A theory-based review of information security behavior in the organization and home context

The use of interconnected information and communication systems has broadened computer users' exposure to cyber-attacks. However, effective information security measures depend on users' willingness to apply the security technologies available to them. Automation of security measures is often recommended, but not all security challenges can be solved in this way, and users often bypass such measures through insecure behaviour. The purpose of this paper is to provide a systematic review of the academic literature, analysing existing research on information security behaviour. The findings are synthesised into a theory-based perspective that indicates the dominant theoretical approaches used to date. It is found that limited research attention has been given to information security behaviour in the home context. Our findings motivate further research into information security beyond technical issues and beyond the organisational context.
