Publication

Featured research published by Jonas Hallberg.


Information Management & Computer Security | 2014

Variables influencing information security policy compliance: A systematic review of quantitative studies

Teodor Sommestad; Jonas Hallberg; Kristoffer Lundholm; Johan E. Bengtsson

Purpose – The purpose of this paper is to identify variables that influence compliance with information security policies of organizations and to identify how important these variables are. Design/methodology/approach – A systematic review of empirical studies described in extant literature is performed. This review found 29 studies meeting its inclusion criterion. The investigated variables in these studies and the effect size reported for them were extracted and analysed. Findings – In the 29 studies, more than 60 variables have been studied in relation to security policy compliance and incompliance. Unfortunately, no clear winners can be found among the variables or the theories they are drawn from. Each of the variables only explains a small part of the variation in people's behaviour, and when a variable has been investigated in multiple studies the findings often show a considerable variation. Research limitations/implications – It is possible that the disparate findings of the reviewed studies can b...


Information and Computer Security | 2015

The sufficiency of the theory of planned behavior for explaining information security policy compliance

Teodor Sommestad; Henrik Karlzén; Jonas Hallberg

Purpose – This paper aims to challenge the assumption that the theory of planned behaviour (TPB) includes all constructs that explain information security policy compliance and investigates if anticipated regret or constructs from the protection motivation theory add explanatory power. The TPB is an established theory that has been found to predict compliance with information security policies well. Design/methodology/approach – Responses from 306 respondents at a research organization were collected using a questionnaire-based survey. Extensions in terms of anticipated regret and constructs drawn from the protection motivation theory are tested using hierarchical regression analysis. Findings – Adding anticipated regret and the threat appraisal process results in improvements of the predictions of intentions. The improvements are of sufficient magnitude to warrant adjustments of the model of the TPB when it is used in the area of information security policy compliance. Originality/value – This study is t...


Nordic Conference on Secure IT Systems | 2012

Cyber security exercises and competitions as a platform for cyber security experiments

Teodor Sommestad; Jonas Hallberg

This paper discusses the use of cyber security exercises and competitions to produce data valuable for security research. Cyber security exercises and competitions are primarily arranged to train participants and/or to offer competence contests for those with a profound interest in security. This paper discusses how exercises and competitions can be used as a basis for experimentation in the security field. The conjecture is that (1) they make it possible to control a number of variables of relevance to security and (2) the results can be used to study several topics in the security field in a meaningful way. Among other things, they can be used to validate security metrics and to assess the impact of different protective measures on the security of a system.


Systems, Man and Cybernetics | 2005

A framework for system security assessment

Jonas Hallberg; Amund Hunstad; Mikael Peterson

Security assessment is a central ability in the striving for adequate levels of IT security in information systems and networks. In this paper, the issue of system-wide IT security assessment is addressed. The results include a framework for IT security assessment addressing the need to include the influence of system structure in assessments. The purpose of the framework is twofold, to support the development of system security assessment methods and to enable the categorization of existing methods. Moreover, as an example of a possible approach to system security assessment, the CAESAR method is presented. CAESAR enables the calculation of scalar overall system security values as well as system-dependent security values for technical system entities.


Information Security Conference | 2013

A Review of the Theory of Planned Behaviour in the Context of Information Security Policy Compliance

Teodor Sommestad; Jonas Hallberg

The behaviour of employees influences information security in virtually all organisations. To inform the employees regarding what constitutes desirable behaviour, an information security policy can be formulated and communicated. However, not all employees comply with the information security policy. This paper reviews and synthesises 16 studies related to the theory of planned behaviour. The objective is to investigate 1) to what extent the theory explains information security policy compliance and violation and 2) whether reasonable explanations can be found when the results of the studies diverge. It can be concluded that the theory explains information security policy compliance and violation approximately as well as it explains other behaviours. Some potential explanations can be found for why the results of the identified studies diverge. However, many of the differences in results are left unexplained.


Information Management & Computer Security | 2011

The 14 layered framework for including social and organisational aspects in security management

Yvgne Monfelt; Sofie Pilemalm; Jonas Hallberg; Louise Yngström

The ultimate aim of the COINS – COntrolled INformation Security – project is to investigate, assess, and provide tools to improve the information security status in organizations with a focus on public agencies. A central question for the project is how information security issues are communicated within the organizations, specifically underlining that communication is control in a cybernetic sense. The project is carried out in a number of steps, embracing the design of modelling techniques and metrics for information security issues in organizations (1), collecting data from Swedish governmental agencies (2), using the modelling techniques to model communication of information security in organizations from different perspectives (3), applying metrics to the data in order to assess information security levels in the agencies (4), identifying gaps (5) and needs for improvement (6). The 14 layered framework, which is based on well-established knowledge within information security (frameworks, models, standards, and terminology), is presented. The scientific base is cybernetics, including variety engineering and recursion to provide adaptation and learning. The motivation for the research is that communication of information security issues within organizations tends to be insufficient and the mental connections between IT security and information security work are weak, which prevents the organization from learning and adapting in its security work. This is a report on research in progress.


Journal of Biomedical Informatics | 2002

Ethical issues in public health informatics: implications for system design when sharing geographic information

Christina Ölvingson; Jonas Hallberg; Toomas Timpka; Kent Lindqvist

Public health programs today constitute a multi-professional inter-organizational environment, where both health service and other organizations are involved. Developing information systems, including the IT security measures needed to suit this complex context, is a challenge. To ensure that all involved organizations work together towards a common goal, i.e., promotion of health, an intuitive strategy would be to share information freely in these programs. However, in practice it is seldom possible to realize this ideal scenario. One reason may be that ethical issues are often ignored in the system development process. This investigation uses case study methods to explore ethical obstacles originating in the shared use of geographic health information in public health programs and how this affects the design of information systems. Concerns involving confidentiality caused by geographically referenced health information and influences of professional and organizational codes are discussed. The experience presented shows that disregard of ethical issues can result in a prolonged development process for public health information systems. Finally, a theoretical model of design issues based on the case study results is presented.


Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004. | 2004

Measuring IT security - a method based on common criteria's security functional requirements

Amund Hunstad; Jonas Hallberg; Richard Andersson

A networked defense, and the networked information society, requires both trustworthy information systems and that users and societies trust these systems. Since the trustworthiness of systems depends on the level of IT security, the ability to assess the IT security ability is vital. Currently, there are no efficient methods for establishing the level of IT security in information systems. The main results described in this paper are: a set of security functions needed in systems, based on the security functional requirements of the Common Criteria (CC, 1999) and a method using the set of security functions to assess the securability of components in distributed information systems. Work in progress focuses on system-wide evaluations.


Information Assurance and Security | 2007

Rationale for and Capabilities of IT Security Assessment

Niklas Hallberg; Jonas Hallberg; Amund Hunstad

The abundance of security threats makes IT security a prerequisite for the use of information technology (IT). Striving for appropriate security, costs for IT security controls should be related to their impact on the level of IT security. This requires the level of IT security to be assessed. However, this insight is too general to guide the design of methods and tools for IT security assessments. Thereby, there is a necessity to explore what the rationale for IT security assessments is, i.e., why, where, and when it is needed. The objective of this study is to explore the rationale for and capabilities required of methods and tools for IT security assessment. The knowledge about rationale and needed capabilities should constitute a foundation for the future development of methods and tools regarding IT security assessment. The study was performed as a case study within the Swedish Armed Forces. Based on interviews and relevant documents, statements directly or indirectly indicating the need for IT security assessments were identified. These statements were carefully analyzed to identify IT security issues. Thereafter, the IT security issues were categorized into six categories: (1) systems development, (2) system operation, (3) risk management, (4) communication and management of security work, (5) competence regarding IT security and (6) attainment and preservation of trust. From these categories, 18 contributions to the rationale for IT security assessments were identified and used to determine capabilities needed of tools and methods for IT security assessments. These capabilities of IT security assessment are presented by criteria ordered in the categories: security assessment domains, security relevant factors, characteristics of security controls, and assessment results.


Journal of Computer Information Systems | 2017

The Theory of Planned Behavior and Information Security Policy Compliance

Teodor Sommestad; Henrik Karlzén; Jonas Hallberg

Much of the research on security policy compliance has tested the relationships posited by the theory of planned behavior. This theory explains far from all of the measurable variance in policy compliance intentions. However, it is associated with something called the sufficiency assumption, which essentially states that no variable is missing from the theory. This paper addresses this assumption in the context of information security policy compliance. A meta-analysis of published tests on information security behavior and a review of the literature in related fields are used to identify variables that have the potential to improve the theory’s predictions. These results are tested using a random sample of 645 white-collar workers. The results suggest that the variables anticipated regret and habit improve the predictions. The variables increase the explained variance by 3.4 and 2.6 percentage points, respectively, when they are added individually, and by 5.4 percentage points when both are added.

Collaboration

Top co-authors of Jonas Hallberg, with their affiliations:

Teodor Sommestad, Swedish Defence Research Agency
Henrik Karlzén, Swedish Defence Research Agency
Amund Hunstad, Swedish Defence Research Agency
Johan E. Bengtsson, Swedish Defence Research Agency
Niklas Hallberg, Royal Institute of Technology
Alan Davidson, Royal Institute of Technology
Sofie Pilemalm, Swedish Defence Research Agency
Kristoffer Lundholm, Swedish Defence Research Agency
Mathias Ekstedt, Royal Institute of Technology