Similar literature
 Found 20 similar documents; search took 15 ms
1.
Information security has become increasingly important to organizations. Despite the prevalence of technical security measures, individual employees remain the key link – and frequently the weakest link – in corporate defenses. When individuals choose to disregard security policies and procedures, the organization is at risk. How, then, can organizations motivate their employees to follow security guidelines? Using an organizational control lens, we build a model to explain individual information security precaution-taking behavior. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of ‘mandatoriness,’ which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organizational management. We find that the acts of specifying policies and evaluating behaviors are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is effective in motivating individuals to take security precautions, thus if individuals believe that management watches, they will comply.

2.
A survey containing 18 ethical scenarios involving teleworkers, their managers, and the organizations that employ them illustrates teleworking's challenge to the issues of trust, time versus quality, and the definition of what work entails. New corporate policies that support all stakeholders will help resolve these issues and achieve telework's proven benefits.

3.
Employees’ failure to comply with IS security procedures is a key concern for organizations today. A number of socio-cognitive theories have been used to explain this. However, prior studies have not examined the influence of past and automatic behavior on employee decisions to comply. This is an important omission because past behavior has been assumed to strongly affect decision-making. To address this gap, we integrated habit (a routinized form of past behavior) with Protection Motivation Theory (PMT), to explain compliance. An empirical test showed that habitual IS security compliance strongly reinforced the cognitive processes theorized by PMT, as well as employee intention for future compliance. We also found that nearly all components of PMT significantly impacted employee intention to comply with IS security policies. Together, these results highlighted the importance of addressing employees’ past and automatic behavior in order to improve compliance.

4.
The growth of social media has crossed the boundary from individual to organizational use, bringing with it a set of benefits and risks. To mitigate these risks and ensure the benefits of social media use are realized, organizations have developed a host of new policies, procedures, and hiring practices. However, research to date has yet to provide a comprehensive view on the nature of risk associated with the use of social media by organizations. Using a multi-panel Delphi approach consisting of new entrants to the workforce, certified human resource professionals, and certified Information Technology auditors, this study seeks to understand organizational social media risk. The results of the Delphi panels are compared against a textual analysis of 40 social media policies to provide a comprehensive view of the current state of social media policy development. We conclude with directions for future research that may guide researchers interested in exploring social media risk in organizations.

5.
An expert system in ethical organizational administration is a new and appropriate venture for workers in artificial intelligence. The positive relationship between knowledge and belief along with the inextricable connection of fact to value set the general systems design for this modeling process. The premises of general systems theory dictate the modeling of an holistic ethical system. The pattern of the holistic ethical system of Orthodox Christianity is used to design the flow diagram of the decision-making and judgment-making processes in ethical thought. There are seven symbolic propositions that detail these ethical processes. With the public language of the United States being secular, four Orthodox Christian ethical principles were transformed from their biblical and theological language into four university ethical policies using secular language. The writer's future design of computer software will confirm or deny the wisdom of this approach to modeling an ethical system.

6.
The protection of customer privacy is a fundamental issue in today’s corporate marketing strategies. Not surprisingly, many research efforts have proposed new privacy-aware technologies. Among them, Hippocratic databases offer mechanisms for enforcing privacy rules in database systems for inter-organizational business processes (also known as virtual organizations). This paper extends these mechanisms to allow for hierarchical purposes, distributed authorizations and minimal disclosure supporting the business processes of virtual organizations that want to offer their clients a number of ways to fulfill a service. Specifically, we use a goal-oriented approach to analyze privacy policies of the enterprises involved in a business process. On the basis of the purpose hierarchy derived through a goal refinement process, we provide algorithms for determining the minimum set of authorizations needed to achieve a service. This allows us to automatically derive access control policies for an inter-organizational business process from the collection of privacy policies associated with different participating enterprises. By using effective on-line algorithms, the derivation of such minimal information can also be done on-the-fly by the customer wishing to access a service. This is an expanded and revised version of [20].

7.
As the end of the 1990s draws ever closer, organizations are “making the dash to the year 2000 finish line.” Unfortunately, this is no small task. Moreover, the year 2000 concerns of many organizations will not end on January 1, 2000. Systems failures will inevitably occur, and experts predict that the year 2000 (Y2K) problem will lead to numerous lawsuits costing enterprises vast sums of money. With the rise of litigation, it is likely that ethical questions will also be raised about organizations' handling of their year 2000 problems. Among the relevant ethical issues that will be considered is did system developers and their organizations have an ethical obligation to address the year 2000 problem? This question is of great importance whether the developers work for in-house information systems (IS) departments or for software and hardware vendor organizations. This paper takes a detailed look at this issue. This paper also focuses special attention on a typology of factors, derived from models of ethical decision making, that have served to inhibit or facilitate organizational responses to the year 2000 problem. The goal of this analysis is to recognize and remove the obstacles that remain to an effective Y2K response, so that organizations can not only become year-2000-ready, but also become better prepared to ethically, technically, and effectively manage their information assets. In so doing, organizations will be pursuing the prudent, ethical course of action that minimizes their legal exposure, and protects the long-term interests of their stakeholders.

8.
Drawing on previous research in ethical behavior in information technology, this study examines the effects of group discussion, using virtual teams, on an individual’s intention to behave ethically/unethically. It was hypothesized that behavioral intention would be influenced by an individual’s attitude (toward ethical behavior), personal normative beliefs, ego strength, locus of control, perceived importance, gender and the scenario, and that computer-mediated group discussion would impact an individual’s ethical behavioral intention. This was tested through an experiment using five different ethical scenarios involving information technology. The results show that for two of the five scenarios, individual behavioral intention was significantly more unethical after computer-mediated group discussion than before, while for one scenario, individual behavioral intention was significantly more ethical after computer-mediated group discussion than before. The results of this study may help organizations to develop realistic training programs for IT professionals that account for changes in employees’ personal ethical models after interacting with others.

9.
This paper introduces two models on procedures and safety and assesses the practical consequences these have for organizations trying to make progress on safety through procedures. The application of procedures is contrasted as rote rule following versus substantive cognitive activity. It reveals a fundamental double bind: operators can fail to adapt procedures when adapting proved necessary, or attempt procedural adaptations that may fail. Rather than simply increasing pressure to comply, organizations should invest in their understanding of the gap between procedures and practice, and help develop operators' skill at adapting.

10.
Are unethical e-service providers more tolerant of disloyal users? Only a few studies have been done on the attitude of the e-service providers who behave unethically. This research intends to fill this gap in current literature. We identify two different perspectives, behavior consistency and ethical reciprocity, in explaining the attitude of e-service providers towards their users who have breached the service contracts. We further investigate such attitude in respect of the perceived mutual commitment between these providers and their users. We test our propositions by a survey on financial e-service providers and our findings support the perspective of ethical reciprocity.

11.
Internet security risks, the leading security threats confronting today's organizations, often result from employees' non‐compliance with the internet use policy (IUP). Extant studies on compliance with security policies have largely ignored the impact of intrinsic motivation on employees' compliance intention. This paper proposes a theoretical model that integrates an intrinsic self‐regulatory approach with an extrinsic sanction‐based command‐and‐control approach to examine employees' IUP compliance intention. The self‐regulatory approach centers on the effect of organizational justice and personal ethical objections against internet abuses. The results of this study suggest that the self‐regulatory approach is more effective than the sanction‐based command‐and‐control approach. Based on the self‐regulatory approach, organizational justice not only influences IUP compliance intention directly but also indirectly through fostering ethical objections against internet abuses. This research provides empirical evidence of two additional effective levers for enhancing security policy compliance: organizational justice and personal ethics.

12.
Forecasting the behavior of variables (e.g., economic, financial, physical) is of strategic value for organizations, which helps to sustain practical interest in the development of alternative models and resolution procedures. This paper presents a non-linear model that combines radial basis functions and the ARMA(p, q) structure. The optimal set of parameters for such a model is difficult to find. In this paper, a scatter search meta-heuristic is used to find this optimal set. Five time series are analyzed to assess and illustrate the pertinence of the proposed meta-heuristic method.

13.
Employee attitudes toward computer technology change over time. As computer technology becomes increasingly more prevalent throughout society and throughout the educational process, appreciative and critical attitudes toward the technology change. Understanding these attitudes can help organizations develop appropriate strategies to improve organizational effectiveness. Entry-level employees often present the greatest challenge for assimilation into the organization. Because today's student becomes tomorrow's entry-level employee, an examination of today's students to determine the appreciative and critical attitudes of future employees can prove beneficial in making modifications to organizational policies and procedures.

14.
Information security culture develops in an organization due to certain actions taken by the organization. Management implements information security components, such as policies and technical security measures with which employees interact and that they include in their working procedures. Employees develop certain perceptions and exhibit behavior, such as the reporting of security incidents or sharing of passwords, which could either contribute or be a threat to the securing of information assets. To inculcate an acceptable level of information security culture, the organization must govern information security effectively by implementing all the required information security components. This article evaluates four approaches towards information security governance frameworks in order to arrive at a complete list of information security components. The information security components are used to compile a new comprehensive Information Security Governance framework. The proposed governance framework can be used by organizations to ensure they are governing information security from a holistic perspective, thereby minimising risk and cultivating an acceptable level of information security culture.

15.
Conformance testing procedures for generating tests from the finite state model representation of Role-Based Access Control (RBAC) policies are proposed and evaluated. A test suite generated using one of these procedures has excellent fault detection ability but is astronomically large. Two approaches to reduce the size of the generated test suite were investigated. One is based on a set of six heuristics and the other directly generates a test suite from the finite state model using random selection of paths in the policy model. Empirical studies revealed that the second approach to test suite generation, combined with one or more heuristics, is most effective in the detection of both first-order mutation and malicious faults and generates a significantly smaller test suite than the one generated directly from the finite state models.

16.
Ethical issues related to information systems are important to the information technology (IT) professionals. These issues are also significant for organizations and societies. Although considerable literature on IT and related ethical issues exists, a review of this literature has found little empirical research on ethical practices within the government and private sector organizations. Therefore, the objective of this paper is to draw inferences regarding such practices currently in these sectors. The research results indicate a significant correlation between the code of ethics and the attitude of professionals towards the unethical use of software in government and private sector organizations. These also indicate significant differences in government and private sectors.

17.
Many software maintenance organizations are currently attempting to improve their maintenance processes. Using empirical studies to drive and quantify such improvements is more rare, but can be seen at some organizations. During the International Workshop on Empirical Studies of Software Maintenance (WESS96), a group of people who were using empirical studies formed a panel to discuss the barriers to and successes of using such studies. This paper is a summary of that panel's discussion. As such, it uses the experiences of the participants to show that a significant amount of empirical research on industrial projects has been completed. It discusses the results of several of these studies, and their factors for success. The paper also describes key barriers that inhibit the use of empirical research in maintenance process improvement in practice and presents a set of ideas on potential areas for further empirical research in an industrial setting. This revised version was published online in July 2006 with corrections to the Cover Date.

18.
With the development of policy management systems, policy-based management has been introduced in cross-domain organization collaborations and system integrations. Theoretically, cross-domain policy enforcement is possible, but in reality different systems from different organizations or domains have very different high-level policy representations and low-level enforcement mechanisms, such as security policies and privacy configurations. To ensure the compatibility and enforceability of one policy set in another domain, a simulation environment is needed prior to actual policy deployment and enforcement code development. In most cases, we have to manually write enforcement codes for all organizations or domains involved in every collaboration activity, which is a huge task. The goal of this paper is to propose an enforcement architecture and develop a simulation framework for cross-domain policy enforcement. The entire environment is used to simulate the problem of enforcing policies across domain boundaries when permanent or temporary collaborations have to span multiple domains. The middleware derived from this simulation environment can also be used to generate policy enforcement components directly for permanent integration or temporary interaction. This middleware provides various functions to enforce policies automatically or semi-automatically across domains, such as collecting policies of each participant domain in a new collaboration, generating policy models for each domain, and mapping specific policy rules following these models to different enforcement mechanisms of participant domains.

19.
A recent survey shows that most people access computer resources without the benefit of clear standards of ethical and legal behavior in the MIS environment. This uninformed access leaves the organization - which is the legal custodian of computer data and software - susceptible to theft of resources and privacy and copyright violations as well as legal prosecution from law enforcement authorities. This article describes a survey of a cross section of MIS personnel and other system users in business, academia, and law enforcement and analyzes its results in the context of the current legal and ethical environment. It also suggests several remedies for reducing an organization's exposure to computer crime.

20.
This paper presents the pan-European EGEE Grid focusing on aspects such as production infrastructure, the management tools and the operational services offered. Usage statistics and the provided Quality of Service are analysed to assess the maturity level, the current penetration of Grid technologies in Europe and the current expansion trends. EGEE being a large distributed infrastructure, operations are a joint effort of different regional centres with central coordination. EGEE operations rely on a common and agreed set of procedures, policies and interfaces, which are the foundation of operational services such as middleware deployment, Grid oversight, accounting, operational security management and support. A transition is in place to lead EGEE to a more sustainable approach based on a set of integrated National Grid Initiatives. With the support of the EGI-InSPIRE project the EGEE e-infrastructure and its services will migrate into a new governance model for the future sustainability of Grids in Europe.
