have struggled in their attempts to do so.     

Information security – Professional perceptions of knowledge-sharing intention under self-efficacy,trust, reciprocity,and shared-language

Knowledge sharing is an important component of knowledge management systems. Security knowledge sharing substantially reduces risk and investment in information security. Despite the importance of information security, little research based on knowledge sharing has focused on the security profession. Therefore, this study analyses key factors, containing attitude, self-efficacy, trust, norm of reciprocity, and shared language, in respect of the information security workers intention to share knowledge. Information security professionals in virtual communities, including the Information Security Professional Association (ISPA), Information Systems Security Association (ISSA), Society of Information Risk Analysts (SIRA), and LinkedIn security groups, were surveyed to test the proposed research model. Confirmatory factor analysis (CFA) and the structural equation modelling (SEM) technique were used to analyse the data and evaluate the research model. The results showed that the research model fit the data well and the structural model suggests a strong relationship between attitude, trust, and norms of reciprocity to knowledge sharing intention. Hypotheses regarding the influence of self-efficacy and reciprocity, to knowledge sharing attitude were upheld. Shared language did not influence either the attitude or intention to share knowledge.     

Exploring the effects of organizational justice,personal ethics and sanction on internet use policy compliance

Internet security risks, the leading security threats confronting today's organizations, often result from employees' non‐compliance with the internet use policy (IUP). Extant studies on compliance with security policies have largely ignored the impact of intrinsic motivation on employees' compliance intention. This paper proposes a theoretical model that integrates an intrinsic self‐regulatory approach with an extrinsic sanction‐based command‐and‐control approach to examine employees' IUP compliance intention. The self‐regulatory approach centers on the effect of organizational justice and personal ethical objections against internet abuses. The results of this study suggest that the self‐regulatory approach is more effective than the sanction‐based command‐and‐control approach. Based on the self‐regulatory approach, organizational justice not only influences IUP compliance intention directly but also indirectly through fostering ethical objections against internet abuses. This research provides empirical evidence of two additional effective levers for enhancing security policy compliance: organizational justice and personal ethics.     

The impact of leadership on employees' intended information security behaviour: An examination of the full‐range leadership theory

Explaining the influence of management leadership on employees' information security behaviour is an important focus in information systems research and for companies and organizations. Unfortunately, the role of leadership has remained largely unexplored in the information security context. Our study addresses this gap in literature: how the dimensions of full‐range leadership influence employees' intended information security behaviour. Consequently, our study takes an interactional psychology perspective and links the dimensions of the full‐range model of leadership to employees' security compliance intention and security participation intention. We tested our multitheoretical model using Smart PLS 3.2.7 on a proprietary data set of 322 professionals in more than 14 branches throughout different regions worldwide. Our study contributes to the literature on information security, management, and leadership by exploring how and why different leadership styles enhance employees' intended information security behaviour. Our empirical findings emphasize the importance of transformational leaders because they are capable of directly influencing employees on the extra‐role and in‐role behaviour levels. Our results indicate new directions for information security and leadership research and implications for leadership practices.     

Age as a moderator of attitude towards technology in the workplace: work motivation and overall job satisfaction

Given the prevalence of technology in the workplace, an understanding of employees' attitudes towards technology is essential. Such attitudes have been linked to such important issues as the successful implementation of new technologies in the workplace, employee intent to use technology, and the actual usage of technology by employees. As a result of the rapidly aging workforce, and because age has been linked to computer use and comfort, it is important to examine the relationship that may exist between age and attitudes towards technology. This study examines age as a moderator of 612 employees' attitudes towards technology in relation to work motivation (intrinsic and extrinsic) and overall job satisfaction. Further, given the technological socialisation of the Generation X (Gen X) versus the Baby Boomers, our sample comprised these two demographics. Hierarchical moderated multiple regression indicates age moderates the relationship between attitude towards technology and intrinsic motivation, extrinsic motivation, and to a lesser extent, overall job satisfaction. In each instance, older employees exhibit the strongest relationships with the outcome variables when possessing a high attitude towards technology. In contrast, older employees exhibit the weakest relationships when possessing a low attitude towards technology. These results are supportive of the moderating effect of age on attitude towards technology. Lastly, implications and directions for future research are discussed.     

A longitudinal investigation of continued online shopping behavior: An extension of the theory of planned behavior

The purpose of this study is to propose an extended model of Theory of Planned Behavior (TPB) by incorporating constructs drawn from the model of Expectation Disconfirmation Theory (EDT) and to examine the antecedents of users’ intention to continue using online shopping (continuance intention). Prior research has demonstrated that TPB constructs, including attitude, subjective norm, and perceived behavioral control, are important factors in determining the acceptance and use of various information technologies. These factors, however, are insufficient to explain a user's continuance intention in the online shopping context. In this study we extended TPB with two EDT constructs—disconfirmation and satisfaction—for studying users’ continuance intention in the online shopping context. By employing longitudinal method with two-stage survey, we empirically validated the proposed model and research hypotheses.     

A study of Facebook Groups members’ knowledge sharing

There have been many studies focusing on individuals’ knowledge sharing behavior in the organizational setting. With the rapid prevalence of social networking sites, many people began to express their thoughts or share their knowledge via Facebook website. Facebook is an open environment which does not provide any immediate monetary benefits to its users. Its Groups members’ knowledge sharing behavior could be different from the ones in organizations. We proposed a research model to examine factors which promote the Facebook Groups users’ willingness to share knowledge. The factors in the study include extrinsic motivation, social and psychological forces, and social networking sharing culture. We used PLS to test our proposed hypotheses based on 271 responses collected through an online survey. Our results indicated that reputation would affect knowledge sharing attitude of Groups members and sense of self-worth would directly and indirectly (through subjective norm) affect the attitude. In addition, social networking sharing culture (fairness, identification, and openness) is the most significant factor, not only directly affecting knowledge sharing intention, but also indirectly influencing the sharing intention through subjective norm and knowledge sharing attitude.     

Security services as coping mechanisms: an investigation into user intention to adopt an email authentication service

Email plays an important role in the digital economy but is threatened by increasingly sophisticated cybercrimes. A number of security services have been developed, including an email authentication service designed to cope with email threats. It remains unknown how users perceive and evaluate these security services and consequently form their adoption intention. Drawing on the Technology Acceptance Model and Technology Threat Avoidance Theory, this paper investigates the factors that affect user intention to adopt an email authentication service. Our results show that user intention to adopt an email security service is contingent upon users' perception of risk and evaluation of both internal and external coping strategies. This study contributes to research in security service adoption, service success and design, and information security behaviour.     

Factors That Influence Employees’ Security Policy Compliance: An Awareness-Motivation-Capability Perspective

Information security policy (ISP) plays an important role in information security management in organizations. Past research investigated various factors that may impact employee behavior toward security policy compliance from the perspective of general deterrence theory (GDT), protection and motivation Theory (PMT), and rational choice theory (RCT). However, there is no unifying foundation/framework that examines all of those factors in a harmonic way so that the research findings can guide information security practices and research into the employee ISP compliance management context. Additionally, prior findings provided mixed results. This study proposes a research model based on the awareness-motivation-capability (AMC) framework, aiming to unify the factors to predict employee ISP compliance intention. We believe that a harmonic approach in managing employee ISP compliance can create optimal outcomes.     

On the Anatomy of Human Hacking

ABSTRACT

Human hacking is a nontechnical kind of intrusion that relies heavily on human manipulation. Its impact is continuously giving serious concern in the Information technology arena which has often been undermined due to the ease with which this technique is widely used to infiltrate networks through unsuspecting individuals that are undeniably considered the “weakest link” in the security circle. Security awareness that brings about behavioral change, reduces employees' vulnerability, and protects against threats exploiting employees' vulnerability having a positive impact overall on risks related to information assets. Strategies for developing and implementing a successful information security awareness program are presented in this article, which also provides an introduction to the subject of human hacking while discussing the various counter-measures available to minimize the likelihood of such occurrences and their financial, reputation, psychological, and legal ramifications.     

An investigation of volitional control in information ethics

The main motivation of our research is how the issue of volitional control might affect the application of the Theory of Planned Behaviour (TPB) to research decisions related to information ethics. Specifically, a TPB-based model provides the best fit to the sample collected for the present study. In this model, the contribution of both the attitude and perceived behavioural control to the intention is shown to fluctuate depending upon the degree of volitional control concerning the targeted behaviour. As the behaviour's degree of volitional control lessens, the weighted influence of perceived behavioural control increases and that of the attitude decreases. Thus, it is confirmed that degree of volitional control concerning an ethical act indeed plays a central role in applying the Theory of Planned Behaviour to information ethics research.     

An analysis of multiple factors relating to teachers' problematic information security behavior

Given the high Internet penetration rate and the huge repository of data stored online, there is a growing trend urging people to utilize data. However, the potential for the malicious use of data disclosed online necessitates attention. Risky information security behavior often leads to damage. Previous research has focused on information security behavior in the workplace; however, there has been little research on teachers' perceptions of their own information security behavior, in particular for teachers in primary and secondary education. For students at this age, their teachers can serve as models. Through understanding teachers' information security behavioral intentions and related protection motivation, we can design training programs for teachers and hence increase teachers' as well as students' normative judgment with regard to information security behavior. The purpose of this research is to explore those factors that relate to teachers' information security behavior as grounded in Protection Motivation Theory. Additionally, the construct of social norms was incorporated based on several studies. Overall, we wish to examine how perceived severity, vulnerability, response-efficacy, self-efficacy, response costs and social norms related to teachers' problematic information security behavior. Structural equation modeling was implemented to analyze the relationships. The results and implications are presented.     

Dealing with digital traces: Understanding protective behaviors on mobile devices

With increasingly digitization, more and more information is collected from individuals and organizations, leading to several privacy concerns. These risks are further heightened in the mobile realm as data collection can occur continuously and ubiquitously. When individuals use their own devices in work settings, these issues become concerns for organization as well. The question then is how to ensure individuals perform proper information protection behaviors on mobile devices. In this research, we develop a model of mobile information protection based on an integration of the Theory of Planned Behavior and the information privacy literature to explore the antecedents of the attitude of individuals towards sharing information on their mobile devices, their intentions to use protective settings, and their actual practices. The model is tested with data from 228 iPhone users. The results indicate that mobile information protection intention leads to actual privacy settings practice, and that attitude towards information sharing and mobile privacy protection self-efficacy affect this intention. Determinants of attitude towards information sharing include mobile privacy concern and trust of the mobile platform. Finally, prior invasion experience is related to privacy concern. These findings provide insights into factors that can be targeted to enhance individuals’ protective actions to limit the amount of digital information they share via their smartphones.     

The effects of knowledge mechanisms on employees' information security threat construal

Organisations implement a variety of knowledge mechanisms such as information security education, training and awareness (SETA) programs and information security policies, to influence employees' secure behaviour. Despite increased efforts to provide information systems (IS) security knowledge to employees, data breaches and other security incidents resulting from insider behaviour continue. Recent IS security research, primarily grounded on assumptions of employees' rational assessment of numerous factors, has yielded inconsistent results. Challenging this paradigm, we model secure behaviour on security knowledge mechanisms, which focuses on the multidimensional nature of security knowledge breadth, depth and finesse to represent the full array of managerial levers. We further draw on construal level theory to conceptualise users' perceptual judgements of security messages. Two studies support our model, with the second building on the first. Study 1, an experiment with 312 participants, focused on validating the treatments. Study 2, a survey with 219 participants, validated the entire model. Results showed that our model has significantly more explanatory and predictive power than the orthodox paradigm. Our results have practical implications for optimising the organisation of knowledge mechanisms by emphasising the personal relevance of threats and defining the factors that lead to secure behaviour. We also contribute to the discourse on information security research and provide a template for integrating theories, thus opening new avenues for future research.     

Understanding user motivation for evaluating online content: a self-determination theory perspective

In a digital society, people have access to all kinds of electronic information as online users. They have also contributed various content for exchanging ideas in the online community, which has not only extended the traditional knowledge sharing channels, but has also led to concerns about content quality and reliability. The literature suggests that user involvement in collaboratively evaluating the quality of online content for an online community is likely to be an effective means to ease these concerns. However, the understanding of users' intentions to be willing to take part in evaluating online content is still limited. Based on self-determination theory, this study proposes a research model to understand the extrinsic motivation of the user intention. The research model was tested using data collected from 303 participants who were recruited from online communities. The results show that three types of extrinsic motivation, namely identified motivation, introjected motivation, and external motivation, play an important role in user intention of collaboratively evaluating online content. In addition, the research findings suggest that user satisfaction of the three basic psychological needs of autonomy, competence, and relatedness influences different types of extrinsic motivation.     

Employees’ adherence to information security policies: An exploratory field study

The key threat to information security comes from employees who do not comply with information security policies. We developed a new multi-theory based model that explained employees’ adherence to security policies. The paradigm combines elements from the Protection Motivation Theory, the Theory of Reasoned Action, and the Cognitive Evaluation Theory. We validated the model by using a sample of 669 responses from four corporations in Finland. The SEM-based results showed that perceived severity of potential information security threats, employees’ belief as to whether they can apply and adhere to information security policies, perceived vulnerability to potential security threats, employees’ attitude toward complying with information security policies, and social norms toward complying with these policies had a significant and positive effect on the employees’ intention to comply with information security policies. Intention to comply with information security policies also had a significant impact on actual compliance with these policies. High level managers must warn employees of the importance of information security and why it is necessary to carry out these policies. In addition, employees should be provided with security education and hands on training.     

Organizational Data Breach: Building Conscious Care Behavior in Incident Response

Organizational and end user data breaches are highly implicated by the role of information security conscious care behavior in respective incident responses. This research study draws upon the literature in the areas of information security, incident response, theory of planned behaviour, and protection motivation theory to expand and empirically validate a modified framework of information security conscious care behaviour formation. The applicability of the theoretical framework is shown through a case study labelled as a cyber-attack of unprecedented scale and sophistication in Singapore’s history to-date, the 2018 SingHealth data breach. The single in-depth case study observed information security awareness, policy, experience, attitude, subjective norms, perceived behavioral control, threat appraisal and self-efficacy as emerging prominently in the framework’s applicability in incident handling. The data analysis did not support threat severity relationship with conscious care behaviour. The findings from the above-mentioned observations are presented as possible key drivers in the shaping information security conscious care behaviour in real-world cyber incident management.     

Impact of Users’ Security Awareness on Desktop Security Behavior: A Protection Motivation Theory Perspective

This article uses the protection motivation theory to study the impact of information security awareness on desktop security behavior. It contributes to the literature by examining the roles played by awareness, an important antecedent to the cognitive processes in the protection motivation theory. The findings indicate that security awareness significantly affects perceived severity, response efficacy, self-efficacy, and response cost. Constructs in the coping appraisal process (except response cost), in turn, significantly impact recommended security behavior.     

Factors influencing the adoption of internet banking: An integration of TAM and TPB with perceived risk and perceived benefit

Online banking (Internet banking) has emerged as one of the most profitable e-commerce applications over the last decade. Although several prior research projects have focused on the factors that impact on the adoption of information technology or Internet, there is limited empirical work which simultaneously captures the success factors (positive factors) and resistance factors (negative factors) that help customers to adopt online banking. This paper explores and integrates the various advantages of online banking to form a positive factor named perceived benefit. In addition, drawing from perceived risk theory, five specific risk facets – financial, security/privacy, performance, social and time risk – are synthesized with perceived benefit as well as integrated with the technology acceptance model (TAM) and theory of planned behavior (TPB) model to propose a theoretical model to explain customers’ intention to use online banking. The results indicated that the intention to use online banking is adversely affected mainly by the security/privacy risk, as well as financial risk and is positively affected mainly by perceived benefit, attitude and perceived usefulness. The implications of integrating perceived benefit and perceived risk into the proposed online banking adoption model are discussed.     

The effect of work ethic on employees' individual innovation behavior

The present study examines the previously untested effect of work ethic on individual innovation behavior. These entrenched personal values that may remain unaffected by organizational constitution are suggested to shape a person's inclination to engage in innovative action. Deploying partial least squares (PLS) structural equation modeling (SEM), we show that being self‐reliant and time‐efficient positively influences employees' innovation behavior, while an attitude toward hard work and leisure has a negative impact. Moreover, self‐reliance, leisure orientation, and centrality of work are positively moderated by fair salary, a specific form of relational reward that previously has been identified as an antecedent of motivation. The work at hand thus contributes to extant research by enhancing knowledge about the antecedents of innovative behavior, showing that inherent work‐related values matter. As such, the study demonstrates the importance of considering the linkage of personal differences and motivational factors when examining the complex processes of individual innovation behavior.