Explaining the Development of Information Security Climate and an Information Security Support Network: A Longitudinal Social Network Analysis

Behavioural information security (InfoSec) research has studied InfoSec at workplaces through the employees' perceptions of InfoSec climate, which is determined by observable InfoSec practices performed by their colleagues and direct supervisors. Prior studies have identified the antecedents of a positive InfoSec climate, in particular socialisation through the employees' discussions of InfoSec-related matters, to explain the formation of InfoSec climate based on the employees' individual cognition. We conceptualise six forms of socialisation as six networks, which comprise employees' provisions of (1) work advice, (2) organisational updates, (3) personal advice, (4) trust for expertise, (5) InfoSec advice, and (6) InfoSec troubleshooting support. The adoption of a longitudinal social network analysis (SNA), called stochastic actor-oriented modelling (SAOM), enabled us to analyse the changes in the socialising patterns and the InfoSec climate perceptions over time. Consequently, this analysis explains the forming mechanisms of the employees' InfoSec climate perceptions as well as their socialising process in greater detail. Our findings in relation to the forming mechanisms of InfoSec-related socialisation and InfoSec climate provide practical recommendations to improve organisational InfoSec. This includes identifying influential employees to diffuse InfoSec knowledge within a workplace. Additionally, this research proposes a novel approach for InfoSec behavioural research through the adoption of SNA methods to study InfoSec-related phenomena.
