A Descriptive Review and Classification of Organizational Information Security Awareness Research

Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, published over the last decade from 2008 to 2018, was analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving, with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology, and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding.
