human information security behaviors: differences across geographies and cultures in a global user...
TRANSCRIPT
Human Information Security Behaviors: Differences Across Geographies and Cultures in a Global User
Survey
Authors
Lance Hayden
University of Texas
School of Information, Sanchez Building (SZB) 564, 1 University Station D7000, Austin, TX
78712-0390
Email: [email protected]
Data Leakage Worldwide, a 2008 research study commissioned by Cisco Systems, Inc.
explored the information security behaviors of information technology (IT) users and decision
makers in ten countries around the world. Based upon an online survey, the results published
by Cisco Systems concluded that end users engage in risky information security behaviors
that negatively impacted the companies for which the worked. The survey also revealed
differences in awareness of proper security practices between end users and IT decision
makers, as well as a lack of effectiveness in company security policies. One important aspect
of the research was the exploration of differences in information security behaviors between
respondents in different countries. While the Cisco study is important, a number of questions
exist regarding the methods used, data collected, and conclusions made in the survey
publications. But regardless of these critiques, the study provides a useful starting point for
research into human information security behaviors.
Introduction
In September 2008 Cisco Systems, Inc., a multinational network equipment manufacturer,
announced the results of a global research study, Data Leakage Worldwide, which explored
data security risks faced by organizations relying on information technology (IT)
infrastructures around the world. The study analyzed the effectiveness of corporate
information security policies and associated user security behaviors across ten countries in
the Americas, Europe, and Asia-Pacific regions (Vamosi, 2008). The research study was
commissioned by Cisco and the survey research conducted by Insight Express, a commercial
research firm. Among the goals and findings of the survey was the analysis of differences
exhibited across different countries in how IT users and managers perceived information
security, how they incorporated security into their daily practices, and how effective were the
organizational policies designed to promote or enforce security behaviors among IT users
(Cisco, 2008a). The results of the global survey were published as three separate Cisco white
papers (Cisco, 2008a; Cisco, 2008b; and Cisco, 2008c) as well as three detailed data
presentations by the research firm InsightExpress (InsightExpress,, 2008a; InsightExpress,
2008b; and InsightExpress, 2008c). All associated white papers and data presentations were
made public and posted on Cisco’s corporate web site as part of a public relations campaign
designed to publicize the result of the research study.
The Cisco research study and the resulting publications merits further consideration by
information science practitioners. The study occupies a unique intersection between the study
of human information behaviors across cultural and regional boundaries and the study of
information security behaviors by users of IT. While a variety of research studies have
explored one or another of these topics, the Cisco study provides new insights into both. This
paper describes the background and findings of the research study, but also offers a critique
of the research in terms of its scope and analytical direction. The study privileges certain
research findings most directly relevant to the marketing of commercial security technologies
while seeming to ignore equally interesting questions about information security and human
information behaviors at the social and cultural levels. The result is a study that is compelling
to the field of information science but also incomplete. Researchers into areas of human
information behavior, the development of socio-technical systems in global environments,
and information security may all find the Cisco study a source of inspiration for future
research directions and projects.
Human Information Behavior and Information Security
Behavior
A great deal of research has been conducted into human information behavior in general as
well as into specific aspects of the use of information in a variety of environments and under
a variety of influences.
General studies of human information behaviors and user information needs have been
conducted within information science for decades. These studies have been effectively
summarized over time in a number of reviews (Wilson, 1997; Spink & Cole, 2006; Wilson,
2006; Case, 2007), including multi-disciplinary analyses of information behavior research.
Research studies have also been conducted into human information behaviors in specific
organizational or industrial contexts, including manufacturing organizations (White, 1986)
and healthcare environments (Reddy & Jansen, 2008).
More directly interesting to the Cisco Systems research are those studies that explore human
information behaviors in the context of information security or from the perspective of cultural
and regional influences on information seeking and use. While less common within the
information science literature or the literatures of other fields, there are nevertheless
numerous studies that address these aspects of human information behavior as well.
Cultural and regional effects on the use of information, particularly in the context of IT, are
increasingly important as globalization exerts a more profound influence on society and
industry. Jarvenpaa & Ives (1994) explored the perceived challenges of building globally
connected information and knowledge networks that would provide users with the necessary
information to complete tasks and support organizational goals, while creating new and
unforeseen challenges for business and technology managers tasked with managing these
large and increasingly distributed networked entities. At the time of Jarvenpaa & Ives article,
the nascent Internet had not yet seen the development of the global World Wide Web and
even technologically sophisticated organizations had yet to realize the potential benefits (and
risks) that new information technologies represented. Zaheer & Zaheer studied the ways that
country differences influenced the information seeking behaviors of firms competing in the
global finance industry. The authors were concerned with the differences in how these firms,
located in different countries, engaged in an information-intensive industry that was highly
similar globally, particularly how the firms looked for information that would help them
prosper. Where Zaheer & Zaheer studied different organizations engaged in a global industry,
Dutta (2008) reviewed various research studies into the information behaviors of indigenous
peoples in developing countries, including both urban and rural users. And Chau, Cole,
Massey, Montoya-Weiss, & O’Keefe (2002) conducted empirical research into the information
behaviors of online consumers in the United States and in Hong Kong, looking for evidence
that cultural differences could account for differences in online consumer behaviors.
Information security behaviors among users have also proved a fruitful subject for research in
information science and other fields. No accepted definition for information security behavior
exists, although some scholars have attempted to define information security behavior
through the creation of taxonomies and categories of types of information behavior specific to
security practitioners (Vroom & von Solms, 2004; Stanton, Stram, Mastrangelo, & Jolton,
2005). More generally, information security behaviors can reasonably be inferred as the ways
in which IT users and other individuals interact with information resources that have been
determined to require certain protections. Assignation of such protection or the requirement
of security information behaviors in regards to particular systems or data is a complex
process influenced by state, organizational, and individual decisions and activities. Some
studies, including empirical research efforts, have closely examined the roles and behaviors of
users in the context of information security (Thomson & von Solms, 1998; Adams & Sasse,
1999). Other studies have examined security from the larger organizational context, exploring
security awareness, policy, and enforcement more broadly (Siponen, 2000; Workman,
Bommer, & Straub, 2008; Herath & Rao, 2009). Common themes across these studies, and
ones which are similar to the purposes and results of the Cisco data leakage research study,
include the need to understand how users conceptualize security practices and
responsibilities, and how both individual and management behaviors can be improved in
order to make information security efforts more effective in the environments in which they
exist.
The Cisco Global Data Leakage Study — Background, Methods,
and Findings
Cisco Systems is a global manufacturer of networking equipment, beginning with the routers
and switches that function as the core infrastructure of the Internet. In addition to network
hardware and software systems, Cisco has grown into other IT markets, creating and
manufacturing many other IT products including systems for Internet telephony, online
collaboration, and information storage. The growth of the company into areas of information
technology that were increasingly concerned with processing and managing user data rather
than simply transmitting that data “over the wire” have caused Cisco to require more
sophisticated capabilities for information security. Today Cisco also manufactures and
markets security products and services as part of its corporate strategy, and the data leakage
research project discussed here represents a component of Cisco’s security marketing efforts.
The situating of this research study into Cisco’s security marketing strategy proves a limiting
factor to the research findings, a critique I will elaborate upon later. But the results of the
Cisco-sponsored survey nonetheless offer important insights into the differences in
information security behavior across regions and cultures.
The stated purpose for commissioning the data leakage survey was “to understand the
challenges that increasingly distributed mobile businesses face in protecting sensitive
information” (Cisco, 2008a, p. 1). Networking technology has allowed organizations to attain
global reach while centralizing IT environments within a single organization. Many multi-
national companies, including Cisco, have relatively mono-cultural IT infrastructures built upon
standard user computing systems and backend network infrastructures. A Cisco employee,
for instance, traveling from the corporate headquarters in San Jose, California to corporate
offices in Bangalore, Dubai, Budapest, or Sao Paulo find a remarkable uniformity in IT
environments all of which conform to Cisco’s technological culture. Of course the social
cultures between these regions are far less homogenous. While many companies attempt to
train their employees about proper security behaviors, Cisco questions the effectiveness of
these efforts noting that hundreds of millions of sensitive pieces of data have been stolen in
recent years. Cisco also points out that many of these incidents are not the result of hackers
breaking into corporate systems but the result of employee behaviors (whether intentional or
not) (2008a, p.2).
In an attempt to better understand how geographical and cultural differences influence
employee security behaviors, Cisco commissioned InsightExpress to conduct a global survey
into the problem of data leakage and risky security behaviors on the part of users and the
effectiveness of organizational responses to these risks. It was hoped that by understanding
user behaviors when dealing with issues of information security that IT organizations would be
better able to respond to internal security risks and encourage more security-conscious user
practices. InsightExpress conducted the research through two surveys conducted in ten
countries (Australia, Brazil, China, France, Germany, India, Italy, Japan, the United Kingdom,
and the United States). For each country in the study, InsightExpress conducted an online
survey of individual respondents. Respondents were divided into two categories: “end users,”
defined in the study as a “non-IT professional” and “IT decision makers,” who were defined as
“having some influence in purchasing or policy decisions regarding information technology. It
was not clear from the published information how membership in a category was established
(for instance by self-selection on the part of the respondent or by a survey question related to
job roles within the respondent’s organization.) Approximately 100 respondents of each type
for each country were included in the research study for a total of 1009 end-users and 1011
IT decision makers (n=2020 respondents total). Survey data was collected over a period from
July 16 – August 4, 2008 (InsightExpress, 2008a, p. 2). Country selection for the research
study was based upon “contrasting social and business cultures, as well as each workforce’s
relative tenure with the Internet and corporate IP [Internet Protocol]-based networks” (Cisco,
2008a, p. 2).
InsightExpress published the survey findings in three separate report presentations (2008a,
2008b, & 2008c). Cisco incorporated the resulting data into three accompanying white
papers (2008a, 2008b, & 2008c), specially structured corporate documents that are
designed both to convey the results of the research and to act as a marketing tool usable by
Cisco employees when promoting Cisco’s products and services. While the InsightExpress
publications offer much more specific detail regarding the data, the Cisco white papers
attempt to contextualize the survey findings and embed them within narrative structures that
are more likely to be well-received by specific (primarily Cisco customer) audiences. Both the
InsightExpress presentations and the Cisco white papers divided the survey findings into three
broad categories: a general report on the survey and the common security risks and mistakes
faced by users of IT systems (InsightExpress, 2008a; Cisco, 2008a), a review of the survey
findings that specifically addressed the risk of “insider threats” represented by malicious or
disgruntled users who deliberately attempted to subvert organizational security controls
(InsightExpress, 2008b; Cisco, 2008b), and an analysis of the effectiveness of security policies
employed by organizations as a response to security risks (InsightExpress, 2008c; Cisco,
2008c). For clarity, this paper will discuss the findings of the overall research study as
represented within these same three categories selected by Cisco in its publication of the
results.
General User Security Findings
The survey research found that IT end users in all countries exhibited “risky
behaviors that put corporate and personal data at risk” despite the presence of
security mechanisms put in place by their organizations. The Cisco white paper
Data Leakage Worldwide: Common Risks and Mistakes Employees Make (2008a)
highlighted four findings that applied to IT end user security behaviors generally:
• The use of unauthorized programs and applications led to as many as half of all
security incidents resulting in data loss
• 44% of employees misuse corporate computers, including unauthorized sharing
of devices
• 39% of IT decision makers reported employees accessing physical and network
resources without authorization
• 46% of users reported sharing files between work and personal computers
when working from home (p. 1).
While these findings were foregrounded in the published Cisco white paper, they
represented a subset of the findings generated by the InsightExpress research
data. InsightExpress included other key findings, such as end user respondents
indicating that over half of all end users deliberately bypass or change security
settings on company-issued computers in order to visit restricted web sites
(InsightExpress, 2008a, p. 7).
While the research generated security behavior findings applicable to respondents
across all surveyed countries, of special interest are those findings that show
significant differences in information security behavior between countries. Cisco
highlighted five findings that it described as “noteworthy” examples of such
differences:
• Computer abuse in China is so problematic as to require regular audit for
unauthorized content by IT decision makers
• 65% of Japanese end users reported violating corporate IT policies and this
trend is increasing
• Respondents in India used corporate resources such as email and instant
messaging for personal use, and changed security settings to view unauthorized
Web content
• Brazilian users reported using corporate resources for personal use such as
downloading music
• With only 16% of end users reporting compliance with security policies, France
had the lowest rate of IT policy compliance in the study (Cisco, 2008a, p. 2).
As with the general user respondent findings, Cisco chose a subset of findings to
promote within the white paper. To understand the differences between security
behaviors between particular countries that were statistically significant a reader
would have to refer back to the data presentation provided by InsightExpress,
which provides a great deal more detail regarding differences between country
respondents (2008a).
Insider Threat Findings
The second Cisco white paper published from this research study was Data Leakage Worldwide: The High Cost of Insider Threats (Cisco, 2008b), and is
accompanied by a supporting InsightExpress data presentation (2008b). The
second white paper attempts to present the survey results in the context of how
risky end user behaviors presented “insider threat” risks to IT decision makers
and, by extension, organizations that were dependent upon IT infrastructures.
Insider threats are considered to be security-related behaviors by employees who
were “uninformed, careless, or disgruntled.” Cisco found that the risks posed by
these user behaviors are more dangerous than is commonly recognized by IT
professionals, and more likely to cause financial losses due to data loss than
threats from external sources such as hackers or cybercriminals (Cisco, 2008b, p.
1).
To support these conclusions, Cisco cited findings from the survey data. Roughly
dividing these findings into those results related to negligence on the part of end
users and those related to disgruntled employees who deliberately committed
security violations, Cisco concluded that universal serial bus (USB) drives were the
most common potential data loss vector cited by IT decision makers responding
to the survey. In addition to specific means of data loss, Cisco identified other
threats including a lack of awareness and diligence regarding proper security
behavior on the part of end users as well as a lack of awareness by IT decision
makers regarding the number and nature of security incidents that their
organizations experienced over a particular time period. In one case of deliberate
security violations on the part of disgruntled employees, Cisco cited a finding that
over 10% of end user respondents claimed to have stolen data or computers that
they then sold for a profit (2008b, p. 3).
Unlike Data Leakage Worldwide: Common Risks and Mistakes Employees Make,
Cisco’s second white paper does not make an effort to address differences in
behaviors between countries. For these findings readers must to refer to the
accompanying presentation, Data Leakage Worldwide: The Insider Threat and the Cost of Data Loss (InsightExpress, 2008b). As in the case of the first published
data results, the InsightExpress presentation contains much more detail regarding
the formal results of the survey, including which countries exhibited significant
differences in referenced end user and IT decision maker responses.
Effectiveness of Security Policies Findings
Cisco’s final survey-related white paper, Data Leakage Worldwide: The Effectiveness of Security Policies (2008c) and the accompanying data
presentation (InsightExpress, 2008c) discusses the research findings related to
how organizations attempt to deal with risky security behaviors by IT end users
and the extent to which those attempts are or are not successful. As with the
previous two white papers, Cisco chooses certain survey findings to promote and
includes findings that apply generally to security practices globally. In this white
paper, as with the first, Cisco also discusses country differences between certain
behaviors although these discussions are not exhaustive and are conducted at a
high level of abstraction.
Cisco’s primary conclusions regarding organizational security policies are that they
are often ineffectual and in many cases do not even exist within an organization
(as evidenced by 23% of the survey responses). One key finding Cisco draws from
the research data is that a large discrepancy (20-30% of respondents across
various countries) exists between end user and IT decision maker awareness of
the presence of security policies within an organization. Cisco concludes from this
discrepancy “IT is not sufficiently educating and communicating security policies
to employees, and that employees may not be paying attention” (Cisco, 2008c, p.
1).
After discussing general problems with security policy effectiveness, Cisco
examines differences between countries in regards to how policies are
implemented, disseminated, and received by end users. Cisco is particularly
concerned with failures to communicate security policies and expected behavioral
norms within organizations both at the time of hiring new employees and
throughout an employee’s tenure. Some of the findings cited and conclusions
drawn from the survey data include:
European respondents, particularly those from the United Kingdom, France,
and Germany exhibited a higher prevalence for the belief “that security
policies were never communicated to them or that they were never
educated about the policy”
Companies in Australia, China, Japan, and the United States communicated
security policies most often to newly hired employees
The United States had the largest gap (42%) between IT decision maker
responses that newly hired employees were educated on company security
policies, and IT end user responses claiming that policies had not been
communicated at the time they were hired (2008c, p. 3).
Critiques of the Study
Cisco’s Data Leakage Worldwide study contains a great deal of information of interest to the
information science research community. The analysis of cross-cultural security behaviors by
IT end users represents a relatively unique research perspective that is missing from the
literature. However, the study also has several flaws that must be addressed in the course of
any discussion of its findings and any conclusions drawn or generalizations made regarding
the research findings. These problems include a lack of transparency regarding
InsightExpress’ research methods and the data collected as a result of those methods, and
questions of possible confirmation and publication bias in the findings and conclusions that
Cisco draws from the research data.
Uncertain Methods and Data Quality
The Cisco research study exhibits a problematic lack of transparency into the
methods and data used in conducting the survey. InsightExpress, commissioned
by Cisco to conduct the survey, is a provider of commercial research to industry
and is under no obligation to disclose survey instruments or methods that might
be considered the intellectual property of the firm. While the research data
presentations published as part of the study contained a great deal of data
regarding the survey results, including notations of statistical significance and the
levels of reported significance, no access is given to the specific research
instruments or statistical analyses that were used for the study. A reader is
unable, as a result, to make a judgment regarding the selection of survey
respondents, the survey instrument itself, or which statistical techniques were
used to generate findings.
Without detailed information regarding the structure and conduct of the research
study it becomes impossible to assess the quality of the study, and quite possible
that some areas of the study were flawed to the degree that the findings are
rendered suspect. One example of the uncertainties surrounding InsightExpress’
methods is the collections of almost exactly 100 respondents from each country
surveyed, for both IT end users and IT decision makers. According to
InsightExpress the primary research instrument was an online survey that was
posted for twenty days. It seems coincidental that a survey posted for a set time
period would collect data from almost exactly the same number (n=100) of
respondents across two distinct categories of respondent and ten separate
countries. Without any insight into how the survey was structured or managed,
however, any conclusions that might be drawn about methodological problems
remain speculative. Of course if respondents were selected or the data altered to
create a predetermined data set, then the overall findings and conclusions of the
research study would be subject to question.
Bias in Findings and Conclusions
Cisco uses the findings of the InsightExpress survey to make certain conclusions,
promoted within the published white papers, which may not be supported by the
data in the research presentations. One of the pitfalls of commercially sponsored
social research is the temptation by industries or companies to privilege certain
findings that may support the company’s strategies while ignoring or downplaying
findings that do not support or even refute those strategies. While there is no
direct evidence that Cisco sought to mislead or otherwise misrepresent the results
of the InsightExpress survey, there are instances where evidence of confirmation
bias or publication bias may be present.
In one example, a conclusion cited previously, Cisco finds that computer abuse in
China was so prevalent that it required Chinese IT decision makers to regularly
audit for unauthorized content. This conclusion directly supports Cisco’s corporate
goals given that China is a large market for Cisco’s products, including security
products that can be used to facilitate such audits. But neither InsightExpress nor
Cisco defines what constitutes abuse or unauthorized content, or specifically
relates unauthorized content to data loss in a security sense. Unauthorized
content could also refer to any data that is proscribed for political or cultural
reasons unrelated to IT security. Such content may also different markedly
between countries and cultures, and assuming that the data supporting this
conclusion was the result of a generic survey question rather than specific
questions regarding types of content that were problematic, the conclusion is
questionable. By making conclusions that support Cisco sales and marketing
efforts, but do not acknowledge the discrepancies in the data, Cisco weakens its
own arguments although given that the research is intended for a non-academic
audience this may not be viewed as a limitation. It would likely be seen as non-
productive for Cisco to explore larger socio-political implications of the research,
particularly when such explorations would offer little or no benefit to company
sales.
Directions for Future Research
While the Cisco Data Leakage Worldwide study is a useful contribution to research into
human information behavior and information security literatures, it is incomplete. Ostensibly
commissioned to explore cultural and national differences in information security behaviors
at both the individual and organizational levels, the research conclusions that Cisco chose to
publish do not demonstrate a sincere interest in the socio-cultural differences in the way users
perceive information security across different geographic regions. Perhaps to expect a
commercial technology vendor to exhibit such scholarly curiosity is unfair. Cisco purchased
the research behind this study as part of a corporate strategy to further the company’s
business interests, not as an academic research project. Yet the findings made available
through the InsightExpress data presentations offer tantalizing glimpses into the effects of
globalization on human information behaviors. Despite the methodological and analytical
critiques offered previously, the Cisco study remains important, if for no other reason than its
novelty.
Data Leakage Worldwide can and should act as a starting point for further research into
information security behaviors across cultures and regions. One way in which the existing
study could be leveraged into further research would be to obtain the full set of instruments,
methods, and data used by InsightExpress. While this approach offers ease of analysis, it
might prove much more difficult logistically. The proprietary nature of the research makes it
likely that InsightExpress would not be willing to share or make public details about the study,
nor does Cisco have much motivation to do so either. Researchers seeking to make use of the
existing data are then forced to analyze and extrapolate based only on the publicly available
reports.
Researchers might also use the Cisco research study as a starting point for planning and
conducting follow-on research into information security behaviors. It might be useful to
attempt to replicate the results of the Cisco study by designing a similar survey instrument
and gathering data from similar respondents across the same countries analyzed as part of
this study. A rigorous empirical methodology combined with more transparency in data
collection and findings could be contrasted with the results of the Cisco study to determine if
discrepancies exist.
A final example of the research that might grow from a close reading of the Cisco study is the
potential for more in-depth qualitative inquiry into the ways that IT security behaviors
manifest within companies. The Cisco study was based on an online survey, with no evidence
that the researchers attempted to elicit additional data from respondents in the form of
interviews or other means of data collection. Yet many of the findings of the research imply
not only differing behaviors between countries but different contexts and even different
definitions of what constitutes security or risk. The study makes many descriptive claims
regarding information security behaviors without attempting to analyze why those differences
may exist, and whether the differences are localized in the individual, in the company for
which the individual works, or in the way that the survey instrument structured individual
responses. Without such insights much of the value to be gained by answering the questions
posed by the research remains untapped.
This final point on the nature of information security behaviors between countries is
instructive not only for information researchers looking to learn from or expand upon the
Cisco survey. Cisco has raised questions through this research study that are important to its
own success as a producer and marketer of IT security technologies. In the white papers Cisco
concludes that organizations need to improve their security policies and security awareness
programs in order to counter the threats of negligent and disgruntled employees. But the
research study stops short of attempting to understand why some users are not aware of
proper security behaviors, despite the presence of formal policies and procedures, or why
some users choose to deliberately circumvent security or to harm their employer by stealing
or abusing IT systems and data. These reasons are also, quite possibly, subject to cultural and
regional differences that are not explored.
One of Cisco’s purposes in conducting the survey was to demonstrate a global awareness that
is appropriate to a multinational firm with an IT infrastructure and employees in most
countries on the planet. Fostering such a global image is important to Cisco’s marketing and
public relations. But future success in the global marketplace will also depend upon a
deliberate understanding of the differences between cultures not only at a general descriptive
level but also at the level of individual human choices and motivations. Data Leakage
Worldwide shows that such differences exist and can impact how companies control sensitive
information and protect the privacy and security of users and customers. As such, the Cisco
study should be seen as an important initial step in understanding human information
behaviors in an information security context.
References
REFERENCES
Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42
(12), 40-46.
Case, D. O. (2007). Looking for information (2nd ed.). Amsterdam: Emerald Group Publishing.
Chau, P. Y. K., Cole, M., Massey, A. P., Montoya-Weiss, M., & O’Keefe, R. M. (2002). Cultural
differences in the online behavior of consumers: Understanding how different cultures use the
net - as well as perceive the same Web sites - can translate to truly global e-commerce.
Communications of the ACM, 45(10), 138-143.
Cisco Systems. (2008a). Data leakage worldwide: Common risks and mistakes employees
make . Retrieved from Cisco Systems, Inc. Web site:
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-
499060.html.
Cisco Systems. (2008b). Data leakage worldwider: The high cost of insider threats . Retrieved
from Cisco Systems, Inc. Web site:
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-
506224.html.
Cisco Systems. (2008c). Data leakage worldwide: The effectiveness of security policies .
Retrieved from Cisco Systems, Inc. Web site:
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-
503131.html.
Dutta, R. (2008). Information needs and information-seeking behavior in developing
countries: A review of the research . The International Information and Library Review, 2009
(41), 41-51. doi:10.1016/j.iilr.2008.12.001.
Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations:
Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2),
154-165. doi:10.1016/j.dss.2009.02.005.
InsightExpress. (2008a). The challenge of data leakage for businesses and employees around
the world. Retrieved from Cisco Systems, Inc. Web site:
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/
Cisco_STL_Data_Leakage_2008_PR1.pdf.
InsightExpress. (2008b). Data leakage worldwide: The effectiveness of corporate security
policies. Retrieved from Cisco Systems, Inc. Web site:
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/
Cisco_STL_Data_Leakage_2008_.pdf.
InsightExpress. (2008c). Data leakage worldwide: The insider threat and the cost of data loss.
Retrieved from Cisco Systems, Inc. Web site:
http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/
Cisco_STL_Data_Leakage_2008.pdf.
Jarvenpaa, S. L., & Ives, B. (1994). The global network organization of the future: Information
management opportunities and challenges. Journal of Management Information Systems, 10
(4), 25-57.
Reddy, M. C., & Jansen, B. J. (2008). A model for understanding collaborative information
behavior in context: A study of two healthcare teams. Information Processing and
Management, 44(1), 256-273. doi:10.1016/ j.ipm.2006.12.010.
Siponen, M. T. (2000). A conceptual foundation for organizational information security
awareness. Information Management & Computer Security, 8(1), 31-41.
Spink, A., & Cole, C. (2006). Human information behavior: Integrating diverse approaches and
information use. Journal of the American Society for Information Science and Technology, 57
(1), 25-35.
Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user security
behaviors. Computers and Security, 24(2), 124-133. doi:10.1016/j.cose.2004.07.001.
Thomson, M. E., & von Solms, R. (1998). Information security awareness: educating your
users effectively. Information Management & Computer Security, 6(4), 167-173.
Vamosi, R. (2008, September 30). Cisco study highlights data loss risks worldwide. cnet news.
Retrieved from http://news.cnet.com/8301-1009_3-10054314-83.html.
Vroom, C., & von Solms, R. (2004). Towards information security behavioral compliance.
Information Management & Computer Security, 6(4), 167-173.
White, D. A. (1986). Information use and needs in manufacturing organizations:
Organizational factors in information behavior. International Journal of Information
Management, 1986(6), 157-170.
Wilson, T. D. (1997). Information behavior: An interdisciplinary perspective. Information
Processing and Management, 33(4), 551-572.
Wilson, T. D. (2006). On user studies and information needs. Journal of Documentation, 62(6),
658-670.
Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of
information security measures: A threat control model and empirical test. Computers in
Human Behavior, 24(6), 2799-2816. doi:10.1016/j.chb.2008.04.005.
Zaheer, S., & Zaheer, A. (1997). Country effects on information seeking in global electronic
networks. Journal of International Business Studies, 28(1), 77-100.