Information Security Behavior: Factors and Research Directions

This study presents an extensive literature review of information security behavior, focusing on the factors that affect the security behavior of users in organizational environments. The study critically analyzes articles on information security behavior and brings forward 18 themes for security practitioners and researchers to consider when implementing information security initiatives. Researchers and practitioners can use the findings of this review as a roadmap to guide further research in information security behavior. The factors identified in this paper can also be used to improve information security programs in organizations.
