Abstract
The growing number of information security breaches in organisations presents a serious risk to the confidentiality of personal and commercially sensitive data. Current research studies indicate that humans are the weakest link in the information security chain and the root cause of numerous security incidents in organisations. Based on literature gaps, this study investigates how procedural security countermeasures tend to affect employee security behaviour. Data for this study was collected in organisations located in the United States and Ireland. Results suggest that procedural security countermeasures are inclined to promote security-cautious behaviour, while their absence tends to lead to non-compliant behaviour.
A prior version of this paper has been published in the ISD2017 Proceedings (http://aisel.aisnet.org/isd2014/proceedings2017).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Information security policy compliance: an empirical study of rationally-based beliefs and information security awareness. MIS Q. 34(3), 523–548 (2010)
Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M., Baskerville, R.: Future directions for behavioral information security research. Comput. Secur. 32, 90–101 (2013)
D’Arcy, J., Hovav, A.: Deterring internal information systems misuse. Commun. ACM 50(10), 113–117 (2007)
Lee, Y., Larsen, K.R.: Threat or coping appraisal: determinants of SMB executives’ decision to adopt anti-malware software. Eur. J. Inform. Syst. 18(2), 177–187 (2009)
Boss, S.R., Kirsch, L.J., Angermeier, I., Shingler, R.A., Ross, R.W.: If someone is watching, I’ll do what I’m asked: mandatoriness, control, and information security. Eur. J. Inform. Syst. 18(2), 151–164 (2009)
D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inform. Syst. Res. 20(1), 1–20 (2009)
Straub, D.W.: Effective IS security: an empirical study. Inform. Syst. Res. 1(3), 255–276 (1990)
Straub, D.W., Welke, R.J.: Coping with systems risk: security planning models for management decision making. MIS Q. 22(4), 441–469 (1998)
Hovav, A., D’Arcy, J.: Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the U.S. and South Korea. Inf. Manag. 49(2), 99–110 (2012)
Cheng, L., Ying, L., Wenli, L., Holm, E., Zhai, Q.: Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory. Comput. Secur. 39, 447–459 (2013)
Siponen, M., Mahmood, M.A., Pahnila, S.: Are employees putting your company at risk by not following information security policies? Commun. ACM 52(12), 145–147 (2009)
Lee, S.M., Lee, S.G., Yoo, S.: An integrative model of computer abuse based on social control and general deterrence theories. Inf. Manag. 41(6), 707–718 (2004)
Barlow, J.B., Warkentin, M., Ormond, D., Dennis, A.R.: Don’t make excuses! Discouraging neutralization to reduce IT policy violation. Comput. Secur. 39 (Part B), 145–159 (2013)
Blumstein, A., Cohen, J., Nagin, D.: Deterrence and incapacitation: Estimating the effects of criminal sanctions on crime rates. In: Bridges, G., Crutchfield, R., Weis, R.L. (eds.) Crime and Society: Reading in Criminal Justice, vol. 3, pp. 96–100. Pine Forge Press, Thousand Oaks (1996)
Guo, K.H.: Security-related behavior in using information systems in the workplace: a review and synthesis. Comput. Secur. 32, 242–251 (2013)
Sacco, V.F.: Shoplifting prevention: the role of communication-based intervention strategies. Can. J. Criminol. 27(1), 15–29 (1985)
Quazi, M.M.: Effective drug-free workplace plan uses worker testing as deterrent. Occup. Health Saf. 62(6), 26–31 (1993)
Matavire, R., Brown, I.: Profiling grounded theory approaches in information systems research. Eur. J. Inform. Syst. 22(1), 119–129 (2013)
Maykut, P., Morehouse, R.: Beginning Qualitative Research: A Philosophic and Practical Guide. The Falmer Press, London (1994)
Eisenhardt, K.M.: Building theories from case study research. Acad. Manag. Rev. 14(4), 532–550 (1989)
Furnell, S.M., Gennatou, M., Dowland, P.S.: A prototype tool for IS security awareness and training. Int. J. Logistics Inform. Manag. 15(5), 352–357 (2002)
Chan, M., Woon, I., Kankanhalli, A.: Perceptions of information security at the workplace: linking information security climate to compliant behaviour. J. Inform. Priv. Secur. 1(3), 18–41 (2005)
Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Quality and fairness of an information security policy as antecedents of employees’ security engagement in the workplace: an empirical investigation. In: 43rd Annual Hawaii International Conference on System Sciences, pp. 1–7. IEEE Press (2010)
D’Arcy, J., Herath, T.: A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. Eur. J. Inform. Syst. 20(6), 643–658 (2011)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Connolly, L.Y., Lang, M., Tygar, D.J. (2018). Employee Security Behaviour: The Importance of Education and Policies in Organisational Settings. In: Paspallis, N., Raspopoulos, M., Barry, C., Lang, M., Linger, H., Schneider, C. (eds) Advances in Information Systems Development. Lecture Notes in Information Systems and Organisation, vol 26. Springer, Cham. https://doi.org/10.1007/978-3-319-74817-7_6
Download citation
DOI: https://doi.org/10.1007/978-3-319-74817-7_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-74816-0
Online ISBN: 978-3-319-74817-7
eBook Packages: Business and ManagementBusiness and Management (R0)