Abstract
Employee information security behaviour is important in securing an organisation’s information technology resources. Employees can act in a risky or secure manner. Improving employee information security behaviour is important for organisations and should follow an assessment of their behaviour. A robust measuring instrument is a necessity for effectively assessing information security behaviour. In this study, a questionnaire was developed based on the Human Aspects of Information Security Questionnaire and self-determination theory and validated statistically. Data obtained through a quantitative survey (N = 263) at a South African university was used to validate the questionnaire. The result is a questionnaire that has internally consistent items, as shown by the results of the reliability analysis. Universities can use the questionnaire to identify developmental areas to improve information security from a behaviour perspective.
Acknowledgment
This work is based on research supported by the University of South Africa’s Women in Research Grant.
Copyright information
© 2020 IFIP International Federation for Information Processing
About this paper
Cite this paper
Gangire, Y., Da Veiga, A., Herselman, M. (2020). Information Security Behavior: Development of a Measurement Instrument Based on the Self-determination Theory. In: Clarke, N., Furnell, S. (eds) Human Aspects of Information Security and Assurance. HAISA 2020. IFIP Advances in Information and Communication Technology, vol 593. Springer, Cham. https://doi.org/10.1007/978-3-030-57404-8_12
DOI: https://doi.org/10.1007/978-3-030-57404-8_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-57403-1
Online ISBN: 978-3-030-57404-8
eBook Packages: Computer Science (R0)