Security onboarding: an interview study on security training for temporary employees

After being placed into a position, it is common for new employees to be acclimated to an organization's culture, rules, and procedures via a process called onboarding. These processes are critical to ensure that employees become valuable assets to an organization and abide by organizational rules and procedures. In this research study, we interviewed senior undergraduate students who had recently completed internships to determine what, if any, onboarding process they completed for their placement. Applying qualitative analysis, we find that the onboarding processes for these interns varied widely, from no onboarding at all to several extensive training sessions. Similarly, some interns reported high-level technical security training, while others reported almost no restrictions while on organizational networks. We build on our findings by providing recommendations for organizational improvements for interns, and by extension, full-time employees.
