Essays on information security practices in organizations
Organizational employees' information security behaviors have received attention for their potential role in cyber security. Recently, practitioners and academics alike have emphasized the need to evaluate end-user computer security behaviors in order to develop more secure information infrastructures. This dissertation evaluates the information security behaviors pertaining to employee security policy compliance from three different aspects, with the objective of providing guidelines and implications for the better design, development and implementation of information security policies in organizations. The dissertation consists of three inter-related essays, following a manuscript-based multi-essay thesis format. The first essay evaluates the relative importance of incentive mechanisms. It develops and tests a theoretical model that enhances our understanding of the incentive effects of penalties, pressures and perceived effectiveness on employee compliance with information security policies. The findings suggest that security behaviors can be influenced by both intrinsic and extrinsic motivators. The results indicate that (a) the intrinsic motivation of employees' perceived effectiveness of their actions plays a major role in security policy compliance, (b) pressures exerted by subjective norms and peer behaviors influence employee behaviors, and (c) certainty of detection is found to influence security behaviors while, surprisingly, severity of punishment was found to have a negative effect on policy compliance intentions. In the second essay, informed by the literature on Information Security (IS) adoption, protection-motivation theory, deterrence theory and organizational behavior theories, an integrated Protection, Motivation and Deterrence model of security policy compliance is developed under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behavior.
The essay also investigates the role of organizational commitment in employee security compliance intentions. The results suggest that (a) perceptions about the severity of a breach and response efficacy are likely to affect compliance intentions by shaping attitudes; (b) organizational commitment and social influence have a significant impact on compliance intentions; and (c) resource availability is a significant factor in enhancing self-efficacy, which in turn is a significant predictor of policy compliance intentions. The results indicate that employees in our sample underestimate the probability of security breaches. In the third essay we investigate whether the alignment between management and employee perceptions of security values plays a role in employee security behaviors. Much of the information security literature has emphasized mechanisms such as training and awareness and policy enforcement for creating a security-conscious environment and better security management. However, empirical research evaluating the effectiveness of these mechanisms in IT security is almost nonexistent. Moreover, researchers have argued that a misalignment between individual and organizational goals poses a greater threat to information security. In this context, the third essay explores several aspects of policy compliance in organizations using a dyadic approach. In an individual-level model we focus on employees' perception of the security climate and its relation to policy compliance behavior, and on the role that training and awareness and policy enforcement play in shaping employees' security climate perceptions. In addition, we propose a multi-level theoretical framework that considers the role of management and employee perception alignment in employee compliance behavior. Using a matched-responses dataset we empirically assess the two models.
Our findings suggest that individual employees' policy compliance intentions are predicted by their security climate perceptions, which in turn were highly associated with the employees' perceived training and awareness as well as policy enforcement efforts in their organization. In the test of the multi-level model we found that employee policy compliance intentions are mainly driven by personally held beliefs. Multiple surveys were administered to various sample groups in this research program in order to accomplish the research objectives of the three essays. A dyadic investigation approach was undertaken to understand security policy compliance from a holistic view, which resulted in a set of interesting and insightful findings with implications for both theory and practice.