Abstract
Since information security (InfoSec) incidents often involve human error, businesses are investing greater resources into improving staff awareness and compliance with best-practice InfoSec behaviours. This research examined whether employees who feel that they may be personally affected by workplace InfoSec incidents are more likely to behave in accordance with those best-practice behaviours. To further understand this, we also examined organisational commitment and risk perception. Data collection involved an online questionnaire measuring these constructs in relation to three workplace cyber threats: phishing, malware, and mobile devices. The questionnaire was completed by 269 employed Australians. Participants who felt more personally affected by attacks associated with mobile devices were more likely to report following best-practice behaviours in that context at work. This was not the case for phishing and malware attacks. Other variables, including age, gender, employment level and InfoSec training, were also found to predict reported compliance with best-practice behaviours, and employees with more frequent training self-reported poorer compliance. Theoretical and practical implications are discussed.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Reeves, A., Parsons, K., Calic, D. (2020). Whose Risk Is It Anyway: How Do Risk Perception and Organisational Commitment Affect Employee Information Security Awareness? In: Moallem, A. (ed.) HCI for Cybersecurity, Privacy and Trust. HCII 2020. Lecture Notes in Computer Science, vol. 12210. Springer, Cham. https://doi.org/10.1007/978-3-030-50309-3_16
DOI: https://doi.org/10.1007/978-3-030-50309-3_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-50308-6
Online ISBN: 978-3-030-50309-3
eBook Packages: Computer Science, Computer Science (R0)