Analyzing the role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs

An assessment of the role of cultural factors in information security awareness

2011 Information Security for South Africa, 2011

An information security awareness program is regarded as an important instrument in the protection of information assets. In this study, the traditional approach to an information security awareness program is extended to include possible cultural factors relating to people from diverse backgrounds. The human factor, consisting of two closely related dimensions, namely knowledge and behaviour, plays a significant role in

A System Dynamics Model of Cognitive Beliefs and Factors Influencing Computer Users' Information Security Behaviour

African Conference on Information Systems, 2017

To protect systems and data the adoption of information security is important, with the human factor playing a significant role in ensuring positive security behaviour. This paper adopts system dynamics and the theory of planned behaviour as a lens to analyse computer users' information security behaviour. It explores the positive and negative loop effects of cognitive beliefs as factors that influence the behaviour. This focuses on a user-centred, as opposed to a technology-centred, approach to motivating behaviour. The analysis shows how behavioural beliefs inform perceived benefits or drawbacks of adopting security measures and consequently determine attitude towards information security. Normative beliefs are influenced by social pressure or people perceived to be important and consequently determine subjective norms towards information security. Control beliefs are shaped by the perceived ease or difficulty of adopting security measures, which consequently determine perceived behavioural control towards information security. Changing cognitive beliefs and factors define a user's intention and, subsequently, the adoption of information security measures. A model revealing the complex interplay is developed, providing a view of the beliefs and factors influencing information security behaviour. An understanding of beliefs and factors can be used to design an effective information security awareness program to keep users motivated to adopt security measures.

Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

http://aisel.aisnet.org/misq/vol34/iss3/9/

Many organizations recognize that their employees, who are often considered the weakest link in information security, can also be great assets in the effort to reduce risk related to information security. Since the key is employees who comply with the information security rules and regulations of the organization, understanding compliance behavior is crucial for organizations that want to leverage their human capital to strengthen information security. This research identifies the antecedents of employee compliance with the information security policy (ISP) of an organization. Specifically, we investigate the rationality-based factors that drive an employee to comply with requirements of the ISP with regard to protecting the organization's information and technology resources. Drawing on the theory of planned behavior, we posit that, along with normative belief and self-efficacy, an employee's attitude toward compliance determines intention to comply with the ISP. As a key contribution, we posit that an employee's attitude is influenced by benefit of compliance, cost of compliance, and cost of noncompliance, which are beliefs about the overall assessment of consequences of compliance or noncompliance. We then postulate that these beliefs are shaped by the employee's outcome beliefs concerning the events that follow compliance or noncompliance: benefit of compliance is shaped by intrinsic benefit, safety of resources, and rewards; cost of compliance is shaped by work impediment; and cost of noncompliance is shaped by intrinsic cost, vulnerability of resources, and sanctions. We also investigate the impact of information security awareness (ISA) on outcome beliefs and an employee's attitude toward compliance with the ISP. Our results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply. Outcome beliefs significantly affect beliefs about overall assessment of consequences, and they, in turn, significantly affect an employee's attitude. Furthermore, ISA positively affects both attitude and outcome beliefs. As the importance of employees' following their organizations' information security rules and regulations increases, our study sheds light on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.

Information Security Awareness in the Insurance Sector: Cognitive and Internal Factors and Combined Recommendations

Information, 2024

Cybercrime is currently rapidly developing, requiring an increased demand for information security knowledge. Attackers are becoming more sophisticated and complex in their assault tactics. Employees are a focal point since humans remain the ‘weakest link’ and are vital to prevention. This research investigates what cognitive and internal factors influence information security awareness (ISA) among employees, through quantitative empirical research using a survey conducted at a Dutch financial insurance firm. The research question of “How and to what extent do cognitive and internal factors contribute to information security awareness (ISA)?” has been answered, using the theory of situation awareness as the theoretical lens. The constructs of Security Complexity, Information Security Goals (InfoSec Goals), and SETA Programs (security education, training, and awareness) significantly contribute to ISA. The most important research recommendations are to seek novel explaining variables for ISA, further investigate the roots of Security Complexity and what influences InfoSec Goals, and venture into qualitative and experimental research methodologies to seek more depth. The practical recommendations are to minimize the complexity of (1) information security topics (e.g., by contextualizing it more for specific employee groups) and (2) integrate these simplifications in various SETA methods (e.g., gamification and online training).

Effectiveness of information security awareness methods based on psychological theories

AFRICAN JOURNAL OF BUSINESS MANAGEMENT, 2011

An effective user security awareness campaign can greatly enhance the information assurance posture of an organization. Information security includes organizational aspects, legal aspects, institutionalization and the application of best practices in addition to security technologies. User awareness represents a significant challenge in the security domain, with the human factor ultimately being the element that is exploited in a variety of attack scenarios. An information security awareness program is a critical component of any organization's strategy. In contrast to other information security awareness work, which mostly explains methods and techniques for raising information security awareness, this paper discusses and evaluates the effectiveness of different information security awareness tools and techniques on the basis of psychological theories and models. Finally, it describes how to measure information security awareness in an organization.

WHAT INFLUENCES INFORMATION SECURITY BEHAVIOR? A STUDY WITH BRAZILIAN USERS

JISTEM - Journal of Information Systems and Technology Management, 2016

The popularization of software to mitigate Information Security threats can produce an exaggerated notion about its full effectiveness in the elimination of any threat. This situation can result in reckless user behavior, increasing vulnerability. Based on behavioral theories, a theoretical model and hypotheses were developed to understand the extent to which human perception of threat, control and disgruntlement can induce responsible behavior. A self-administered questionnaire was created and validated. The data were collected in Brazil, and complementary results regarding similar studies conducted in the USA were found. The results show that there is an influence of information security orientations provided by organizations on the perception of the severity of the threat. The relationship between threat, effort, control and disgruntlement, and responsible behavior towards information security was verified through linear regression. The results also point out the significant influence of the analyzed construct on Safe Behavior. The contributions involve relatively new concepts in the field and a new research instrument as well. For practitioners, this study highlights the importance of Perceived Severity and Perceived Susceptibility in the formulation of the content of Information Security awareness guidelines within organizations. Moreover, users' disgruntlement with the organization, colleagues or superiors is a factor to be considered in awareness programs.

Risk Communication, Risk Perception and Information Security

This paper puts forward the view that an individual's perception of the risks associated with information systems determines the likelihood and extent to which she or he will engage in risk-taking behaviour when using a computer. It is suggested that this behaviour can be manipulated by framing a communication concerning information system risk in a particular manner. In order to achieve major effectiveness in getting an information security message across to a computer user, this paper discusses and demonstrates how his or her individual cognitive style should be considered when framing the risk message. It then follows that if the risk-taking behaviour of computer users becomes less risky due to an increase in the level of perceived risk, then the level of information security increases.

Full text at Springer; may require registration or fee.

IJERT-A Conceptual Model To Understand Information Security Awareness

International Journal of Engineering Research and Technology (IJERT), 2014

https://www.ijert.org/a-conceptual-model-to-understand-information-security-awareness

https://www.ijert.org/research/a-conceptual-model-to-understand-information-security-awareness-IJERTV3IS080428.pdf

Information technology plays an important role in everyday lives and it affects the status of information security. The commonly used meaning of information security in the literature is the preservation of confidentiality, integrity and availability. The main aim of the research is to examine information security awareness and influence information security culture through awareness before applying it to any organization. Information security awareness provides some kind of safeguard for our information from outside attack. Most security incidents occur due to the negligence and unawareness of users. It is important for all employees in society to keep awareness of information security at a higher level. Generally, a few users with poor awareness and many users with rich awareness of information security exist in society. End-users' attitude and the evaluation of information security policy are the two important factors in raising information security awareness. The success of project management within an organization requires security awareness. This paper proposes an information security awareness model (ISAM) which analyzes and identifies the most common events related to information security awareness and categorizes these events as low-level, mid-level, and high-level.

Speak their Language: Designing Effective Messages to Improve Employees’ Information Security Decision Making

Decision Sciences, 2018

Employee disinterest in information security remains one of the greatest impediments to effective information security management programs. How can organizations enhance the persuasiveness of the information security messages used to warn employees of threats and encourage employees to take specific actions to improve their security? We use fear appeal theory and the elaboration likelihood model to argue that security messages presented using more personally relevant language are more likely to induce employees to engage in the recommended protective security behaviors. Our strategy uses organization identification theory to segment employees into two groups and then develops security messages that use language aligned with each of the two segments. We tested this strategy within a large U.S. organization, and found that employees were more likely to consider and act upon messages that used language aligned with their organizational identification than messages using languag...

Computer Security Behavior and Awareness: An Empirical Case Study

International Journal on Perceptive and Cognitive Computing, 2019

The purpose of this study is to investigate students' behavior towards information security and test critical factors that affect its awareness; it was carried out among the undergraduate students of An-Najah National University, Palestine. Previous studies have shown that end-users present the weakest link in the security chain. Attacks on computer systems are continuously becoming serious problems, which raises interest among researchers. In achieving the goal of this study, survey data from 80 university students were collected and analyzed using SPSS to examine the theoretical model. It is hoped that the outcome of this study will contribute to developing a proper understanding of the factors influencing the behavior of university students towards information security. Additionally, it is anticipated that the findings of this study will lead to more awareness programs that can be used to promote privacy and security protection behaviors of informat...