Publication


Featured research published by Allen C. Johnston.


Management Information Systems Quarterly | 2010

Fear appeals and information security behaviors: an empirical study

Allen C. Johnston; Merrill Warkentin

Information technology executives strive to align the actions of end users with the desired security posture of management and of the firm through persuasive communication. In many cases, some element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear how these fear-inducing arguments, known as fear appeals, will ultimately impact the actions of end users. The purpose of this study is to investigate the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats. An examination was performed that culminated in the development and testing of a conceptual model representing an infusion of technology adoption and fear appeal theories. Results of the study suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence. The findings of this research contribute to information systems security research, human-computer interaction, and organizational communication by revealing a new paradigm in which IT users form perceptions of the technology, not on the basis of performance gains, but on the basis of utility for threat mitigation.


Computers & Security | 2013

Future directions for behavioral information security research

Robert E. Crossler; Allen C. Johnston; Paul Benjamin Lowry; Qing Hu; Merrill Warkentin; Richard Baskerville

Information Security (InfoSec) research is far reaching and includes many approaches to deal with protecting and mitigating threats to the information assets and technical resources available within computer based systems. Although a predominant weakness in properly securing information assets is the individual user within an organization, much of the focus of extant security research is on technical issues. The purpose of this paper is to highlight future directions for Behavioral InfoSec research, which is a newer, growing area of research. The ensuing paper presents information about challenges currently faced and future directions that Behavioral InfoSec researchers should explore. These areas include separating insider deviant behavior from insider misbehavior, approaches to understanding hackers, improving information security compliance, cross-cultural Behavioral InfoSec research, and data collection and measurement issues in Behavioral InfoSec research.


European Journal of Information Systems | 2011

The influence of the informal social learning environment on information privacy policy compliance efficacy and intention

Merrill Warkentin; Allen C. Johnston; Jordan Shropshire

Throughout the world, sensitive personal information is now protected by regulatory requirements that have translated into significant new compliance oversight responsibilities for IT managers who have a legal mandate to ensure that individual employees are adequately prepared and motivated to observe policies and procedures designed to ensure compliance. This research project investigates the antecedents of information privacy policy compliance efficacy by individuals. Using Health Insurance Portability and Accountability Act compliance within the healthcare industry as a practical proxy for general organizational privacy policy compliance, the results of this survey of 234 healthcare professionals indicate that certain social conditions within the organizational setting (referred to as external cues and comprising situational support, verbal persuasion, and vicarious experience) contribute to an informal learning process. This process is distinct from the formal compliance training procedures and is shown to influence employee perceptions of efficacy to engage in compliance activities, which contributes to behavioural intention to comply with information privacy policies. Implications for managers and researchers are discussed.


Management Information Systems Quarterly | 2015

An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric

Allen C. Johnston; Merrill Warkentin; Mikko T. Siponen

Fear appeals, which are used widely in information security campaigns, have become common tools in motivating individual compliance with information security policies and procedures. However, empirical assessments of the effectiveness of fear appeals have yielded mixed results, leading IS security scholars and practitioners to question the validity of the conventional fear appeal framework and the manner in which fear appeal behavioral modeling theories, such as protection motivation theory (PMT), have been applied to the study of information security phenomena. We contend that the conventional fear appeal rhetorical framework is inadequate when used in the context of information security threat warnings and that its primary behavioral modeling theory, PMT, has been misspecified in the extant information security research. Based on these arguments, we propose an enhanced fear appeal rhetorical framework that leverages sanctioning rhetoric as a secondary vector of threats to the human asset, thereby adding the dimension of personal relevance, which is critically absent from previous fear appeal frameworks and PMT-grounded security studies. Following a hypothetical scenario research approach involving the employees of a Finnish city government, we validate the efficacy of the enhanced fear appeal framework and determine that informal sanction rhetoric effectively enhances conventional fear appeals, thus providing a significant positive influence on compliance intentions.


Communications of The ACM | 2009

Improved security through information security governance

Allen C. Johnston; Ron Hale

Within the modern, hyper-connected business landscape, organizations are constantly under attack. According to the 2005 Computer Crime and Security Survey, conducted jointly by the Computer Security Institute (CSI) and the San Francisco Office of the Federal Bureau of Investigation (FBI), 56% of respondents reported unauthorized computer system use during the past year [2]. These unauthorized uses include malicious acts such as theft or destruction of intellectual property, insider abuse and unauthorized access to information that results in a loss of data integrity and confidentiality, as well as malware threats such as viruses, spyware, worms, and Trojans [2]. Based on responses obtained from a sample of 700 security practitioners from government, financial, medical, business, and higher education institutions, the most frequently reported forms of malicious attack were virus attacks and insider abuse at a reported rate of approximately 75% and 50%, respectively [2]. Within the realm of the 639 respondents willing to estimate losses due to threats, the total costs associated with virus attacks were determined to be approximately $43 million, while insider abuse costs were nearly $7 million [2]. While these figures are an improvement over past years, clearly many firms still operate ineffective information protection programs. Ineffective protection can often be attributed to the manner in which firms go about planning their information security programs [6]. Far too many firms take a reactive approach to information security planning [6]. Their strategies for asset protection are derived from the bottom up, based on incidents at the perimeter of the organization. As such, these firms segregate information security from their overall strategic directive, thereby creating a divide between the governance of the firm and the management of information security. The results of such a disconnect can be disastrous, as management and employees may lose touch with the value of appropriate security actions and as business processes become bogged down with unnecessary or improper controls. In scenarios such as these, a different perspective for security planning is warranted. In this article, we examine information security planning at the strategic level of the enterprise and empirically assess its value in enhancing the quality of information security programs. Included in this examination is a survey of security professionals in which they report their perceptions of information security program quality within their respective firms. The results of this study allow us to compare the quality of information security programs implemented …


Information Management & Computer Security | 2008

Information security management objectives and practices: a parsimonious framework

Qingxiong Ma; Allen C. Johnston; J. Michael Pearson

Purpose – As part of their continuing efforts to establish effective information security management (ISM) practices, information security researchers and practitioners have proposed and developed many different information security standards and guidelines. Building on these previous efforts, the purpose of this study is to put forth a framework for ISM. Design/methodology/approach – This framework is derived from the development of an a priori set of objectives and practices as suggested by literature, standards, and reports found in academia and practice; the refinement of these objectives and practices based on survey data obtained from 354 certified information security professionals; and the examination of interrelationships between the objectives and practices. Findings – The empirical analysis suggests: four factors (information integrity, confidentiality, accountability, and availability) serve as critical information security objectives; most of the security areas and items covered under ISO 17799...


Information Technology & People | 2013

Online health communities: An assessment of the influence of participation on patient empowerment outcomes

Allen C. Johnston; James L. Worrell; Paul Michael Di Gangi; Molly McLure Wasko

Purpose – The purpose of this paper is to examine how participation in an online health community provides for direct benefits in the form of information utility and social support and an indirect influence on perceptions of patient empowerment. Design/methodology/approach – A multi‐method approach was conducted involving interviews with moderators of 18 online health communities and a field survey of 153 online health community participants. Findings – Online health community participation leads to direct benefits in the form of information utility and social support and that information utility also helps to shape perceptions of patient empowerment among community participants. Research limitations/implications – This research calls into question the role of online health communities as a support mechanism to empower patients to take ownership over their healthcare treatment. Online health communities support the development of patient empowerment by creating and disseminating information that can be used ...


ACM Sigmis Database | 2009

Analysis of systems development project risks: an integrative framework

Merrill Warkentin; Robert S. Moore; Ernst Bekkering; Allen C. Johnston

Information systems development projects are a significant expenditure of time, effort and money for many enterprises. Historically it has been estimated that 50-80% of projects fail to achieve their objectives for a variety of reasons. Researchers have identified numerous factors associated with system development failure. In this paper, we first synthesize the vast research regarding systems development risk factors and provide a framework that illustrates interactions between risk factors. The framework was used to develop an open-ended questionnaire that was answered by an inter-industry group of experienced systems development engineers and project managers. Analysis of their reports indicates that experienced professionals perceive that all risk factors (technical, resource, etc.) ultimately derive from organizationally-oriented factors, to be solved with organizational responses. This holistic viewpoint of risk assessment is counter to that of systems professionals more involved in day-to-day development decision making. For these developers, risks are more likely to be characterized as fitting into traditional discrete categories. This apparent dichotomy of risk importance was further investigated through an intra-organizational study which directly assessed how professionals recognize and treat risks in the development process. Results illustrate that a successful project environment may be characterised as one in which all systems professionals maintain a holistic view of organizational risk and that organizational culture, as opposed to experience, may predicate such an environment. Implications and future research directions are discussed.


Information Management & Computer Security | 2008

Information privacy compliance in the healthcare industry

Allen C. Johnston; Merrill Warkentin


Journal of Organizational and End User Computing | 2010

The Influence of Perceived Source Credibility on End User Attitudes and Intentions to Comply with Recommended IT Actions

Merrill Warkentin; Allen C. Johnston

Collaboration


Top Co-Authors

Merrill Warkentin, Mississippi State University
Mark B. Schmidt, St. Cloud State University
James L. Worrell, University of Alabama at Birmingham
Jordan Shropshire, University of South Alabama
Kirk P. Arnett, Mississippi State University
Paul Michael Di Gangi, University of Alabama at Birmingham
Barbara A. Wech, University of Alabama at Birmingham
Ernst Bekkering, Northeastern State University
Anthony Vance, Brigham Young University
Eric P. Jack, University of Alabama at Birmingham