Assessing information security attitudes: a comparison of two studies

Purpose: The purpose of this paper is to report on the use of two studies that assessed the attitudes of typical computer users. The aim of the research was to compare a self-reporting online survey with a set of one-on-one repertory grid technique interviews. More specifically, this research focussed on participant attitudes toward naive and accidental information security behaviours.

Design/methodology/approach: In the first study, 23 university students responded to an online survey within a university laboratory setting that captured their attitudes toward behaviours in each of seven focus areas. In the second study, the same students participated in a one-on-one repertory grid technique interview that elicited their attitudes toward the same seven behaviours. Results were analysed using Spearman correlations.

Findings: There were significant correlations for three of the seven behaviours, although attitudes relating to password management, use of social networking sites, information handling and reporting of security incidents were not significantly correlated.

Research limitations/implications: The small sample size (n = 23) and the fact that participants were not necessarily representative of typical employees may have impacted on the results.

Practical implications: This study contributes to the challenge of developing a reliable instrument that will assess individual InfoSec awareness. Senior management will be better placed to design intervention strategies, such as training and education of employees, if individual attitudes are known. This, in turn, will reduce risk-inclined behaviour and lead to a more secure organisation.

Originality/value: The literature review indicates that this study addresses a genuine gap in the research.
