Organizational Data Breach: Building Conscious Care Behavior in Incident Response

Information security conscious care behavior in incident response plays a major role in organizational and end-user data breaches. This research study draws upon the literature in the areas of information security, incident response, the theory of planned behavior, and protection motivation theory to expand and empirically validate a modified framework of information security conscious care behavior formation. The applicability of the theoretical framework is shown through a case study of the 2018 SingHealth data breach, which has been labelled a cyber-attack of unprecedented scale and sophistication in Singapore's history to date. In this single in-depth case study, information security awareness, policy, experience, attitude, subjective norms, perceived behavioral control, threat appraisal and self-efficacy emerged prominently in the framework's applicability to incident handling. The data analysis did not support a relationship between threat severity and conscious care behavior. The findings from these observations are presented as possible key drivers in shaping information security conscious care behavior in real-world cyber incident management.
