Whose Risk Is It Anyway: How Do Risk Perception and Organisational Commitment Affect Employee Information Security Awareness?

Since information security (InfoSec) incidents often involve human error, businesses are investing greater resources into improving staff awareness and compliance with best-practice InfoSec behaviours. This research examined whether employees who feel that they may be personally affected by workplace InfoSec incidents are more likely to behave in accordance with those best-practice behaviours. To further understand this, we also examined organisational commitment and risk perception. Data collection involved an online questionnaire measuring these constructs in relation to three workplace cyber threats: phishing, malware, and mobile devices. The questionnaire was completed by 269 employed Australians. Participants who felt more personally affected by attacks associated with mobile devices were more likely to report following best-practice behaviours in that context at work. This was not the case for phishing and malware attacks. Other variables, including age, gender, employment level and InfoSec training, were also found to predict reported compliance with best-practice behaviours, and employees with more frequent training self-reported poorer compliance. Theoretical and practical implications are discussed.
