Factors of people-centric security climate: conceptual model and exploratory study in Vietnam

There is an increasing focus on the persuasive approach to developing a people-centric security climate in which employees are aware of the priority of security and proactively perform conscious security behaviour. Employees can evaluate the priority of security as they observe and interact with the security features that constitute the security climate of the workplace. We examined the fundamental challenge that not every employee could recognise those features. In this multi-stage research, we adopted the theoretical lens of symbolic interactionism to advance a conceptual model which explains the relationship between an organisation's social networks and the formation of information security climate. A descriptive case study in Vietnam was then conducted to refine the proposed model. The findings validated and extended the dimensions of information security climate, and identified the relevant social networks of the organisation (i.e. information, affect, and power) that lead to its formation.
