Protecting information from a wide variety of security threats is an important and sometimes daunting organizational activity. Instead of relying solely on technological advancements to help solve human problems, managers within firms must recognize and understand the roles that organizational insiders have in the protection of information (Choobineh et al. 2007; Vroom et al. 2004). The systematic study of human influences on organizational information security is termed behavioral information security (Fagnot 2008; Stanton et al. 2006b), and it affirms that the protection of organizational information assets is best achieved when the detrimental behaviors of organizational insiders are effectively deterred and the beneficial activities of these individuals are appropriately encouraged. Relative to the former, the latter facet has received little attention in the academic literature.

Given this opportunity, this research explicitly focuses upon protective behaviors that help promote the protection of organizational information resources. These behaviors are termed protection-motivated behaviors (PMBs). PMBs are defined as the volitional behaviors organizational insiders can enact that protect (1) organizationally relevant information within their firms and (2) the computer-based information systems in which that information is stored, collected, disseminated, and/or manipulated from information-security threats. This paper focuses upon the development of a formal typology of PMBs as viewed by organizational insiders. Data are obtained from 33 interviews and several end-user surveys, which are then utilized by the complementary classification techniques of Multidimensional Scaling (MDS), Property Fitting (ProFit) analysis, and cluster analysis. Sixty-seven individual PMBs were discovered, and the above classification techniques uncovered a three-dimensional perceptual space common among organizational insiders regarding PMBs. This space verifies that insiders differentiate PMBs according to whether the behaviors (1) require a minor or continual level of improvements within organizations, (2) are widely or narrowly standardized and applied throughout various organizations, and (3) are a reasonable or unreasonable request of organizations to make of their insiders. Fourteen unique clusters were also discovered during this process; this finding further assists information security researchers and practitioners in their understanding of how organizational insiders perceive the behaviors that help protect information assets.
[1] Rossouw von Solms, et al. Towards information security behavioural compliance. 2004, Comput. Secur.
[2] T. Falbo. Multidimensional scaling of power strategies. 1977.
[3] Huseyin Cavusoglu, et al. Economics of IT Security Management. 2004, Economics of Information Security.
[4] Effy Oz, et al. Ethical Standards for Information Systems Professionals: A Case for a Unified Code. 1992, MIS Q.
[5] Rathindra Sarathy, et al. An Enhanced Data Perturbation Approach for Small Data Sets. 2005, Decis. Sci.
[6] Rossouw von Solms, et al. Information security culture: A management perspective. 2010, Comput. Secur.
[7] Geoff Walsham, et al. Ethical theory, codes of ethics and IS practice. 1996.
[8] Sharath Pankanti, et al. Biometrics: a tool for information security. 2006, IEEE Transactions on Information Forensics and Security.
[9] Richard F. Deckro, et al. Evaluating information assurance strategies. 2005, Decis. Support Syst.
[10] K. Beck, et al. Information seeking among safety and health managers. 1983, The Journal of psychology.
[11] Michael E. Whitman. Enemy at the gate: threats to information security. 2003, CACM.
[12] J. Kruskal. The Relationship between Multidimensional Scaling and Clustering. 1977.
[13] George Rabinowitz, et al. An Introduction to Nonmetric Multidimensional Scaling. 1975.
[14] R. W. Rogers, et al. A Protection Motivation Theory of Fear Appeals and Attitude Change. 1975, The Journal of psychology.
[15] D. Straub. Effective IS Security. 1990.
[16] A. Bandura. Self-efficacy: toward a unifying theory of behavioral change. 1977, Psychology Review.
[17] Anat Hovav, et al. Deterring internal information systems misuse. 2007, CACM.