Collective information security behaviour: a technology-driven framework

Purpose: This paper aims to present the development of a framework for evaluating group behaviour in information security in practice.

Design/methodology/approach: Information security behavioural threshold analysis is used as the theoretical foundation for the proposed framework. The suitability of the proposed framework is evaluated based on two sets of qualitative measures (general frameworks and information security frameworks) which were identified from literature. The successful evaluation of the proposed framework, guided by the identified evaluation measures, is presented in terms of positive practical applications, as well as positive peer review and publication of the underlying theory.

Findings: A methodology to formalise a framework to analyse group behaviour in information security can successfully be applied in a practical environment. This application takes the framework from only a theoretical conceptualisation to an implementable solution to evaluate and positively influence information security group behaviour.

Practical implications: Behavioural threshold analysis is identified as a practical mechanism to evaluate information security group behaviour. The suggested framework, as implemented in a management decision support system (DSS), allows practitioners to assess the security behaviour and awareness in their organisation. The resulting information can be used to exert an influence for positive change in the information security of the organisation.

Originality/value: A novel conceptual mapping of two sets of qualitative evaluation measures is presented and used to evaluate the proposed framework. The resulting framework is made practical through its encapsulation in a DSS.
