A case for information security awareness (ISA) programmes to protect global information, innovation and knowledge resources

The global diffusion of new technology and the increasing use of Web 2.0 networking and cloud computing have enabled organisations to exchange significant amounts of information and knowledge. The successful transfer of knowledge and innovation has become critical to organisational competitiveness and survival. However, increased connectivity and unrestricted information sharing have rendered global organisations vulnerable to cyber-threats capable of breaching databases and restricted information. As cyber-attacks have become increasingly successful, organisations have invested more in cyber-safeguards to protect intellectual property and strategic data. Often absent from this strategic equation is the dissemination of knowledge to employees regarding the impact of cyber-attacks and how to protect informational resources. Research demonstrates that cyber-attacks are deterred and mitigated by the use of information security awareness (ISA) programmes. This paper discusses the key components recommended for a viable ISA programme for global organisations seeking to educate their employees on the due care required to protect knowledge resources and intellectual property.
