Sage Journals: Discover world-class research

Abstract

In this study three aspects of information security decision making—namely, knowledge of policies and procedures, attitude towards policies and procedures, and self-reported behavior—were examined in conjunction with the organizational factors that may increase human-based cyber vulnerabilities. The results of a survey of 500 Australian employees revealed a significant, positive relationship between information security decision making and organizational information security culture. This suggests that improving the security culture of an organization will positively influence the behavior of employees, which in turn should also improve compliance with security policies. This means that risk to an organization’s information systems and data will be mitigated. The complexity associated with implementing effective rewards and punishments are discussed, along with suggestions for further research to adequately understand the many factors that influence information security decision making.

Keywords

decision making topics safety culture cybersecurity domains cognitive processes organizational processes information systems

Get full access to this article

View all access options for this article.

References

Ajzen

(1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50, 179-211.

Armitage

C. J.

Conner

(2001). Efficacy of the theory of planned behavior: A meta-analytic review. British Journal of Social Psychology, 40, 471-499.

Blackwell

R. D.

Miniard

P. W.

Engel

J. F.

(2001). Consumer behviour (9th ed.). Orlando, FL: Harcourt.

Cameron

Pierce

(2002). Rewards and intrinsic motivation: Resolving the controversy. Westport, CT: Bergin & Garvey.

Cohen

(1988). Statistical power analysis for the behavioral sciences (2nd ed.). Hillsdale, NJ: Lawrence Erlbaum Associates.

Deci

E. L.

Koestner

Ryan

R. M.

(1999). A meta-analytic review of experiments examining the effects of extrinsic rewards on intrinsic motivation. Psychological Bulletin, 125(6), 692-700.

Flechais

Riegelsberger

Sasse

M. A.

(2005). Divide and conquer: The role of trust and assurance in the design of secure socio-technical systems. In Proceedings of the 2005 Workshop on New Security Paradigms (pp. 33-41). New York: ACM.

Furnell

(2006). Malicious or misinformed? Exploring a contributor to the insider threat. Computer Fraud & Security, 9, 8-12.

Furnell

S. M.

Gennatou

Dowland

P. S.

(2002). A prototype tool for information security awareness and training. Logistics Information Management, 15, 352-357.

10.

Furnell

Jusoh

Katsabas

(2006). The challenges of understanding and using security: A survey of end-users. Computer Security, 25(1), 27-35.

11.

Grier

R. A.

(2012). Military cognitive readiness at the operational and strategic levels: A theoretical model for measurement development. Journal of Cognitive Engineering and Decision Making, 6(4), 358-392.

12.

Griffin

M. A.

Neal

(2000). Perceptions of safety at work: A framework for linking safety climate to safety performance, knowledge, and motivation. Journal of Occupational Health Psychology, 5, 347-358.

13.

Guldenmund

(2000). The nature of safety culture: A review of theory and research. Safety Science, 34, 215-257.

14.

Herath

Rao

H. R.

(2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support System, 47(2), 154-165.

15.

Herley

(2009). So long, and no thanks for the externalities: The rational rejection of security advice by users. In Proceedings of the 2009 Workshop on New Security Paradigms (pp. 133-144). New York: ACM.

16.

Hofmann

D. A.

Stetzer

(1996). A cross-level investigation of factors influencing unsafe behaviors and accidents. Personnel Psychology, 49, 307-339.

17.

Huber

G. P.

(1981). The nature of organizational decision making and the design of decision support systems. MIS Quarterly, 5(2), 1-10.

18.

Huczynski

Buchanan

(2001). Organizational behavior: An introductory text (4th ed.). Harlow, UK: Prentice Hall.

19.

Jacob

B. A.

Levitt

S. D.

(2003). Rotten apples: An investigation of the prevalence and predictors of teacher cheating. Quarterly Journal of Economics, 118(3), 843-877.

20.

Jones

B. D.

(1999). Bounded rationality. Annual Review of Political Science, 2, 297-321.

21.

Knapp

K. J.

Marshall

T. E.

Rainer

R. K.

Nelson Ford

(2006). Information security: Management’s effect on culture and policy. Information Management & Computer Security, 14, 24-36.

22.

Kolkowska

Dhillon

(2013). Organizational power and information security rule compliance. Computers & Security, 33, 3-11.

23.

Kraemer

Carayon

(2007). Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied Ergonomics, 38, 143-154.

24.

Kruger

H. A.

Kearney

W. D.

(2006). A prototype for assessing information security awareness. Computers & Security, 25, 289-296.

25.

Magklaras

G. B.

Furnell

S. M.

(2005). A preliminary model of end user sophistication for insider threat prediction in IT systems. Computers & Security, 24, 371-380.

26.

McCormac

Parsons

K. M.

Butavicius

M. A.

(2012). Preventing and profiling malicious insider threats (DSTO Technical Report, DSTO-TR-2012-2697). Canberra, Australia: Defence Science and Technology Organization.

27.

McGuire

W. J.

(Ed.). (1969). The nature of attitudes and attitude change (Vol. 3). Reading, MA: Addison-Wesley.

28.

Mosier

K. L.

Fischer

(2010). The role of affect in naturalistic decision making. Journal of Cognitive Engineering and Decision Making, 4(3), 240-255.

29.

Neal

Griffin

M. A.

Hart

P. M.

(2000). The impact of organizational climate on safety climate and individual behavior. Safety Science, 34, 99-109.

30.

O’Reilly

C. A.

Weitz

B. A.

(1980). Managing marginal employees: The use of warnings and dismissals. Administrative Science Quarterly, 25(3), 467-484.

31.

Pahnila

Siponen

Mahmood

(2007, January 3-6). Employees’ behavior towards IS security policy compliance. Paper presented at the 40th Hawaii International Conference on System Sciences, Waikoloa, HI.

32.

Parsons

McCormac

Butavicius

Pattinson

Jerram

(2014). Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q). Computers & Security, 42, 165-176.

33.

Parsons

McCormac

Pattinson

Butavicius

Jerram

(2013). Phishing for the truth: A scenario-based experiment of users’ behavioral response to emails. In Janczewski

L. J.

Wolf

Shenoi

(Eds.), Security and privacy protection in information processing systems—IFIP advances in information and communication technology (Volume 405, pp. 366-378). Auckland, NZ: Springer.

34.

Parsons

McCormac

Pattinson

Butavicius

Jerram

(2014). A study of information security awareness in Australian government organizations. Information Management & Computer Security, 22(4), 334-345.

35.

Pattinson

Jerram

Parsons

K. M.

McCormac

Butavicius

M. A.

(2012). Why do some people manage phishing emails better than others? Information Management & Computer Security, 20(1), 18-28.

36.

Reason

(1990). Human error. Cambridge, UK: Cambridge University Press.

37.

Ruighaver

A. B.

Maynard

S. B.

Chang

(2007). Organizational security culture: Extending the end-user perspective. Computers & Security, 26, 56-62.

38.

Sasse

M. A.

(2003, April 5). Computer security: Anatomy of a usability disaster, and a plan for recovery. Paper presented at the CHI2003 Workshop on Human-Computer Interaction and Security Systems, Ft. Lauderdale, Florida.

39.

Schein

E. H.

(1992). Organizational culture and leadership (2nd ed.). San Francisco: Jossey-Bass.

40.

Schneider

(1975). Organizational climates: An essay. Personnel Psychology, 28, 447-479.

41.

Schneier

(2011). Changing incentives creates security risks. Schneier On Security [web log]. Retrieved September 1, 2014, from https://www.schneier.com/blog/archives/2011/04/changing_incent.html

42.

Schneier

C. E.

(1974). Behavior modification in management: A review and critique. Academy of Management Journal, 17, 528-548.

43.

Schultz

(2005). The human factor in security. Computers & Security, 24(6), 425-426.

44.

Simon

H. A.

(1955). A behavioral model of rational choice. The Quarterly Journal of Economics, 69(1), 99-118.

45.

Simon

H. A.

(1977). The new science of management decision (rev. ed.). Englewood Cliffs, NJ: Prentice-Hall.

46.

Skinner

B. F.

(1938). The behavior of organisms: An experimental analysis. New York: Appleton-Century.

47.

Straub

D. W.

(1990). Effective IS security: An empirical study. Information Systems Research, 1(3), 255-276.

48.

Thomson

K. L.

(2009, April 15-16). Information security conscience: A precondition to an information security culture. Paper presented at the Eighth Annual Security Conference, Las Vegas, Nevada.

49.

Vroom

von Solms

(2004). Towards information security behavioral compliance. Computer Security, 23(3), 191-198.

50.

Wood

C. C.

Banks

W.W.

(1993). Human error: An overlooked but significant information security problem. Computers & Security, 12, 51-60.

51.

Zakaria

Gani

Mohd Nor

Badrul Anuar

(2007, June 17-19). Reengineering information security culture formulation through management perspective. Paper presented at the International Conference on Electrical Engineering and Informatics, Indonesia.

52.

Zohar

(1980). Safety climate in industrial organizations: Theoretical and applied implications. Journal of Applied Psychology, 12, 78-85.

The Influence of Organizational Information Security Culture on Information Security Decision Making

Abstract

Keywords

Get full access to this article

References