An Integrative Model of Information Security Awareness for Assessing Information Systems Security Risk

The pervasiveness of IT in supporting critical operations has made organizations increasingly vulnerable to IT threats. Because the impact of malicious IT can be complex, researchers have suggested a multi-perspective approach to better understand malicious IT and threat avoidance behavior. Drawing on concepts from system dynamics, cybernetic theory, and Technology Threat Avoidance Theory (TTAT), we develop a research model that contributes to our understanding of information security awareness (ISA) and its association with IS security risk assessment. Using a sample of 119 IS security practitioners, the ISA research model was tested using structural equation modeling. Our results indicate that the constructs technical knowledge, organizational impact, and attacker assessment are strongly correlated with ISA. Interestingly, organizational impact and attacker assessment showed stronger associations with ISA than technical knowledge did. Our results also indicate that ISA is highly correlated with IS security risk assessment.
