Whose Risk Is It Anyway: How Do Risk Perception and Organisational Commitment Affect Employee Information Security Awareness?

Reeves, Andrew L.; Parsons, Kathryn; Calic, Dragana

doi:10.1007/978-3-030-50309-3_16

Cited by 9 publications

(7 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some researchers have suggested that employee overconfidence and complacency can explain the negative relationship between cyber security training frequency and workplace behaviors (K. Parsons et al, 2013;Pattinson et al, 2016a;Reeves et al, 2020). Employees may feel that, following training, they are well equipped to deal with cyber security threats and are, therefore, less vulnerable.…”

Section: The Case For Fatiguementioning

confidence: 99%

See 1 more Smart Citation

Encouraging Employee Engagement With Cybersecurity: How to Tackle Cyber Fatigue

2021

Self Cite

View full text Add to dashboard Cite

Cybersecurity fatigue is a form of work disengagement specific to cybersecurity. It manifests as a weariness or aversion to cybersecurity-related workplace behaviors or advice and occurs as a result of prior overexposure to cybersecurity-related work demands or training. While some previous theoretical conceptualizations of cybersecurity fatigue are available, this article is the first to capture all dimensions of the phenomenon in a four-component model. The model holds that cybersecurity fatigue can result from overexposure to workplace cybersecurity advice (e.g., training) or cybersecurity actions (e.g., forced password updates). Similarly, we argue that there can be two types of cybersecurity fatigue: attitudinal (e.g., a belief that cybersecurity is not important) and cognitive (e.g., habituated bad behaviors). We present a multidisciplinary review, which draws on research from management, psychology, and information systems. Practitioners can use the four-component model to identify the type of cybersecurity fatigue that may be occurring in employees and adapt workplace processes accordingly to improve behavior. In addition, we present three illustrative case studies, adapted from employee experiences, to demonstrate the application of the four-component model to an organizational context. The review presents a framework for coordinating the existing approaches to cybersecurity fatigue in the current literature.

show abstract

Section: The Case For Fatiguementioning

confidence: 99%

“…However, if complacency was the sole-contributing factor, targeted SETA programs that aim to instill greater awareness should be successful in reducing complacency. In many instances, this is not the case (Pattinson et al, 2016a;Reeves et al, 2020). Instead, suboptimal employee behavior is better explained as a result of fatigue.…”

Section: The Case For Fatiguementioning

confidence: 99%

Encouraging Employee Engagement With Cybersecurity: How to Tackle Cyber Fatigue

2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, none provides a clear-cut response to this research question. There is a consensus in all five articles that organizational culture is a cornerstone for security and policy-compliant behavior (Reeves et al , 2020; Hwang et al , 2017; Alzahrani, 2021; Parsons et al , 2015; Li et al , 2019).…”

Section: Resultsmentioning

confidence: 99%

“…Peer- and policy-compliant behavior can only be achieved when the organization has a positive cybersecurity culture. The development of organizational culture often comes from the top management; hence, the development and continued improvement of culture will be assigned to management (Li et al , 2019; Reeves et al , 2020). One interesting finding in the context of developing or harnessing a security culture is that managers have a much lower information security awareness; Reeves et al (2020) therefore recommend that future training should be targeted to management.…”

Section: Resultsmentioning

confidence: 99%

“…ISA is critical in mitigating the risks associated with cybersecurity and is defined by two components, namely, understanding and compliance . Compliance is the employees’ commitment to follow best-practice rules defined by the organization (Reeves et al , 2020). Ajzen (1991) defines a person’s intention to comply as the individual’s motivation to perform a described behavior.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A systematic literature review of how cybersecurity-related behavior has been assessed

Kannelønning

Katsikas

2023

ICS

View full text Add to dashboard Cite

Purpose Cybersecurity attacks on critical infrastructures, businesses and nations are rising and have reached the interest of mainstream media and the public’s consciousness. Despite this increased awareness, humans are still considered the weakest link in the defense against an unknown attacker. Whatever the reason, naïve-, unintentional- or intentional behavior of a member of an organization, the result of an incident can have a considerable impact. A security policy with guidelines for best practices and rules should guide the behavior of the organization’s members. However, this is often not the case. This paper aims to provide answers to how cybersecurity-related behavior is assessed. Design/methodology/approach Research questions were formulated, and a systematic literature review (SLR) was performed by following the recommendations of the Preferred Reporting Items for Systematic Reviews and Meta-Analyses statement. The SLR initially identified 2,153 articles, and the paper reviews and reports on 26 articles. Findings The assessment of cybersecurity-related behavior can be classified into three components, namely, data collection, measurement scale and analysis. The findings show that subjective measurements from self-assessment questionnaires are the most frequently used method. Measurement scales are often composed based on existing literature and adapted by the researchers. Partial least square analysis is the most frequently used analysis technique. Even though useful insight and noteworthy findings regarding possible differences between manager and employee behavior have appeared in some publications, conclusive answers to whether such differences exist cannot be drawn. Research limitations/implications Research gaps have been identified, that indicate areas of interest for future work. These include the development and employment of methods for reducing subjectivity in the assessment of cybersecurity-related behavior. Originality/value To the best of the authors’ knowledge, this is the first SLR on how cybersecurity-related behavior can be assessed. The SLR analyzes relevant publications and identifies current practices as well as their shortcomings, and outlines gaps that future research may bridge.

show abstract

Cybersecurity-Related Behavior of Personnel in the Norwegian Industry

Kannelønning¹,

Katsikas²

2023

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Whose Risk Is It Anyway: How Do Risk Perception and Organisational Commitment Affect Employee Information Security Awareness?

Cited by 9 publications

References 33 publications

Encouraging Employee Engagement With Cybersecurity: How to Tackle Cyber Fatigue

Encouraging Employee Engagement With Cybersecurity: How to Tackle Cyber Fatigue

A systematic literature review of how cybersecurity-related behavior has been assessed

Cybersecurity-Related Behavior of Personnel in the Norwegian Industry

Contact Info

Product

Resources

About