Definition and Multidimensionality of Security Awareness: Close Encounters of the Second Order

This study proposes and examines a multidimensional definition of information security awareness. We also investigate its antecedents and analyze its effects on compliance with organizational information security policies. These research goals are tested through the theoretical lens of technology threat avoidance theory and protection motivation theory. Information security awareness is defined as a second-order construct composed of the elements of threat and coping appraisals, supplemented by a responsibilities construct to account for the organizational environment. The study was executed in two stages. First, the participants (employees of a municipality) were exposed to a series of phishing messages. Second, the same individuals were asked to participate in a survey designed to examine their security awareness. The research model was tested using the PLS-SEM approach. The results indicate that security awareness is in fact a second-order formative construct composed of six components. There are significant differences in security awareness levels between the victims of the phishing experiment and the employees who maintain compliance with security policies. Our study extends the theory by proposing and validating a general, yet practical, definition of security awareness. It also bridges the gap between theory and practice: our contextualization of security awareness draws heavily on both fields.
