Abstract
Computer users are often referred to, rather disparagingly, as “the weakest link” in information security. This resonates with the frustration experienced by organisations who are doing their best to secure their systems, only to have an employee compromise everything with an insecure act. Organisations put a great deal of effort into education and training, but it has become clear that this, on its own, is not sufficient. A wide range of relevant literature has been consulted in order to produce a model that reflects the process from ignorance to actual behaviour, and to highlight the factors that play a role in this pathway. This is the primary contribution of this paper. The model introduces the notion of two gulfs. The gulf of evaluation has the undecided user on one side and, on the other, a user with an intention to behave securely. A set of factors that help to bridge this gulf has been identified from the research literature. The second gulf is called the gulf of execution; its bridging is assisted or deterred by a number of factors that determine whether users convert intentions into actual behaviours. Interestingly, one of the factors that plays a role in bridging both gulfs is security culture. Particular attention is paid to this factor and its role in encouraging secure behaviour.
© 2014 Springer International Publishing Switzerland
Renaud, K., Goucher, W. (2014). The Curious Incidence of Security Breaches by Knowledgeable Employees and the Pivotal Role of Security Culture. In: Tryfonas, T., Askoxylakis, I. (eds) Human Aspects of Information Security, Privacy, and Trust. HAS 2014. Lecture Notes in Computer Science, vol 8533. Springer, Cham. https://doi.org/10.1007/978-3-319-07620-1_32
DOI: https://doi.org/10.1007/978-3-319-07620-1_32
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07619-5
Online ISBN: 978-3-319-07620-1
eBook Packages: Computer Science (R0)