• Corpus ID: 23014

Featured Talk: Measuring Secure Behavior: A Research Commentary

Merrill Warkentin, Detmar W. Straub, Kalana Malimage
The expansion of and reliance on highly-interconnected information systems has increased the exposure of organizations to various threats. Though some security threats are technical or the result of natural or manmade disasters, many are anthropogenic, including errors and omissions by employees, malicious acts by employees, and the acts of external factors such as competitors with malicious intent, hackers, and others [21]. This increased vulnerability in the threat landscape has caused most…

A theory-based review of information security behavior in the organization and home context

  • Joseph Omidosu, Jacques Ophoff
  • Computer Science
    2016 International Conference on Advances in Computing and Communication Engineering (ICACCE)
  • 2016
It is found that limited research attention has been given to information security behavior in the home context, indicating the dominant theoretical approaches used to date.

Future directions for behavioral information security research

The Impact of Time Pressure on Human Cybersecurity Behavior: An Integrative Framework

A conceptual framework consisting of contexts, psychological constructs, and boundary conditions pertaining to the role time pressure plays on HCS behavior is presented and will serve as a guideline for future studies exploring different aspects of time pressure in cybersecurity contexts and also to identify potential countermeasures for the detrimental impact of time pressure.

Developing a Viral Artifact to Improve Employees’ Security Behavior

The purpose of this research is to develop a viral video artifact to improve employee security behavior concerning information technology.

Managers’ and Employees’ Differing Responses to Security Approaches

The results suggest that participation in the ISP decision-making process might prove to be a more effective approach to motivate lower-level employees toward compliance and that enhancing the meaningfulness of policy compliance could be the preferred method among higher levels of management.

The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets

It is shown in detail how organizational commitment is the mechanism through which organizational security threats become personally relevant to insiders and how SETA efforts influence many PMT-based components.

An ethnographic study to assess the enactment of information security culture in a retail store

An ethnographic investigation into the security culture of a single retail store that is part of a large nationwide organization in the United Kingdom surprisingly revealed poor security culture, despite the organization as a whole seemingly following good practice with respect to education and policy.

High-Risk Deviant Decisions: Does Neutralization Still Play a Role?

The results show that sanctions play an important role in reducing employees’ intentions to violate policy but that, even under extreme boundary conditions, employees might seek to rationalize their unethical behavior by denying responsibility for their actions through, for example, arguing that their supervisors pressured them into performing the violations.



User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach

An extended deterrence theory model is presented that combines work from criminology, social psychology, and information systems and suggests that user awareness of security countermeasures directly influences the perceived certainty and severity of organizational sanctions associated with IS misuse, which leads to reduced IS misuse intention.

Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations

This article shows that neutralization theory, a theory prominent in Criminology but not yet applied in the context of IS, provides a compelling explanation for IS security policy violations and offers new insight into how employees rationalize this behavior.

Protection motivation and deterrence: a framework for security policy compliance in organisations

An Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour is developed and it is found that employees in the sample underestimate the probability of security breaches.

Understanding Nonmalicious Security Violations in the Workplace: A Composite Behavior Model

This study proposes and tests empirically a nonmalicious security violation (NMSV) model with data from a survey of end users at work, and suggests that utilitarian outcomes, normative outcomes, and self-identity outcomes are key determinants of end user intentions to engage in NMSVs.

Effective IS Security: An Empirical Study

Investigation of whether a management decision to invest in IS security results in more effective control of computer abuse indicates that security countermeasures that include deterrent administrative procedures and preventive security software will result in significantly lower computer abuse.

Fear Appeals and Information Security Behaviors: An Empirical Study

Investigation of the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats suggests that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users.

Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness

The results show that an employee's intention to comply with the ISP is significantly influenced by attitude, normative beliefs, and self-efficacy to comply, and light is shed on the role of ISA and compliance-related beliefs in an organization's efforts to encourage compliance.

Beyond Deterrence: An Expanded View of Employee Computer Abuse

The Straub and Welke (1998) security action cycle framework is extended and three areas worthy of empirical investigation are proposed--techniques of neutralization, expressive/instrumental criminal motivations, and disgruntlement as a result of perceptions of organizational injustice--and questions for future research in these areas are proposed.

Threats to Information Systems: Today's Reality, Yesterday's Understanding

A study investigating MIS executives' concern about a variety of threats found computer viruses to be a particular concern, highlighting a gap between the use of modern technology and the understanding of the security implications inherent in its use.