Investigating the impact of cybersecurity policy awareness on employees' cybersecurity behavior

Abstract

As internet technology and mobile applications increase in volume and complexity, malicious cyber-attacks are evolving, and as a result society faces greater security risks in cyberspace than ever before. This study extends the published literature on cybersecurity by theoretically defining the conceptual domains of employees’ security behavior, and by developing and testing operational measures to advance information security behavior research in the workplace. A conceptual framework is proposed and tested using survey results from 579 business managers and professionals. Structural equation modeling and ANOVA procedures are employed to test the proposed hypotheses. The results show that employees who are aware of their company’s information security policy and procedures are more competent to manage cybersecurity tasks than those who are not aware of their companies’ cybersecurity policies. The study also indicates that an organizational information security environment positively influences employees’ threat appraisal and coping appraisal abilities, which, in turn, positively contribute to their cybersecurity compliance behavior.
