| 1. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
Information Security Policy Compliance : An Empirical Study on Escalation of Commitment
- 2013
-
Ingår i: 19th Americas Conference on Information Systems (AMCIS 2013). - Red Hook, N.Y. : Curran Associates, Inc.. - 9781629933948 ; , s. 2011-2020
-
Konferensbidrag (refereegranskat)abstract
- This study aims to facilitate a new understanding on employees’ attitude towards compliance with the requirements of their information security policy (ISPs) through the lens of escalation. Escalation presents a situation in which employees must decide whether to persist in or withdraw from a non-performing task. Drawing on the Theory of Planned Behavior (TPB) and Agency Theory, our model delineates three mediating factors in explaining attitude: work impediment, information asymmetry, and safety of resources. We also propose information security awareness as an independent variable having an indirect effect on attitude through mediating factors. The proposed model is tested using the data collected from 376 employees working in the banking industry. The results of the PLS analyses show that while information asymmetry and safety of resources have significant impacts on attitude, work impediment does not. The results also show that ISA has significant impact on all three mediating factors.
|
|
| 2. |
- Metalidou, Efthymia, et al.
(författare)
-
The Human Factor of Information Security : Unintentional Damage Perspective
- 2014
-
Ingår i: Procedia - Social and Behavioral Sciences. - : Elsevier. ; , s. 424-428
-
Konferensbidrag (refereegranskat)abstract
- It is widely acknowledged that employees of an organization are often a weak link in the protection of its information assets. Information security has not been given enough attention in the literature in terms of the human factor effect; researchers have called for more examination in this area. Human factors play a significant role in computer security. In this paper, we focus on the relationship of the human factor on information security presenting the human weaknesses that may lead to unintentional harm to the organization and discuss how information security awareness can be a major tool in overcoming these weaknesses. A framework for a field research is also presented in order to identify the human factors and the major attacks that threat computer security.
|
|
| 3. |
- Metalidou, Efthymia, et al.
(författare)
-
Human factor and information security in higher education
- 2014
-
Ingår i: Journal of Systems and Information Technology. - : Emerald Group Publishing Limited. - 1328-7265 .- 1758-8847. ; 16:3, s. 210-221
-
Tidskriftsartikel (refereegranskat)abstract
- Purpose – This paper investigates the association of Lack of Awareness and human factors, and the association of Lack of Awareness and significant attacks that threat computer security in Higher Education.Design/methodology/approach – Five human factors and nine attacks are considered, in order to investigate their relationship. A field research is conducted on Greek employees in Higher Education in order to identify the human factors that affect information security. The sample is consisted of 103 employees that use computers at work. Pearson correlation analysis between Lack of Awareness and nine (9) computer security risks is performed.Findings – Examining the association of Lack of Awareness with these attacks that threat the security of computers, all nine factors of important attacks exert significant and positive effect, apart from Phishing. Considering the relationship of Lack of Awareness to human factors, all five human factors used are significantly and positively correlated with Lack of Awareness. Moreover, all nine important attacks, apart from one, exert a significant and positive effect.Research limitations/implications – The paper extends understanding of the relationship of the human factors, the Lack of Awareness, and information security. The study has focused on employees of the Technological Educational Institute (TEI) of Athens, namely teachers, administrators, and working post-graduate students.Originality/value – The paper has used weighted factors based on data collection in Higher Education to calculate a global index for Lack of Awareness, as the result of the weighted aggregation of nine (9) risks, and extends the analysis performed in the literature to evaluate the effectiveness of Security Awareness in Computer Risk Management.
|
|
| 4. |
- Magnusson, Lars, 1952-, et al.
(författare)
-
Post-Mortem of Mega Hacks : Signifying the Need for a Systemic Enterprise View on Information Security
- 2023
-
Ingår i: 2023 7th International Conference on Cryptography, Security and Privacy (CSP). - : IEEE. - 9798350323368 - 9798350323375 ; , s. 41-46
-
Konferensbidrag (refereegranskat)abstract
- Once, system thinking was about singular systems. Today we exist in a far more complex world, with systems interacting with systems, directly or indirectly. Information security, therefore, must involve all systems in the chain. New legal European regulations such as Guidelines for Data Protection Regulation demand that the ICT/IT world must include systems outside the organizational border to be involved and accounted for under enterprise information security umbrella. Recent mega hacks analyzed in this article point to the fact that a systems thinking perspective is needed to create modern governance, risk, and compliance security model framework. This research work puts forth a conceptual model based on Viable System Model appropriate for a major global information security restructuring. A motive for VSM is grounded in that it works fine with securing modern laws like GDPR and CCPA in supporting a needed enterprise perspective.
|
|
| 5. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
Guilt Proneness as a Mechanism Towards Information Security Policy Compliance
- 2013
-
Ingår i: Proceedings of the 24th Australasian Conference on Information Systems. - : Royal Melbourne Institute of Technology (RMIT). - 9780992449506
-
Konferensbidrag (refereegranskat)abstract
- In this paper, we develop a theoretical framework for understanding the role guilt proneness plays in the Information Security Policy (ISP) compliance. We define guilt proneness as an emotional personality trait indicative of a predisposition to experience a negative feeling about ISP violation. We develop a research model based on the theory of planned behaviour, guilt proneness theory and rational choice theory to explain employees’ intentions to comply with ISPs by incorporating the guilt proneness as a moderator between benefit of compliance and benefit of violation as perceived by employees and their attitude towards compliance. Identifying the roles of predispositions like guilt proneness in the ISP compliance will have interesting theoretical and practical implications in the area of information security.
|
|
| 6. |
- Magnusson, Lars, 1952-, et al.
(författare)
-
On System Thinking and Information Security
- 2019
-
Ingår i: The OR Society Annual Conference OR61, 3-5 September 2019, Sibson Building, Kent University. - : The Operational Research Society. ; , s. 161-162
-
Konferensbidrag (refereegranskat)abstract
- Security problems we have to deal with today regarding Internet are created by ourselves. Internet, initially created to handle US Government data traffic, evolved to become communication between different research institutes. The protocols that were used had no security at all. Today we still use this network to almost everything and the complexity has grown tremendously. Compared to when the network initially was created, we now try to protect assets rather than just communicate, divide users according to permission and accessibility, and deal with privacy issues. Basically, everything is depending on the network that initially was created with no security.Privacy has been a critical security aspect for the EU, but with the event of the GDPR privacy is both a legal aspect and an auditable ICT concept. GDPR includes topics like: owning your own data, independent of who collected it and where it is stored, and; the right to be forgotten. Each data collector also needs to have a complete data-flow map, describing any privacy data sets in a flow, to make these traceable and ready for audit inspection. Any organization handling EU residents’ data, needs to adhere to proactive Information Security processes. GDPR is based on the principles of Governance, Risk, and Compliance. It is not a purely legal construct; it is a management and strategy issue, not an IT issue. Further examples relate to cloud services with distributed resources, which illustrate the complex problem situation.There is a need for a new perspective, moving from systems management to data flow management. We propose a systemic model which illustrate processes and flows within a fractal structure; we build on Beer’s Viable System Model. Such a model enables mapping of complexity and data flows and provide a tool for auditing and, thus, enable meeting the requirements of GDPR.
|
|
| 7. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
Assessing Self-Justification as an Antecedent of Noncompliance with Information Security Policies
- 2013
-
Ingår i: Proceedings of the 24th Australasian Conference on Information Systems. - : Royal Melbourne Institute of Technology (RMIT). - 9780992449506 ; , s. 1-12
-
Konferensbidrag (refereegranskat)abstract
- This paper aims to extend our knowledge about employees’ noncompliance with Information Security Policies (ISPs), focusing on employees’ self-justification as a result of escalation of commitment that may trigger noncompliance behaviour. Escalation presents a situation when employees must decide whether to persist or withdraw from nonperforming tasks at work. Drawing on self-justification theory and prospect theory, our model presents two escalation factors in explaining employee’s willingness to engage in noncompliance behaviour with ISPs: self-justification and risk perceptions. We also propose that perceived benefits of noncompliance and perceived costs of compliance, at the intersection of cognitive and emotional driven acts influence self-justification. The model is tested based on 376 respondents from banking industry. The results show that while self-justification has a significant impact on willingness, risk perceptions do not moderate their relation. We suggest that future research should explore the roles of self-justification in noncompliance to a greater extent.
|
|
| 8. |
- Kajtazi, Miranda, 1983-, et al.
(författare)
-
Assessing Sunk Cost Effect on Employees'€™ Intentions to Violate Information Security Policies in Organizations
- 2014
-
Ingår i: Proceedings of the 47th Annual Hawaii International Conference on System Sciences. - : IEEE. - 9781479925049 ; , s. 3169-3177
-
Konferensbidrag (refereegranskat)abstract
- It has been widely known that employees pose insider threats to the information and technology resources of an organization. In this paper, we develop a model to explain insiders' intentional violation of the requirements of an information security policy. We propose sunk cost as a mediating factor. We test our research model on data collected from three information-intensive organizations in banking and pharmaceutical industries (n=502). Our results show that sunk cost acts as a mediator between the proposed antecedents of sunk cost (i.e., completion effect and goal in congruency) and intentions to violate the ISP. We discuss the implications of our results for developing theory and for re-designing current security agendas that could help improve compliance behavior in the future.
|
|
| 9. |
- Wennberg, Louise, et al.
(författare)
-
Information security - an application of a systems approach
- 2006
-
Ingår i: Kybernetes. - : Emerald Group Publishing Limited. - 0368-492X .- 1758-7883. ; 35:6, s. 786-796
-
Tidskriftsartikel (refereegranskat)abstract
- Purpose – The paper aims to describe and discuss the establishment of customer care centres in Sweden with particular concerns about information security.Design/methodology/approach – The paper is part of a series about information security and the approach is to study the subject within an organisation and initially to understand how it works.Findings – An effective way was found to embrace as many factors as possible by using a theory that contains the characteristics of the organisation. It was found that a combination of general systems theory and classic information systems theory was very successful.Practical implications – The new systems and new structure within the Corporation of Swedish Pharmacies (Apotekes) will in future create better conditions for customers and the opportunity to have products delivered at home or by collection from the centres.Originality/value – Describes new and ongoing developments aimed at improving customer care and demonstrates the application of system theory to the resulting organisation and implementation.
|
|
| 10. |
- Magnusson, Lars, 1952-
(författare)
-
A New Authentication Paradigm?
- 2012
-
Ingår i: ISC2 InfoSecurity Professional Magazine. - Faringham, US : ISC2. ; 3:17, s. 24-24
-
Tidskriftsartikel (refereegranskat)abstract
- A discussion piece regarding early 2010 woes and concerns about authentication of cloud service users and the information security aspects of that. Includes a perspective of authentication in the view of AT&T Plan 9 Factorum security service.
|
|
