The pathway to security – mitigating user negligence

Kennedy, Sarah

doi:10.1108/ics-10-2014-0065

Cited by 14 publications

(15 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…PricewaterhouseCoopers (2017) reported that current employees remain as the top source of security incidents with 30 per cent of such incidents were caused by current employees. Another report revealed that 64 per cent of data breaches were due to employees’ behaviour and system glitches (Kennedy, 2016). A survey by Kaspersky Lab (2017) showed that 59 per cent of information security incidents were caused by careless or uninformed employee actions.…”

Section: Introductionmentioning

confidence: 99%

Security monitoring and information security assurance behaviour among employees

Ahmad

Ong

Liew

et al. 2019

ICS

View full text Add to dashboard Cite

Purpose The purpose of this research is to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour. Security assurance behaviour represents employees’ intentional and effortful actions aimed towards protecting information systems. The behaviour is highly desired as it tackles the human factor within the information security framework. The authors posited that security assurance behaviour is a learned behaviour that can be enhanced by the implementation of information security monitoring. Design/methodology/approach Theoretical framework underlying this study with six constructs, namely, subjective norm, outcome expectation, information security monitoring, information security policy, self-efficacy and perceived inconvenience, were identified as significant in determining employees’ security assurance behaviour (SAB). The influence of these constructs on SAB could be explained by social cognitive theory and is empirically supported by past studies. An online questionnaire survey as the main research instrument is adopted to elicit information on the six constructs tested in this study. Opinion from industry and academic expert panels on the relevance and face validity of the questionnaire were obtained prior to the survey administration. Findings Findings from this research indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. This study also demonstrates that employees tend to abandon security behaviour when the behaviour is perceived as inconvenient. Hence, organisations must find ways to reduce the perceived inconvenience using various security automation methods and specialised security training. Reducing perceived inconvenience is a challenge to information security practitioners. Research limitations/implications There are some limitations in the existing work that could be addressed in future studies. One of them is the possible social desirability bias due to the self-reported measure adopted in the study. Even though the authors have made every effort possible to collect representative responses via anonymous survey, it is still possible that the respondents may not reveal true behaviour as good conduct is generally desired. This may lead to a bias towards favourable behaviour. Practical implications In general, the present research provides a number of significant insights and valuable information related to security assurance behaviour among employees. The major findings could assist security experts and organisations to develop better strategies and policies for information security protection. Findings of this research also indicate that organisations will benefit from information security monitoring by encouraging security behaviours that extend beyond the security policy. Social implications In this research, the social cognitive learning theory is used to explain the influence of information security monitoring and other social learning factors on employees’ security assurance behaviour; the finding implies that monitoring emphases expected behaviours and helps to reinforce organisational norms. Monitoring may also accelerate learning when employees become strongly mindful of their behaviours. Hence, it is important for organisations to communicate the monitoring practices implemented, even more imperative whenever security monitoring employed is unobtrusive in nature. Nonetheless, care must be taken in this communication to avoid resentment and mistrust among employees. Originality/value This study is significant in a number of ways. First, this study highlights significant antecedents of security assurance behaviour, which helps organisations to assess their current practices, which may nurture or suppress information security. Second, using users’ perspective, this study provides recommendations pertaining to monitoring as a form of information security measure. Third, this study provides theoretical contribution to the existing information security literature via the application of the social cognitive learning theory.

show abstract

Section: Introductionmentioning

confidence: 99%

Security monitoring and information security assurance behaviour among employees

Ahmad

Ong

Liew

et al. 2019

ICS

View full text Add to dashboard Cite

show abstract

“…The consequence is that users might act to circumvent the ritual (Blythe et al, 2013). Awareness and training programmes are the standard organisational response to this (Yildirim, 2016), but the effectiveness of such drives is patchy (Banfield, 2016;Kennedy and Kennedy, 2016). Training does not work because it can not overcome a reluctance that stems from previous negative experiences with unattractive software.…”

Section: Beauty In Securitymentioning

confidence: 99%

An Investigation into the “Beautification” of Security Ceremonies

Bella

Renaud

Sempreboni

et al. 2019

Proceedings of the 16th International Joint Conference on E-Business and Telecommunications

View full text Add to dashboard Cite

Beautiful Security" is a paradigm that requires security ceremonies to contribute to the 'beauty' of a user experience. The underlying assumption is that people are likely to be willing to engage with more beautiful security ceremonies. It is hoped that such ceremonies will minimise human deviations from the prescribed interaction, and that security will be improved as a consequence. In this paper, we explain how we went about deriving beautification principles, and how we tested the efficacy of these by applying them to specific security ceremonies. As a first step, we deployed a crowd-sourced platform, using both explicit and metaphorical questions, to extract general aspects associated with the perception of the beauty of real-world security mechanisms. This resulted in the identification of four beautification design guidelines. We used these to beautify the following existing security ceremonies: Italian voting, user-to-laptop authentication, password setup and EU premises access. To test the efficacy of our guidelines, we again leveraged crowd-sourcing to determine whether our "beautified" ceremonies were indeed perceived to be more beautiful than the original ones. The results of this initial foray into the beautification of security ceremonies delivered promising results, but must be interpreted carefully.

show abstract

“…Previous research has shown that well designed end-user security education can be effective in mitigating against IT infrastructure issues [91,92,93]. This could be in the form of web-based training materials, contextual training, and embedded training to enhance users' ability to avoid attacks.…”

Section: User Education and Engagementmentioning

confidence: 99%

Security challenges and solutions for e-business

James

Bul’ajoul

Shehu

et al. 2018

Information Security: Foundations, Technologies and Applications

View full text Add to dashboard Cite

The advantages of economic growth and increasing ease of operation afforded by e-business and ecommerce developments are unfortunately matched by growth in cyberattacks. This paper outlines the common attacks faced by e-business and describes the defenses that can be used against them. It also reviews the development of newer security defense methods. These are: (1) biometrics for authentication; parallel processing to increase power and speed of defenses; (2) data mining and machine learning to identify attacks; (3) peer-to-peer security using blockchains; (4) enterprise security modelling and security as a service; and (5) user education and engagement. The review finds overall that one of the most prevalent dangers is social engineering in the form of phishing attacks. Recommended counteractions include education and training, and the development of new machine learning and data sharing approaches so that attacks can be quickly discovered and mitigated.

show abstract

The pathway to security – mitigating user negligence

Cited by 14 publications

References 2 publications

Security monitoring and information security assurance behaviour among employees

Security monitoring and information security assurance behaviour among employees

An Investigation into the “Beautification” of Security Ceremonies

Security challenges and solutions for e-business

Contact Info

Product

Resources

About