Skip to main content
SpringerLink
Log in

Information Security Behavior: Development of a Measurement Instrument Based on the Self-determination Theory

  • Conference paper
  • First Online:
Human Aspects of Information Security and Assurance (HAISA 2020)

Part of the book series: IFIP Advances in Information and Communication Technology ((IFIPAICT,volume 593))

  • 858 Accesses

Abstract

Employee information security behaviour is important in securing an organisation’s information technology resources. Employees can act in a risky or secure manner. Improving employee information security behaviour is important for organisations and should follow an assessment of their behaviour. A robust measuring instrument is a necessity for effectively assessing information security behaviour. In this study, a questionnaire was developed based on the Human Aspects of Information Security Questionnaire and self-determination theory and validated statistically. Data obtained through a quantitative survey (N = 263) at a South African university was used to validate the questionnaire. The result is a questionnaire that has internally consistent items, as shown by the results of the reliability analysis. Universities can use the questionnaire to identify developmental areas to improve information security from a behaviour perspective.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 54.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Safa, N.S., Sookhak, M., Von Solms, R., et al.: Information security conscious care behaviour formation in organizations. Comput. Secur. 53, 65–78 (2015). https://doi.org/10.1016/j.cose.2015.05.012

    Article  Google Scholar 

  2. Humaidi, N., Balakrishnan, V.: Indirect effect of management support on users’ compliance behaviour towards information security policies. Heal. Inf. Manag. J. 47, 17–27 (2017). https://doi.org/10.1177/1833358317700255

    Article  Google Scholar 

  3. Pahnila, S., Karjalainen, M., Mikko, S.: Information security behavior : towards multi-stage models. In: Proceedings of the Pacific Asia Conference on Information Systems (PACIS 2013) (2013)

    Google Scholar 

  4. Mayer, P., Kunz, A., Volkamer, M.: Reliable behavioural factors in the information security context. In: Proceedings of the 12th International Conference on Availability, Reliability and Security - (ARES 2017), pp. 1–10 (2017)

    Google Scholar 

  5. PricewaterhouseCoopers. The Global State of Information Security Survey 2018: PwC (2018). https://www.pwc.com/us/en/services/consulting/cybersecurity/library/information-security-survey.html

  6. Ponemon Institute: The third annual study on the state of endpoint security risk (2020). https://www.morphisec.com/hubfs/2020StateofEndpointSecurityFinal.pdf

  7. Huang, H.W., Parolia, N., Cheng, K.T.: Willingness and ability to perform information security compliance behavior: psychological ownership and self-efficacy perspective. In: Proceedings of the Pacific Asia Conference on Information Systems (PACIS 2016) (2016)

    Google Scholar 

  8. Iriqat, Y.M., Ahlan, A.R., Nuha, N.M.A.: Information security policy perceived compliance among staff in palestine universities : an empirical pilot study. In: Proceedings of the Jordan International Joint Conference on Electrical Engineering and Information Technology (JEEIT), pp. 580–585. IEEE (2019)

    Google Scholar 

  9. Alaskar, M., Vodanovich, S., Shen, K.N.: Evolvement of information security research on employees’ behavior: a systematic review and future direction. In: Proceedings of the 48th Hawaii International Conference on System Sciences, pp. 4241–4250. IEEE (2015)

    Google Scholar 

  10. Öğütçü, G., Testik, Ö.M., Chouseinoglou, O.: Analysis of personal information security behavior and awareness. Comput. Secur. 56, 83–93 (2016). https://doi.org/10.1016/j.cose.2015.10.002

    Article  Google Scholar 

  11. Ifinedo, P.: Information systems security policy compliance: an empirical study of the effects of socialization, influence, and cognition. Inf. Manag. 51, 69–79 (2013)

    Article  Google Scholar 

  12. Kranz, J.J., Haeussinger, F.J.: Why deterrence is not enough : The role of endogenous motivations on employees’ information security behavior. In: Proceedings of the 35th International Conference on Information Systems, pp. 1–14. IEEE (2014)

    Google Scholar 

  13. Parsons, K., McCormac, A., Butavicius, M., et al.: Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q). Comput. Secur. 42, 165–176 (2014). https://doi.org/10.1016/j.cose.2013.12.003

    Article  Google Scholar 

  14. Gangire, Y., Da Veiga, A., Herselman, M.: A conceptual model of information security compliant behaviour based on the self-determination theory. In: Proceedings of the 2019 Conference on Information Communications Technology and Society, (ICTAS). IEEE (2019)

    Google Scholar 

  15. Pattinson, M., Butavicius, M., Parsons, K., et al.: Examining attitudes toward information security behaviour using mixed methods. In: Proceedings of the 9th International Symposium on Human Aspects of Information Security & Assurance (HAISA). pp. 57–70 (2015)

    Google Scholar 

  16. Guo, K.H.: Security-related behavior in using information systems in the workplace: a review and synthesis. Comput. Secur. 32, 242–251 (2013). https://doi.org/10.1016/j.cose.2012.10.003

    Article  Google Scholar 

  17. Blythe, J.M., Coventry, L., Little, L.: Unpacking security policy compliance : the motivators and barriers of employees’ security behaviors. In: Proceedings of the Symposium on Usable Privacy and Security (SOUPS), Ottawa, pp. 103–122 (2015)

    Google Scholar 

  18. Klein, R.H., Luciano, E.M.: What influences information security behavior? A study with brazilian users. J. Inf. Syst. Technol. Manag. 13, 479–496 (2016). https://doi.org/10.4301/S1807-17752016000300007

    Article  Google Scholar 

  19. Alfawaz, S., Nelson, K., Mohannak, K.: Information security culture : a behaviour compliance conceptual framework. In: Proceedings of the 8th Australasian Information Security Conference (AISC), pp. 47–55 (2010)

    Google Scholar 

  20. Ahmad, Z., Norhashim, M., Song, O.T., Hui, L.T.: A typology of employees’ information security behaviour. In: Proceedings of the 4th International Conference on Information and Communication Technology, pp. 3–6 (2016)

    Google Scholar 

  21. Alohali, M., Clarke, N., Furnell, S., Albakri, S.: Information security behavior: recognizing the influencers. In: Proceedings of the Computing Conference, pp. 844–853 (2017)

    Google Scholar 

  22. Ryan, M.R., Deci, L.E.: Self-determination theory and the facilitation of intrinsic motivation, social development, and well-being. Am. Psychol. 55, 68–78 (2000)

    Article  Google Scholar 

  23. Legault, L.: Self determination theory. In: Zeigler-Hill, V., Shackelford, T.K. (eds.) Encyclopedia of Personality and Individual Differences, pp. 1–9. Springer, New York (2017). https://doi.org/10.1007/978-1-4419-1005-9_1620

    Chapter  Google Scholar 

  24. Shropshire, J., Warkentin, M., Sharma, S.: Personality, attitudes, and intentions: predicting initial adoption of information security behavior. Comput. Secur. 49, 177–191 (2015). https://doi.org/10.1016/j.cose.2015.01.002

    Article  Google Scholar 

  25. Calic, D., Pattinson, M., Parsons, K., et al.: Naïve and accidental behaviours that compromise information security : what the experts think. In: Proceedings of the 10th International Symposium on Human Aspects of Information Security & Assurance (HAISA), pp. 12–21 (2016)

    Google Scholar 

  26. Bélanger, F., Collignon, S., Enget, K., Negangard, E.: Determinants of early conformance with information security policies. Inf. Manag. 54, 887–901 (2017). https://doi.org/10.1016/j.im.2017.01.003

    Article  Google Scholar 

  27. Bauer, S., Bernroider, E.W.N., Chudzikowski, K.: Prevention is better than cure! Designing information security awareness programs to overcome users’ non-compliance with information security policies in banks. Comput. Secur. 68, 145–159 (2017). https://doi.org/10.1016/j.cose.2017.04.009

    Article  Google Scholar 

  28. Curry, M., Marshall, B., Crossler, R.E., Correia, J.: InfoSec Process Action Model (IPAM): Systematically addressing individual security behavior. Database Adv. Inf. Syst. 49, 49–66 (2018). https://doi.org/10.1145/3210530.3210535

    Article  Google Scholar 

  29. Aurigemma, S., Mattson, T.: Deterrence and punishment experience impacts on ISP compliance attitudes. Inf. Comput. Secur. 25, 421–436 (2017). https://doi.org/10.1108/ICS-11-2016-0089

    Article  Google Scholar 

  30. Swartz, P., Da Veiga, A., Martins, N.: A conceptual privacy governance framework. In: Proceeding of the 2019 Conference on Information Communications Technology and Society (ICTAS), pp. 1–6 (2019)

    Google Scholar 

  31. NIST Security and privacy controls for federal information systems and organizations: National Institute of Standards and Technology (2017)

    Google Scholar 

  32. Dennedy, M.F., Fox, J., Finneran, T.R.: Data and privacy governance concepts. The Privacy Engineer’s Manifesto, pp. 51–72. Apress, New York (2014)

    Chapter  Google Scholar 

  33. Parsons, K., Calic, D., Pattinson, M., et al.: The human aspects of information security questionnaire (HAIS-Q): two further validation studies. Comput. Secur. 66, 40–51 (2017). https://doi.org/10.1016/j.cose.2017.01.004

    Article  Google Scholar 

  34. Oates, B.J.: Researching Information Systems and Computing. Sage, London (2006)

    Google Scholar 

  35. Saunders, M., Lewis, P., Thornhill, A.: Research Methods for Business Students, 7th edn. Pearson Education Limited, Essex (2016)

    Google Scholar 

  36. Da Veiga, A., Martins, N.: Improving the information security culture through monitoring and implementation actions illustrated through a case study. Comput. Secur. 49, 162–176 (2015). https://doi.org/10.1016/j.cose.2014.12.006

    Article  Google Scholar 

  37. Yong, A.G., Pearce, S.: A beginner’ s guide to factor analysis: focusing on exploratory factor analysis. Tutor. Quant. Methods Psychol. 9, 79–94 (2013)

    Article  Google Scholar 

  38. Williams, B., Onsman, A., Brown, T.: Exploratory factor analysis: a five-step guide for novices. J. Emerg. Prim. Heal. Care 8, 1–13 (2010)

    Google Scholar 

  39. O’Rourke, N., Hatcher, L.: A Step-By-Step Approach to Using SAS for Factor Analysis and Structural Equation. SAS Institute, Cary (2013)

    Google Scholar 

  40. Field, A.: Discovering Statistics Using SPSS, 3rd edn. Sage, London (2009)

    MATH  Google Scholar 

  41. Gerber, H., Hall, N.: Quantitative research design. In: Data Acquisition - 1 day. HR Statistics, Pretoria (2017)

    Google Scholar 

  42. Stevens, J.P.: Applied Multivariate Statistics for the Social Sciences, 4th edn. Erlbaum, Hillsdale (2002)

    MATH  Google Scholar 

  43. Marczyk, G., Fertinger, D., DeMatteo, D.: Essentials of Research Design and Methodology. Wiley, Hoboken (2005)

    MATH  Google Scholar 

Download references

Acknowledgment

This work is based on research supported by the University of South Africa’s Women in Research Grant.

Author information

Authors and Affiliations

  1. School of Computing, College of Science, Engineering and Technology, University of South Africa (UNISA), Florida Campus, Johannesburg, South Africa

    Yotamu Gangire, Adéle Da Veiga & Marlien Herselman

  2. Next Generation Enterprises and Institutions, CSIR, Pretoria, South Africa

    Marlien Herselman

Authors
  1. Yotamu Gangire
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Adéle Da Veiga
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Marlien Herselman
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yotamu Gangire .

Editor information

Editors and Affiliations

  1. University of Plymouth, Plymouth, UK

    Nathan Clarke

  2. University of Plymouth, Plymouth, UK

    Steven Furnell

Rights and permissions

Reprints and permissions

Copyright information

© 2020 IFIP International Federation for Information Processing

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Gangire, Y., Da Veiga, A., Herselman, M. (2020). Information Security Behavior: Development of a Measurement Instrument Based on the Self-determination Theory. In: Clarke, N., Furnell, S. (eds) Human Aspects of Information Security and Assurance. HAISA 2020. IFIP Advances in Information and Communication Technology, vol 593. Springer, Cham. https://doi.org/10.1007/978-3-030-57404-8_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-57404-8_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-57403-1

  • Online ISBN: 978-3-030-57404-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation