Understanding the Antecedents of Information Security Awareness - An Empirical Study

Employees’ information security awareness (ISA) is a key antecedent of information security behavior. However, to date we know very little about the factors that are responsible for some employees having a higher level of ISA than others. Our study addresses this gap. We propose a model that comprises institutional, individual, and environmental factors preceding ISA. The model was empirically tested with survey data gathered from 475 employees of different organizations and industries. The model was found to explain a substantial proportion (.53) of the variance. The results indicate that providing employees with comprehensible and readily accessible information on security policies and improving employees’ IT knowledge are the two most influential antecedents of ISA. The findings will help refine researchers’ understanding of ISA and will be useful for diverse stakeholders interested in encouraging employees’ information security policy-compliant behavior.
