| 1. |
- Kajtazi, Miranda, 1983-, et al.
(author)
-
Information Security Policy Compliance : An Empirical Study on Escalation of Commitment
- 2013
-
In: 19th Americas Conference on Information Systems (AMCIS 2013). - Red Hook, N.Y. : Curran Associates, Inc.. - 9781629933948 ; , s. 2011-2020
-
Conference paper (peer-reviewed)abstract
- This study aims to facilitate a new understanding on employees’ attitude towards compliance with the requirements of their information security policy (ISPs) through the lens of escalation. Escalation presents a situation in which employees must decide whether to persist in or withdraw from a non-performing task. Drawing on the Theory of Planned Behavior (TPB) and Agency Theory, our model delineates three mediating factors in explaining attitude: work impediment, information asymmetry, and safety of resources. We also propose information security awareness as an independent variable having an indirect effect on attitude through mediating factors. The proposed model is tested using the data collected from 376 employees working in the banking industry. The results of the PLS analyses show that while information asymmetry and safety of resources have significant impacts on attitude, work impediment does not. The results also show that ISA has significant impact on all three mediating factors.
|
|
| 2. |
- Kolkowska, Ella, et al.
(author)
-
Analyzing information security goals
- 2012
-
In: Threats, countermeasures, and advances in applied information security. - : IGI Global. - 9781466609785 ; , s. 91-110
-
Book chapter (peer-reviewed)
|
|
| 3. |
- Rocha Flores, Waldo, et al.
(author)
-
Information security knowledge sharing in organizations : Investigating the effect of behavioral information security governance and national culture
- 2014
-
In: Computers & security (Print). - : Elsevier. - 0167-4048 .- 1872-6208. ; 43, s. 90-110
-
Journal article (peer-reviewed)abstract
- This paper presents an empirical investigation on what behavioral information security governance factors drives the establishment of information security knowledge sharing in organizations. Data was collected from organizations located in different geographic regions of the world, and the amount of data collected from two countries – namely, USA and Sweden – allowed us to investigate if the effect of behavioral information security governance factors on the establishment of security knowledge sharing differs based on national culture.The study followed a mixed methods research design, wherein qualitative data was collected to both establish the study’s research model and develop a survey instrument that was distributed to 578 information security executives. The results suggest that processes to coordinate implemented security knowledge sharing mechanisms have a major direct influence on the establishment of security knowledge sharing in organizations; the effect of organizational structure (e.g., centralized security function to develop and deploy uniform firm-wide policies, and use of steering committees to facilitate information security planning) is slightly weaker, while business-based information security management has no significant direct effect on security knowledge sharing. A mediation analysis revealed that the reason for the non-significant direct relation between business-based information security management and security knowledge sharing is the fully mediating effect of coordinating information security processes. Thus, the results disentangles the interrelated influences of behavioral information security governance factors on security knowledge sharing by showing that information security governance sets the platform to establish security knowledge sharing, and coordinating processes realize the effect of both the structure of the information security function and the alignment of information security management with business needs.A multigroup analysis identified that national culture had a significant moderating effect on the association between four of the six proposed relations. In Sweden – which is seen as a less individualist, feminine country – managers tend to focus their efforts on implementing controls that are aligned with business activities and employees’ need; monitoring the effectiveness of the implemented controls, and assuring that the controls are not too obtrusive to the end user. On the contrary, US organizations establish security knowledge sharing in their organization through formal arrangements and structures. These results imply that Swedish managers perceive it to be important to involve, or at least know how their employees cope with the decisions that have been made, thus favoring local participation in information security management, while US managers may feel the need to have more central control when running their information security function.The findings suggest that national culture should be taken into consideration in future studies – in particular when investigating organizations operating in a global environment – and understand how it affects behaviors and decision-making.
|
|
| 4. |
- Metalidou, Efthymia, et al.
(author)
-
The Human Factor of Information Security : Unintentional Damage Perspective
- 2014
-
In: Procedia - Social and Behavioral Sciences. - : Elsevier. ; , s. 424-428
-
Conference paper (peer-reviewed)abstract
- It is widely acknowledged that employees of an organization are often a weak link in the protection of its information assets. Information security has not been given enough attention in the literature in terms of the human factor effect; researchers have called for more examination in this area. Human factors play a significant role in computer security. In this paper, we focus on the relationship of the human factor on information security presenting the human weaknesses that may lead to unintentional harm to the organization and discuss how information security awareness can be a major tool in overcoming these weaknesses. A framework for a field research is also presented in order to identify the human factors and the major attacks that threat computer security.
|
|
| 5. |
|
|
| 6. |
- Hedström, Karin, 1967-, et al.
(author)
-
Value conflicts for information security management
- 2011
-
In: Journal of strategic information systems. - Amsterdam : Elsevier. - 0963-8687 .- 1873-1198. ; 20:4, s. 373-384
-
Journal article (peer-reviewed)abstract
- A business’s information is one of its most important assets, making the protection of information a strategic issue. In this paper, we investigate the tension between information security policies and information security practice through longitudinal case studies at two health care facilities. The management of information security is traditionally informed by a control-based compliance model, which assumes that human behavior needs to be controlled and regulated. We propose a different theoretical model: the value-based compliance model, assuming that multiple forms of rationality are employed in organizational actions at one time, causing potential value conflicts. This has strong strategic implications for the management of information security. We believe health care situations can be better managed using the assumptions of a value-based compliance model.
|
|
| 7. |
- Iqbal, Sarfraz, et al.
(author)
-
Towards a design theory for educational on-line information security laboratories
- 2012
-
In: Advances in Web-Based Learning - ICWL 2012. - Heidelberg : Encyclopedia of Global Archaeology/Springer Verlag. - 9783642336416 - 9783642336423 ; , s. 295-306
-
Conference paper (peer-reviewed)abstract
- Online learning for educating information security professionals has increased in popularity. The security curriculum and technology, as well as hands-on laboratory experiences implemented in information security labs, are important elements in an online education system for information security. We drew our motivation from an on-going information security lab development initiative in our own institution, and this paper aims to provide an integrated overview on reported instances of online hands-on education in information security. Our review contributes to the existing knowledge by using the anatomy of design theory framework as a basis for literature analysis, as this provides a common basis to examine theories about human-created information technology artifacts such as information security labs and how such knowledge has been communicated to academia. Our results show that none of the articles studied here puts forward a well-grounded and tested design theory for on-line information security laboratories. This hinders accumulation of knowledge in this area and makes it difficult for others to observe, test and adapt clear design principles for security laboratories and exercises.
|
|
| 8. |
- Kowalski, Stewart, et al.
(author)
-
Information Security Metrics: Research Directions
- 2011
-
Conference paper (peer-reviewed)abstract
- This paper is largely based on a state of the art report covering the information security (IS) metrics area produced as part of the Controlled Information Security (COINS) research project funded by the Swedish Civil Contingencies Agency (MSB) and the comprehensive literature review conducted while compiling the report. The report's findings are summarized and some of the key issues discovered in the course of the literature review are reflected upon. Additionally, the paper describes a conceptual systemic scheme/model for the research process, while explaining its relevance to the subject area, that may help with resolution of the outlined issues in future research in the area. The paper is written principally with a management/governance (rather than engineering) perspective in mind
|
|
| 9. |
|
|
| 10. |
- Metalidou, Efthymia, et al.
(author)
-
Human factor and information security in higher education
- 2014
-
In: Journal of Systems and Information Technology. - : Emerald Group Publishing Limited. - 1328-7265 .- 1758-8847. ; 16:3, s. 210-221
-
Journal article (peer-reviewed)abstract
- Purpose – This paper investigates the association of Lack of Awareness and human factors, and the association of Lack of Awareness and significant attacks that threat computer security in Higher Education.Design/methodology/approach – Five human factors and nine attacks are considered, in order to investigate their relationship. A field research is conducted on Greek employees in Higher Education in order to identify the human factors that affect information security. The sample is consisted of 103 employees that use computers at work. Pearson correlation analysis between Lack of Awareness and nine (9) computer security risks is performed.Findings – Examining the association of Lack of Awareness with these attacks that threat the security of computers, all nine factors of important attacks exert significant and positive effect, apart from Phishing. Considering the relationship of Lack of Awareness to human factors, all five human factors used are significantly and positively correlated with Lack of Awareness. Moreover, all nine important attacks, apart from one, exert a significant and positive effect.Research limitations/implications – The paper extends understanding of the relationship of the human factors, the Lack of Awareness, and information security. The study has focused on employees of the Technological Educational Institute (TEI) of Athens, namely teachers, administrators, and working post-graduate students.Originality/value – The paper has used weighted factors based on data collection in Higher Education to calculate a global index for Lack of Awareness, as the result of the weighted aggregation of nine (9) risks, and extends the analysis performed in the literature to evaluate the effectiveness of Security Awareness in Computer Risk Management.
|
|
