Exploring behavioral information security networks in an organizational context: An empirical case study

The purpose of this research is to propose network research as an alternative approach in the behavioral security field. A case study was conducted in a large interior contractor to explore eight organizational networks, four of which focus on security behaviors. The researchers employed social network analysis methods, including quantitative and qualitative ones, to analyze the case study's data and demonstrate the analytical capability of the network analysis approach in the behavioral security field. Key features of the security networks' structures include high transitivity, hierarchy, and centralization, whereas reciprocity and density are lower than in other organizational networks. Moreover, work-related interactions were found to impact security influence; among these, giving IT advice significantly increases one's influential status in security matters. Practical implications include suggestions about the use of network analysis methods as a tool for security managers to monitor their behavioral security networks and devise appropriate strategies. Potential research directions are also elaborated, which future research can employ to promote the novel and practical use of network analysis techniques.
