CURBING MISBEHAVIOUR WITH INFORMATION SECURITY MEASURES: AN EMPIRICAL EVIDENCE FROM A CASE STUDY

Hanifah Abdul Hamid & Nuradli Ridzwan Shah Mohd Dali

Authors

  • Hanifah Abdul Hamid, Universiti Sains Islam Malaysia
  • Nuradli Ridzwan Shah Mohd Dali, Universiti Sains Islam Malaysia

DOI:

https://doi.org/10.33102/abqari.vol17no1.82

Keywords:

Cloud computing, information security, behaviour, measures

Abstract

Organisations generally still struggle with information security breaches despite the various technical protections used to secure their valuable information, especially information stored in cloud applications. This is due to the fact that human behaviour is the weakest link of the security chain. Security compromises cause substantial financial and non-financial losses to organisations and jeopardise their reputation. Technical protection alone seems insufficient to ensure information safety. Therefore, this research takes a socio-technical perspective to strengthen information security. Addressing these factors is significant in helping to create a healthy security culture in the organisation. Nevertheless, human behaviour is subjective in nature. Employees' behaviour depends upon the way they think, feel and act towards security issues, which calls for an in-depth understanding of their security behaviour. Hence, adapting the sequential exploratory mixed-method approach, through the theoretical lens of social cognitive theory and security measures from extended deterrence theory, this study examines the information security behaviour of employees at an IT department of a public university as the case study. Partial least squares was used to analyse data collected via survey. The study shows that personal values and behaviour, apart from effective technical security measures, are important factors in inculcating information security compliance behaviour.

 


Abstract (translated from Malay)

In general, organisations are still struggling with information security breaches despite the various technical protections used to secure their valuable information, which is stored especially in cloud applications. This is due to the fact that human behaviour is the weakest link in the security chain. Security compromises cause substantial financial and non-financial losses to organisations, which damage the organisations' reputation. Technical protection alone is not sufficient to ensure information security. Therefore, this study takes a socio-technical perspective to strengthen information security. Addressing these factors is important to help create a healthy security culture in the organisation. However, human behaviour is subjective in nature. Employees' behaviour depends on the way they think and act towards security issues, which requires an in-depth understanding of their security behaviour. Therefore, adapting the mixed-method approach, through social cognitive theory and security measures from extended deterrence theory, this study examines the information security behaviour of employees at the IT department of a public university in the form of a case study. The Partial Least Square model was used to analyse data collected through a survey. The study shows that personal values and behaviour, apart from technical security measures carried out effectively, are important factors in inculcating information security compliance behaviour.

Keywords: cloud computing, information security, behaviour, measures.


Published

2019-02-27

How to Cite

[1]
Abdul Hamid, H. and Mohd Dali, N.R.S. 2019. CURBING MISBEHAVIOUR WITH INFORMATION SECURITY MEASURES: AN EMPIRICAL EVIDENCE FROM A CASE STUDY: Hanifah Abdul Hamid & Nuradli Ridzwan Shah Mohd Dali. ‘Abqari Journal. 17, 1 (Feb. 2019), 28–38. DOI:https://doi.org/10.33102/abqari.vol17no1.82.