Tejaswini Herath
Brock University
Publication
Featured research published by Tejaswini Herath.
European Journal of Information Systems | 2009
Tejaswini Herath; H. Raghav Rao
Enterprises establish computer security policies to ensure the security of information resources; however, if employees and end-users of organisational information systems (IS) are not keen or are unwilling to follow security policies, then these efforts are in vain. Our study is informed by the literature on IS adoption, protection-motivation theory, deterrence theory, and organisational behaviour, and is motivated by the fundamental premise that the adoption of information security practices and policies is affected by organisational, environmental, and behavioural factors. We develop an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behaviour. Furthermore, we evaluate the effect of organisational commitment on employee security compliance intentions. Finally, we empirically test the theoretical model with a data set representing the survey responses of 312 employees from 78 organisations. Our results suggest that (a) threat perceptions about the severity of breaches and response perceptions of response efficacy, self-efficacy, and response costs are likely to affect policy attitudes; (b) organisational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn, is a significant predictor of policy compliance intentions. We find that employees in our sample underestimate the probability of security breaches.
Decision Support Systems | 2009
Tejaswini Herath; H.R. Rao
Secure management of information systems is crucially important in information intensive organizations. Although most organizations have long been using security technologies, it is well known that technology tools alone are not sufficient. Thus, the area of end-user security behaviors in organizations has gained increased attention. In information security, observing end-user security behaviors is challenging. Moreover, recent studies have shown that the end users have divergent security views. The inability to monitor employee IT security behaviors and divergent views regarding security policies, in our view, provide a setting where the principal agent paradigm applies. In this paper, we develop and test a theoretical model of the incentive effects of penalties, pressures and perceived effectiveness of employee actions that enhances our understanding of employee compliance to information security policies. Based on 312 employee responses from 77 organizations, we empirically validate and test the model. Our findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. Pressures exerted by subjective norms and peer behaviors influence employee information security behaviors. Intrinsic motivation of employee perceived effectiveness of their actions was also found to play an important role in security policy compliance intentions. In analyzing the penalties, certainty of detection was found to be significant while surprisingly, severity of punishment was found to have a negative effect on security behavior intentions. We discuss the implications of our findings for theory and practice.
European Journal of Information Systems | 2011
John D'Arcy; Tejaswini Herath
Deterrence theory is one of the most widely applied theories in information systems (IS) security research, particularly within behavioral IS security studies. Based on the rational choice view of human behavior, the theory predicts that illicit behavior can be controlled by the threat of sanctions that are certain, severe, and swift. IS scholars have used deterrence theory to predict user behaviors that are either supportive or disruptive of IS security, and other IS security-related outcome variables. A review of this literature suggests an uneven and often contradictory picture regarding the influence of sanctions and deterrence theory in general in the IS security context. In this paper, we set out to make sense of the discrepant findings in the IS deterrence literature by drawing upon the more mature body of deterrence literature that spans multiple disciplines. In doing so, we speculate that a set of contingency variables and methodological and theoretical issues can shed light on the inconsistent findings and inform future research in this area. The review and analysis presented in this paper facilitates a deeper understanding of deterrence theory in the IS security domain, which can assist in cumulative theory-building efforts and advance security management strategies rooted in deterrence principles.
Information Systems Management | 2009
Tejaswini Herath; Rajiv Kishore
While offshore outsourcing is associated with several benefits, these ventures also pose many risks. In this paper, through an in-depth review, we develop a type 1 analysis theory about the various risks involved in offshore outsourcing projects, the challenges faced by managers in these collaboration initiatives, and solutions that may aid in overcoming those challenges. This paper contributes to both the theoretical and practice domains by providing a comprehensive offshoring challenges and solutions framework.
Decision Support Systems | 2011
Rui Chen; Jingguo Wang; Tejaswini Herath; H. Raghav Rao
The prevalence of cyber crimes has threatened the business model enabled by email. Users have to evaluate email related risks before forming their attitude and read intention toward commercial emails. Drawing on a seminal theoretical framework in risky decision making, we propose a research model that incorporates computer risk taking propensity and email risk perception as influential in cultivating commercial email attitude and read intention. The research model is empirically validated using survey data and the results provide significant support. This study contributes to the literature on email use by exploring the process of risky decision making and influence sources.
Information Systems Management | 2010
Tejaswini Herath; Hemantha S. B. Herath; Wayne G. Bremser
The article develops a conceptual framework for strategic implementation of IT security using a balanced scorecard (BSC) approach. Current research has mostly looked at economics of IT security, technical considerations, and behavioral aspects of what counter measures are available to firms instead of how successful or cost effective the investments or counter measures are. More specifically, our article provides a framework for building and implementing scorecards for information security performance management.
Decision Support Systems | 2014
Hemantha S. B. Herath; Tejaswini Herath
Compliance with ever-increasing privacy laws, accounting and banking regulations, and standards is a top priority for most organizations. Information security and systems audits for assessing the effectiveness of IT controls are important for proving compliance. Information security and systems audits, however, are not mandatory to all organizations. Given the various costs, including opportunity costs, the problem of deciding when to undertake a security audit and the design of managerial incentives becomes an important part of an organization's control process. In view of these considerations, this paper develops an IT security performance evaluation decision model for whether or not to conduct an IT security audit. A Bayesian extension investigates the impact of new information regarding the security environment on the decision. Since security managers may act in an opportunistic manner, the model also incorporates agency costs to determine the incentive payments for managers to conduct an audit. Cases in which the agency model suggests that it is optimal not to conduct an IT security audit are also discussed.
Journal of Information Privacy and Security | 2017
Rui Chen; Jingguo Wang; Tejaswini Herath; H.R. Rao
In this article, we develop a three-stage study to examine the role of an e-mail authentication and identification service (eATS) intervention in affecting end-user e-mail risk perceptions. We deploy the eATS and find that it reduces users’ risk perception. Pre-intervention risk perception is found to be positively associated with user perception of the e-authentication service’s usefulness. Moreover, perceived usefulness of the service negatively relates to e-mail risk perception in the post-use stage. Finally, privacy concerns related to the e-authentication service dilute this relationship between usefulness of service and e-mail risk perception reduction.
Community-Built Databases | 2011
Anteneh Ayanso; Tejaswini Herath; Kaveepan Lertwachara
In recent years, online social networks have grown immensely and become widely popular among Internet users. In general, a social network is a social structure consisting of nodes (which are generally individuals or organizations) that are connected by one or more specific types of relations. These online groups are made up of those who share passions, beliefs, hobbies, or lifestyles. These networks allow the development of communities that exploit the capacity of the Internet to expand users’ social worlds to include people in distant locations, binding them more strongly. The Internet helps many people find others who share their interests regardless of the distance between them. These social networks use a variety of communication and collaboration technologies such as blogging, video conferencing, and Wiki tools to name a few, which can be used to harness collective intelligence. Thus, they provide great communication potential and tremendous opportunities for both casual users and professionals to share knowledge with others and thus benefit from the collective pool of shared knowledge. For instance, in the context of learning where communication of knowledge about issues and experience may be limited by traditional means, educators can share experiences and teaching materials that can advance eLearning. In other communities such as the health care domain, doctors and nurses can share practices, experiences, and other resources to provide better health care. Another example can be experiences and knowledge shared by emergency workers which can improve emergency responses in various dimensions. In this chapter, we discuss how Web 2.0 technologies can enhance knowledge-based professional communities. Specifically, we identify a few select communities and discuss the technologies that are used, the ways in which they can be used, and the potential opportunities and challenges encountered by these communities.
International Journal of Business Governance and Ethics | 2010
Tejaswini Herath; H. Raghav Rao
End user security behaviours are an important part of enterprise-wide information security. Although organisations have been actively using security technologies and practices, it is known that information security cannot be achieved through technological tools alone. In order to find appropriate control mechanisms to encourage employee security behaviours in organisations, we look at this problem through a principal agent perspective. Since employee security behaviours cannot be continuously monitored and employees may have conflicting views regarding security policies (moral hazard problem), we believe that the principal agent paradigm can provide insight in developing effective controls.