Bridging the divide: A qualitative comparison of information security thought patterns between information security professionals and ordinary organizational insiders

Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with information security efforts and compares it against the mindset of information security professionals. Interviews were conducted with 22 ordinary insiders and 11 information security professionals; these interviews provide insight into how insiders gauge the efficacy of recommended responses to information security threats. Several key differences between insiders’ and professionals’ security mindsets are also discussed.
