Information security management and the human aspect in organizations

The aim of this study is to encourage management boards to recognize that employees play a major role in the management of information security. These issues therefore need to be addressed efficiently, especially in organizations in which data are a valuable asset.

Before the survey instrument was developed, effective measures were first identified and built upon a review of the existing literature, and the survey questionnaires were set according to past studies and the findings of qualitative analyses. Data were collected using a cross-sectional questionnaire with a Likert scale, in which each question was related to an item, as in the work of Witherspoon et al. (2013). Data analysis was done using SPSS.3B.

Based on the results and findings of three surveys, a principle of information security compliance practices was proposed, built on the authors' nine-five-circle (NFC) principle, which enhances information security management by identifying human conduct and IT security-related issues in information security management. Furthermore, the authors' principle closes the gap between technology and humans in this study by proving that the factors in the present study's findings are interrelated and work together rather than on their own.

The main objective of this study was to address the lack of research evidence on what mobilizes and influences the development and implementation of information security management. This objective has been fulfilled by surveying, collecting and analyzing data and by giving an account of the attributes that hinder information security management. Accordingly, a major practical contribution of the present research is the empirical data it provides, which enable a bigger picture and more precise information about the real issues that cause information security management shortcomings.

Although this study has limitations concerning the development of a diagnostic tool, it nevertheless provides the main procedure for measuring a framework that assesses information security compliance policies in the organizations surveyed.

The present study's findings indicate that using flexible tools that can be scoped to meet individual organizational needs has positive effects on the implementation of information security management policies within an organization. Accordingly, the research proposes that organizations should abandon oversimplified, generalized guidelines that neglect the differences in information security requirements between organizations. Instead, they should focus on how to sustain and enhance their compliance through a dynamic compliance process that involves awareness of the compliance regulation, controlling integration and closing gaps.

The rapid growth of information technology (IT) has created numerous business opportunities. At the same time, this growth has increased information security risk. IT security risk is an important issue in industrial sectors and in organizations that are innovating owing to globalization or changes in organizational culture. Previously, technology-associated risk assessments focused on various technology factors, but since the early twenty-first century the most important issue identified in technology risk studies has been the human factor.

[1] Dan N. Stone, et al. Antecedents of organizational knowledge sharing: a meta-analysis and critique, 2013, J. Knowl. Manag.

[2] Huseyin Cavusoglu, et al. Model for Evaluating, 2022.

[3] Eirik Albrechtsen, et al. Implementation and effectiveness of organizational information security measures, 2008, Inf. Manag. Comput. Secur.

[4] Mikko T. Siponen, et al. Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study, 2010, MIS Q.

[5] Jan Guynes Clark, et al. Why there aren't more information security research studies, 2004, Inf. Manag.

[6] Younghwa Lee, et al. An empirical investigation of anti-spyware software adoption: A multitheoretical perspective, 2008, Inf. Manag.

[7] Xiangbin Yan, et al. Information disclosure on social networking sites: An intrinsic-extrinsic motivation perspective, 2015, Comput. Hum. Behav.

[8] Kailash Joshi, et al. Understanding User Resistance and Acceptance during the Implementation of an Order Management System: A Case Study Using the Equity Implementation Model, 2005.

[9] Stefan Fenz, et al. Toward web-based information security knowledge sharing, 2013, Inf. Secur. Tech. Rep.

[10] Paul Benjamin Lowry, et al. Using Accountability to Reduce Access Policy Violations in Information Systems, 2013, J. Manag. Inf. Syst.

[11] Carol W. Hsu, et al. Frame misalignment: interpreting the implementation of information systems security certification in an organization, 2009, Eur. J. Inf. Syst.

[12] Malcolm Robert Pattinson, et al. Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q), 2014, Comput. Secur.

[13] Heejo Lee, et al. APFS: Adaptive Probabilistic Filter Scheduling against distributed denial-of-service attacks, 2013, Comput. Secur.

[14] Andrew James Simmonds, et al. An Ontology for Network Security Attacks, 2004, AACC.

[15] Gavriel Salvendy, et al. Usability and Security: An Appraisal of Usability Issues in Information Security Methods, 2001, Comput. Secur.

[16] Elmarie Kritzinger, et al. Cyber security for home users: A new way of protection through awareness enforcement, 2010, Comput. Secur.

[17] Rossouw von Solms, et al. Phishing for phishing awareness, 2013, Behav. Inf. Technol.

[18] Steve Love, et al. Security awareness of computer users: A phishing threat avoidance perspective, 2014, Comput. Hum. Behav.

[19] Tejaswini Herath, et al. Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness, 2009, Decis. Support Syst.

[20] Jean-Noël Ezingeard, et al. Information Assurance and Corporate Strategy: A Delphi Study of Choices, Challenges, and Developments for the Future, 2011, Inf. Syst. Manag.

[21] Sean B. Maynard, et al. Information security strategies: towards an organizational multi-strategy perspective, 2014, J. Intell. Manuf.

[22] Susan J. Harrington, et al. The Effect of Codes of Ethics and Personal Denial of Responsibility on Computer Abuse Judgments and Intentions, 1996, MIS Q.

[23] Shan Ling Pan, et al. Towards a process model of information systems implementation: the case of customer relationship management (CRM), 2006, DATB.

[24] Avshalom Caspi, et al. Does the Perceived Risk of Punishment Deter Criminally Prone Individuals? Rational Choice, Self-Control, and Crime, 2004.

[25] A. B. Ruighaver, et al. Incident response teams - Challenges in supporting the organisational security function, 2012, Comput. Secur.

[26] Jie Zhang, et al. Impact of perceived technical protection on security behaviors, 2009, Inf. Manag. Comput. Secur.

[27] Steven Furnell, et al. Information security conscious care behaviour formation in organizations, 2015, Comput. Secur.

[28] Jintae Lee, et al. A holistic model of computer abuse within organizations, 2002, Inf. Manag. Comput. Secur.

[29] Jemal H. Abawajy, et al. User preference of cyber security awareness delivery methods, 2014, Behav. Inf. Technol.

[30] Anat Hovav, et al. Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea, 2012, Inf. Manag.

[31] Cheng Jin, et al. Defense Against Spoofed IP Traffic Using Hop-Count Filtering, 2007, IEEE/ACM Transactions on Networking.

[32] Tero Vartiainen, et al. Unauthorized copying of software and levels of moral development: a literature analysis and its implications for research and practice, 2004, Inf. Syst. J.

[33] Rathindra Sarathy, et al. Understanding compliance with internet use policy from the perspective of rational choice theory, 2010, Decis. Support Syst.

[34] Mo Adam Mahmood, et al. Employees' Behavior towards IS Security Policy Compliance, 2007, 40th Annual Hawaii International Conference on System Sciences (HICSS'07).

[35] Tsung Teng Chen, et al. Knowledge sharing in interest online communities: A comparison of posters and lurkers, 2014, Comput. Hum. Behav.

[36] Jelena Mirkovic, et al. D-WARD: a source-end defense against flooding denial-of-service attacks, 2005, IEEE Transactions on Dependable and Secure Computing.

[37] Kirstie Hawkey, et al. An integrated view of human, organizational, and technological challenges of IT security management, 2009, Inf. Manag. Comput. Secur.

[38] Yufei Yuan, et al. The effects of multilevel sanctions on information security violations: A mediating model, 2012, Inf. Manag.

[39] Detmar W. Straub, et al. Discovering and Disciplining Computer Abuse in Organizations: A Field Study, 1990, MIS Q.

[40] Serpil Aytac, et al. Factors influencing information security management in small- and medium-sized enterprises: A case study from Turkey, 2011, Int. J. Inf. Manag.

[41] A. Picot, et al. Information Security Management (ISM) Practices: Lessons from Select Cases from India and Germany, 2013.

[42] Mikko T. Siponen, et al. An analysis of the traditional IS security approaches: implications for research and practice, 2005, Eur. J. Inf. Syst.

[43] Jurij F. Tasic, et al. Information systems security and human behaviour, 2007, Behav. Inf. Technol.

[44] Dag H. Olsen, et al. An Empirical Research on the Impacts of organisational decisions' locus, tasks structure rules, knowledge, and IT function's value on ERP system success, 2015.

[45] H. W. Jordan, et al. On crime and punishment, 1990, Journal of the National Medical Association.

[46] Jordan Shropshire, et al. Personality, attitudes, and intentions: Predicting initial adoption of information security behavior, 2015, Comput. Secur.

[47] Thompson S. H. Teo, et al. Prevalence, perceived seriousness, justification and regulation of cyberloafing in Singapore: An exploratory study, 2005, Inf. Manag.

[48] Nico Martins, et al. Improving the information security culture through monitoring and implementation actions illustrated through a case study, 2015, Comput. Secur.

[49] Richard Baskerville, et al. Information systems security design methods: implications for information systems development, 1993, CSUR.

[50] H. Compston, et al. Policy Networks and Policy Change, 2009.

[51] Deborah Bunker, et al. Circuits of Power: A Study of Mandated Compliance to an Information Systems Security De Jure Standard in a Government Organization, 2010, MIS Q.

[52] Eirik Albrechtsen, et al. Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study, 2010, Comput. Secur.

[53] Jai-Yeol Son, et al. Out of fear or desire? Toward a better understanding of employees' motivation to follow IS security policies, 2011, Inf. Manag.

[54] Shuchih Ernest Chang, et al. Organizational factors to the effectiveness of implementing information security management, 2006, Ind. Manag. Data Syst.

[55] Huseyin Cavusoglu, et al. The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers, 2004, Int. J. Electron. Commer.

[56] Helmut Krcmar, et al. Security Analysis of the German Electronic Health Card's Peripheral Parts, 2009, ICEIS.

[57] Ninghui Li, et al. Denial of service attacks and defenses in decentralized trust management, 2006, Securecomm and Workshops.

[58] Ken H. Guo. Security-related behavior in using information systems in the workplace: A review and synthesis, 2013, Comput. Secur.

[59] Princely Ifinedo, et al. Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory, 2012, Comput. Secur.

[60] Hock-Hai Teo, et al. An integrative study of information systems security effectiveness, 2003, Int. J. Inf. Manag.

[61] Laurie J. Kirsch, et al. If someone is watching, I'll do what I'm asked: mandatoriness, control, and information security, 2009, Eur. J. Inf. Syst.

[62] Jean-Noël Ezingeard, et al. Anchoring information security governance research: sociological groundings and future directions, 2006.

[63] Kai Hwang, et al. Collaborative detection and filtering of shrew DDoS attacks using spectral analysis, 2006, J. Parallel Distributed Comput.

[64] James Backhouse, et al. Current directions in IS security research: towards socio-organizational perspectives, 2001, Inf. Syst. J.

[65] Iván Arce, et al. The Weakest Link Revisited, 2003, IEEE Secur. Priv.

[66] H. Raghav Rao, et al. Protection motivation and deterrence: a framework for security policy compliance in organisations, 2009, Eur. J. Inf. Syst.

[67] Robert Willison, et al. Understanding the perpetration of employee computer crime in the organisational context, 2006, Inf. Organ.

[68] Nader Sohrabi Safa, et al. A customer loyalty formation model in electronic commerce, 2013.

[69] Mo Adam Mahmood, et al. Employees' adherence to information security policies: An exploratory field study, 2014, Inf. Manag.

[70] Detmar W. Straub, et al. Institutional Influences on Information Systems Security Innovations, 2012, Inf. Syst. Res.

[71] Timothy Paul Cronan, et al. Piracy, computer crime, and IS misuse at the university, 2006, Commun. ACM.

[72] Kirstie Hawkey, et al. Security practitioners in context: their activities and interactions, 2008, Int. J. Hum. Comput. Stud.

[73] Keng Siau, et al. Acceptable internet use policy, 2002, CACM.

[74] Qing Hu, et al. The role of external and internal influences on information systems security - a neo-institutional perspective, 2007, J. Strateg. Inf. Syst.

[75] Qing Hu, et al. Future directions for behavioral information security research, 2013, Comput. Secur.

[76] Qingxiong Ma, et al. An Integrated Framework for Information Security Management, 2009.

[77] Gregory White, et al. An Empirical Study on the Effectiveness of Common Security Measures, 2010, 43rd Hawaii International Conference on System Sciences.

[78] Marco de Vivo, et al. Internet security attacks at the basic levels, 1998, OPSR.

[79] Graeme G. Shanks, et al. A situation awareness model for information security risk management, 2014, Comput. Secur.