Identifying HRM Practices for Improving Information Security Performance: An Importance-Performance Map Analysis

This article identifies the key human resource management (HRM) practices needed to improve information security performance, from the perspective of IT professionals. The Importance-Performance Map Analysis (IPMA) in SmartPLS 3.0 was applied to 232 samples collected from information technology (IT) professionals in 43 organizations. The analysis identified information security training, background checks and monitoring as very important HRM practices that could improve the performance of organizational information security. In particular, the study found training on mobile device security and malware, as well as background checks and monitoring of potential, current and former employees, to be of high importance but low performance; these key areas therefore need to be improved with top priority. Conversely, the study found accountability and employee relations to be over-emphasized by the organizations. The findings raise useful implications and information for HR and IT leaders to consider in future information security strategy.
