human information security behaviors: differences across geographies and cultures in a global user...


Upload: lance-hayden

Post on 15-Jun-2016


Human Information Security Behaviors: Differences Across Geographies and Cultures in a Global User Survey

Authors

Lance Hayden

University of Texas School of Information, Sanchez Building (SZB) 564, 1 University Station D7000, Austin, TX 78712-0390

Email: [email protected]

Data Leakage Worldwide, a 2008 research study commissioned by Cisco Systems, Inc., explored the information security behaviors of information technology (IT) users and decision makers in ten countries around the world. Based upon an online survey, the results published by Cisco Systems concluded that end users engage in risky information security behaviors that negatively impacted the companies for which they worked. The survey also revealed differences in awareness of proper security practices between end users and IT decision makers, as well as a lack of effectiveness in company security policies. One important aspect of the research was the exploration of differences in information security behaviors between respondents in different countries. While the Cisco study is important, a number of questions exist regarding the methods used, data collected, and conclusions made in the survey publications. But regardless of these critiques, the study provides a useful starting point for research into human information security behaviors.

Introduction

In September 2008 Cisco Systems, Inc., a multinational network equipment manufacturer, announced the results of a global research study, Data Leakage Worldwide, which explored data security risks faced by organizations relying on information technology (IT) infrastructures around the world. The study analyzed the effectiveness of corporate information security policies and associated user security behaviors across ten countries in the Americas, Europe, and Asia-Pacific regions (Vamosi, 2008). The research study was commissioned by Cisco and the survey research conducted by InsightExpress, a commercial research firm. Among the goals and findings of the survey was the analysis of differences exhibited across different countries in how IT users and managers perceived information security, how they incorporated security into their daily practices, and how effective were the organizational policies designed to promote or enforce security behaviors among IT users (Cisco, 2008a). The results of the global survey were published as three separate Cisco white papers (Cisco, 2008a; Cisco, 2008b; and Cisco, 2008c) as well as three detailed data presentations by the research firm InsightExpress (InsightExpress, 2008a; InsightExpress, 2008b; and InsightExpress, 2008c). All associated white papers and data presentations were made public and posted on Cisco’s corporate web site as part of a public relations campaign designed to publicize the results of the research study.

The Cisco research study and the resulting publications merit further consideration by information science practitioners. The study occupies a unique intersection between the study of human information behaviors across cultural and regional boundaries and the study of information security behaviors by users of IT. While a variety of research studies have explored one or another of these topics, the Cisco study provides new insights into both. This paper describes the background and findings of the research study, but also offers a critique of the research in terms of its scope and analytical direction. The study privileges certain research findings most directly relevant to the marketing of commercial security technologies while seeming to ignore equally interesting questions about information security and human information behaviors at the social and cultural levels. The result is a study that is compelling to the field of information science but also incomplete. Researchers into areas of human information behavior, the development of socio-technical systems in global environments, and information security may all find the Cisco study a source of inspiration for future research directions and projects.

Human Information Behavior and Information Security Behavior

A great deal of research has been conducted into human information behavior in general as well as into specific aspects of the use of information in a variety of environments and under a variety of influences.

General studies of human information behaviors and user information needs have been conducted within information science for decades. These studies have been effectively summarized over time in a number of reviews (Wilson, 1997; Spink & Cole, 2006; Wilson, 2006; Case, 2007), including multi-disciplinary analyses of information behavior research. Research studies have also been conducted into human information behaviors in specific organizational or industrial contexts, including manufacturing organizations (White, 1986) and healthcare environments (Reddy & Jansen, 2008).

More directly interesting to the Cisco Systems research are those studies that explore human information behaviors in the context of information security or from the perspective of cultural and regional influences on information seeking and use. While less common within the information science literature or the literatures of other fields, there are nevertheless numerous studies that address these aspects of human information behavior as well.

Cultural and regional effects on the use of information, particularly in the context of IT, are increasingly important as globalization exerts a more profound influence on society and industry. Jarvenpaa & Ives (1994) explored the perceived challenges of building globally connected information and knowledge networks that would provide users with the necessary information to complete tasks and support organizational goals, while creating new and unforeseen challenges for business and technology managers tasked with managing these large and increasingly distributed networked entities. At the time of Jarvenpaa & Ives's article, the nascent Internet had not yet seen the development of the global World Wide Web and even technologically sophisticated organizations had yet to realize the potential benefits (and risks) that new information technologies represented. Zaheer & Zaheer studied the ways that country differences influenced the information seeking behaviors of firms competing in the global finance industry. The authors were concerned with the differences in how these firms, located in different countries, engaged in an information-intensive industry that was highly similar globally, particularly how the firms looked for information that would help them prosper. Where Zaheer & Zaheer studied different organizations engaged in a global industry, Dutta (2008) reviewed various research studies into the information behaviors of indigenous peoples in developing countries, including both urban and rural users. And Chau, Cole, Massey, Montoya-Weiss, & O’Keefe (2002) conducted empirical research into the information behaviors of online consumers in the United States and in Hong Kong, looking for evidence that cultural differences could account for differences in online consumer behaviors.

Information security behaviors among users have also proved a fruitful subject for research in information science and other fields. No accepted definition for information security behavior exists, although some scholars have attempted to define information security behavior through the creation of taxonomies and categories of types of information behavior specific to security practitioners (Vroom & von Solms, 2004; Stanton, Stram, Mastrangelo, & Jolton, 2005). More generally, information security behaviors can reasonably be inferred as the ways in which IT users and other individuals interact with information resources that have been determined to require certain protections. Assignation of such protection or the requirement of security information behaviors in regards to particular systems or data is a complex process influenced by state, organizational, and individual decisions and activities. Some studies, including empirical research efforts, have closely examined the roles and behaviors of users in the context of information security (Thomson & von Solms, 1998; Adams & Sasse, 1999). Other studies have examined security from the larger organizational context, exploring security awareness, policy, and enforcement more broadly (Siponen, 2000; Workman, Bommer, & Straub, 2008; Herath & Rao, 2009). Common themes across these studies, and ones which are similar to the purposes and results of the Cisco data leakage research study, include the need to understand how users conceptualize security practices and responsibilities, and how both individual and management behaviors can be improved in order to make information security efforts more effective in the environments in which they exist.

The Cisco Global Data Leakage Study — Background, Methods, and Findings

Cisco Systems is a global manufacturer of networking equipment, beginning with the routers and switches that function as the core infrastructure of the Internet. In addition to network hardware and software systems, Cisco has grown into other IT markets, creating and manufacturing many other IT products including systems for Internet telephony, online collaboration, and information storage. The growth of the company into areas of information technology that were increasingly concerned with processing and managing user data rather than simply transmitting that data “over the wire” has caused Cisco to require more sophisticated capabilities for information security. Today Cisco also manufactures and markets security products and services as part of its corporate strategy, and the data leakage research project discussed here represents a component of Cisco’s security marketing efforts. The situating of this research study into Cisco’s security marketing strategy proves a limiting factor to the research findings, a critique I will elaborate upon later. But the results of the Cisco-sponsored survey nonetheless offer important insights into the differences in information security behavior across regions and cultures.

The stated purpose for commissioning the data leakage survey was “to understand the challenges that increasingly distributed mobile businesses face in protecting sensitive information” (Cisco, 2008a, p. 1). Networking technology has allowed organizations to attain global reach while centralizing IT environments within a single organization. Many multinational companies, including Cisco, have relatively mono-cultural IT infrastructures built upon standard user computing systems and backend network infrastructures. A Cisco employee, for instance, traveling from the corporate headquarters in San Jose, California to corporate offices in Bangalore, Dubai, Budapest, or Sao Paulo finds a remarkable uniformity in IT environments, all of which conform to Cisco’s technological culture. Of course the social cultures between these regions are far less homogeneous. While many companies attempt to train their employees about proper security behaviors, Cisco questions the effectiveness of these efforts, noting that hundreds of millions of sensitive pieces of data have been stolen in recent years. Cisco also points out that many of these incidents are not the result of hackers breaking into corporate systems but the result of employee behaviors (whether intentional or not) (2008a, p. 2).

In an attempt to better understand how geographical and cultural differences influence employee security behaviors, Cisco commissioned InsightExpress to conduct a global survey into the problem of data leakage and risky security behaviors on the part of users and the effectiveness of organizational responses to these risks. It was hoped that by understanding user behaviors when dealing with issues of information security, IT organizations would be better able to respond to internal security risks and encourage more security-conscious user practices. InsightExpress conducted the research through two surveys conducted in ten countries (Australia, Brazil, China, France, Germany, India, Italy, Japan, the United Kingdom, and the United States). For each country in the study, InsightExpress conducted an online survey of individual respondents. Respondents were divided into two categories: “end users,” defined in the study as a “non-IT professional,” and “IT decision makers,” who were defined as “having some influence in purchasing or policy decisions regarding information technology.” It was not clear from the published information how membership in a category was established (for instance by self-selection on the part of the respondent or by a survey question related to job roles within the respondent’s organization). Approximately 100 respondents of each type for each country were included in the research study for a total of 1009 end-users and 1011 IT decision makers (n=2020 respondents total). Survey data was collected over a period from July 16 to August 4, 2008 (InsightExpress, 2008a, p. 2). Country selection for the research study was based upon “contrasting social and business cultures, as well as each workforce’s relative tenure with the Internet and corporate IP [Internet Protocol]-based networks” (Cisco, 2008a, p. 2).

InsightExpress published the survey findings in three separate report presentations (2008a, 2008b, & 2008c). Cisco incorporated the resulting data into three accompanying white papers (2008a, 2008b, & 2008c), specially structured corporate documents that are designed both to convey the results of the research and to act as a marketing tool usable by Cisco employees when promoting Cisco’s products and services. While the InsightExpress publications offer much more specific detail regarding the data, the Cisco white papers attempt to contextualize the survey findings and embed them within narrative structures that are more likely to be well-received by specific (primarily Cisco customer) audiences. Both the InsightExpress presentations and the Cisco white papers divided the survey findings into three broad categories: a general report on the survey and the common security risks and mistakes faced by users of IT systems (InsightExpress, 2008a; Cisco, 2008a), a review of the survey findings that specifically addressed the risk of “insider threats” represented by malicious or disgruntled users who deliberately attempted to subvert organizational security controls (InsightExpress, 2008b; Cisco, 2008b), and an analysis of the effectiveness of security policies employed by organizations as a response to security risks (InsightExpress, 2008c; Cisco, 2008c). For clarity, this paper will discuss the findings of the overall research study as represented within these same three categories selected by Cisco in its publication of the results.

General User Security Findings

The survey research found that IT end users in all countries exhibited “risky behaviors that put corporate and personal data at risk” despite the presence of security mechanisms put in place by their organizations. The Cisco white paper Data Leakage Worldwide: Common Risks and Mistakes Employees Make (2008a) highlighted four findings that applied to IT end user security behaviors generally:

• The use of unauthorized programs and applications led to as many as half of all security incidents resulting in data loss
• 44% of employees misuse corporate computers, including unauthorized sharing of devices
• 39% of IT decision makers reported employees accessing physical and network resources without authorization
• 46% of users reported sharing files between work and personal computers when working from home (p. 1).

While these findings were foregrounded in the published Cisco white paper, they represented a subset of the findings generated by the InsightExpress research data. InsightExpress included other key findings, such as end user respondents indicating that over half of all end users deliberately bypass or change security settings on company-issued computers in order to visit restricted web sites (InsightExpress, 2008a, p. 7).

While the research generated security behavior findings applicable to respondents across all surveyed countries, of special interest are those findings that show significant differences in information security behavior between countries. Cisco highlighted five findings that it described as “noteworthy” examples of such differences:

• Computer abuse in China is so problematic as to require regular audit for unauthorized content by IT decision makers
• 65% of Japanese end users reported violating corporate IT policies and this trend is increasing
• Respondents in India used corporate resources such as email and instant messaging for personal use, and changed security settings to view unauthorized Web content
• Brazilian users reported using corporate resources for personal use such as downloading music
• With only 16% of end users reporting compliance with security policies, France had the lowest rate of IT policy compliance in the study (Cisco, 2008a, p. 2).

As with the general user respondent findings, Cisco chose a subset of findings to promote within the white paper. To understand which differences in security behaviors between particular countries were statistically significant, a reader would have to refer back to the data presentation provided by InsightExpress, which provides a great deal more detail regarding differences between country respondents (2008a).

Insider Threat Findings

The second Cisco white paper published from this research study was Data Leakage Worldwide: The High Cost of Insider Threats (Cisco, 2008b), and is accompanied by a supporting InsightExpress data presentation (2008b). The second white paper attempts to present the survey results in the context of how risky end user behaviors presented “insider threat” risks to IT decision makers and, by extension, organizations that were dependent upon IT infrastructures. Insider threats are considered to be security-related behaviors by employees who were “uninformed, careless, or disgruntled.” Cisco found that the risks posed by these user behaviors are more dangerous than is commonly recognized by IT professionals, and more likely to cause financial losses due to data loss than threats from external sources such as hackers or cybercriminals (Cisco, 2008b, p. 1).

To support these conclusions, Cisco cited findings from the survey data. Roughly dividing these findings into those results related to negligence on the part of end users and those related to disgruntled employees who deliberately committed security violations, Cisco concluded that universal serial bus (USB) drives were the most common potential data loss vector cited by IT decision makers responding to the survey. In addition to specific means of data loss, Cisco identified other threats including a lack of awareness and diligence regarding proper security behavior on the part of end users as well as a lack of awareness by IT decision makers regarding the number and nature of security incidents that their organizations experienced over a particular time period. In one case of deliberate security violations on the part of disgruntled employees, Cisco cited a finding that over 10% of end user respondents claimed to have stolen data or computers that they then sold for a profit (2008b, p. 3).

Unlike Data Leakage Worldwide: Common Risks and Mistakes Employees Make, Cisco’s second white paper does not make an effort to address differences in behaviors between countries. For these findings readers must refer to the accompanying presentation, Data Leakage Worldwide: The Insider Threat and the Cost of Data Loss (InsightExpress, 2008b). As in the case of the first published data results, the InsightExpress presentation contains much more detail regarding the formal results of the survey, including which countries exhibited significant differences in referenced end user and IT decision maker responses.

Effectiveness of Security Policies Findings

Cisco’s final survey-related white paper, Data Leakage Worldwide: The Effectiveness of Security Policies (2008c), and the accompanying data presentation (InsightExpress, 2008c) discuss the research findings related to how organizations attempt to deal with risky security behaviors by IT end users and the extent to which those attempts are or are not successful. As with the previous two white papers, Cisco chooses certain survey findings to promote and includes findings that apply generally to security practices globally. In this white paper, as with the first, Cisco also discusses country differences between certain behaviors, although these discussions are not exhaustive and are conducted at a high level of abstraction.

Cisco’s primary conclusions regarding organizational security policies are that they are often ineffectual and in many cases do not even exist within an organization (as evidenced by 23% of the survey responses). One key finding Cisco draws from the research data is that a large discrepancy (20-30% of respondents across various countries) exists between end user and IT decision maker awareness of the presence of security policies within an organization. Cisco concludes from this discrepancy that “IT is not sufficiently educating and communicating security policies to employees, and that employees may not be paying attention” (Cisco, 2008c, p. 1).

After discussing general problems with security policy effectiveness, Cisco examines differences between countries in regards to how policies are implemented, disseminated, and received by end users. Cisco is particularly concerned with failures to communicate security policies and expected behavioral norms within organizations both at the time of hiring new employees and throughout an employee’s tenure. Some of the findings cited and conclusions drawn from the survey data include:

• European respondents, particularly those from the United Kingdom, France, and Germany exhibited a higher prevalence for the belief “that security policies were never communicated to them or that they were never educated about the policy”
• Companies in Australia, China, Japan, and the United States communicated security policies most often to newly hired employees
• The United States had the largest gap (42%) between IT decision maker responses that newly hired employees were educated on company security policies, and IT end user responses claiming that policies had not been communicated at the time they were hired (2008c, p. 3).

Critiques of the Study

Cisco’s Data Leakage Worldwide study contains a great deal of information of interest to the information science research community. The analysis of cross-cultural security behaviors by IT end users represents a relatively unique research perspective that is missing from the literature. However, the study also has several flaws that must be addressed in the course of any discussion of its findings and any conclusions drawn or generalizations made regarding the research findings. These problems include a lack of transparency regarding InsightExpress’ research methods and the data collected as a result of those methods, and questions of possible confirmation and publication bias in the findings and conclusions that Cisco draws from the research data.

Uncertain Methods and Data Quality

The Cisco research study exhibits a problematic lack of transparency into the methods and data used in conducting the survey. InsightExpress, commissioned by Cisco to conduct the survey, is a provider of commercial research to industry and is under no obligation to disclose survey instruments or methods that might be considered the intellectual property of the firm. While the research data presentations published as part of the study contained a great deal of data regarding the survey results, including notations of statistical significance and the levels of reported significance, no access is given to the specific research instruments or statistical analyses that were used for the study. A reader is unable, as a result, to make a judgment regarding the selection of survey respondents, the survey instrument itself, or which statistical techniques were used to generate findings.

Without detailed information regarding the structure and conduct of the research study it becomes impossible to assess the quality of the study, and quite possible that some areas of the study were flawed to the degree that the findings are rendered suspect. One example of the uncertainties surrounding InsightExpress’ methods is the collection of almost exactly 100 respondents from each country surveyed, for both IT end users and IT decision makers. According to InsightExpress the primary research instrument was an online survey that was posted for twenty days. It seems coincidental that a survey posted for a set time period would collect data from almost exactly the same number (n=100) of respondents across two distinct categories of respondent and ten separate countries. Without any insight into how the survey was structured or managed, however, any conclusions that might be drawn about methodological problems remain speculative. Of course if respondents were selected or the data altered to create a predetermined data set, then the overall findings and conclusions of the research study would be subject to question.

Bias in Findings and Conclusions

Cisco uses the findings of the InsightExpress survey to make certain conclusions, promoted within the published white papers, which may not be supported by the data in the research presentations. One of the pitfalls of commercially sponsored social research is the temptation by industries or companies to privilege certain findings that may support the company’s strategies while ignoring or downplaying findings that do not support or even refute those strategies. While there is no direct evidence that Cisco sought to mislead or otherwise misrepresent the results of the InsightExpress survey, there are instances where evidence of confirmation bias or publication bias may be present.

In one example, a conclusion cited previously, Cisco finds that computer abuse in China was so prevalent that it required Chinese IT decision makers to regularly audit for unauthorized content. This conclusion directly supports Cisco’s corporate goals given that China is a large market for Cisco’s products, including security products that can be used to facilitate such audits. But neither InsightExpress nor Cisco defines what constitutes abuse or unauthorized content, or specifically relates unauthorized content to data loss in a security sense. Unauthorized content could also refer to any data that is proscribed for political or cultural reasons unrelated to IT security. Such content may also differ markedly between countries and cultures, and assuming that the data supporting this conclusion was the result of a generic survey question rather than specific questions regarding types of content that were problematic, the conclusion is questionable. By making conclusions that support Cisco sales and marketing efforts, but do not acknowledge the discrepancies in the data, Cisco weakens its own arguments, although given that the research is intended for a non-academic audience this may not be viewed as a limitation. It would likely be seen as non-productive for Cisco to explore larger socio-political implications of the research, particularly when such explorations would offer little or no benefit to company sales.

Directions for Future Research

While the Cisco Data Leakage Worldwide study is a useful contribution to the human information behavior and information security literatures, it is incomplete. Ostensibly commissioned to explore cultural and national differences in information security behaviors at both the individual and organizational levels, the research conclusions that Cisco chose to publish do not demonstrate a sincere interest in the socio-cultural differences in the way users perceive information security across different geographic regions. Perhaps to expect a commercial technology vendor to exhibit such scholarly curiosity is unfair. Cisco purchased the research behind this study as part of a corporate strategy to further the company’s business interests, not as an academic research project. Yet the findings made available through the InsightExpress data presentations offer tantalizing glimpses into the effects of globalization on human information behaviors. Despite the methodological and analytical critiques offered previously, the Cisco study remains important, if for no other reason than its novelty.

Data Leakage Worldwide can and should act as a starting point for further research into information security behaviors across cultures and regions. One way in which the existing study could be leveraged into further research would be to obtain the full set of instruments, methods, and data used by InsightExpress. While this approach offers ease of analysis, it might prove much more difficult logistically. The proprietary nature of the research makes it likely that InsightExpress would not be willing to share or make public details about the study, nor does Cisco have much motivation to do so either. Researchers seeking to make use of the existing data are then forced to analyze and extrapolate based only on the publicly available reports.

Researchers might also use the Cisco research study as a starting point for planning and conducting follow-on research into information security behaviors. It might be useful to attempt to replicate the results of the Cisco study by designing a similar survey instrument and gathering data from similar respondents across the same countries analyzed as part of this study. A rigorous empirical methodology combined with more transparency in data collection and findings could be contrasted with the results of the Cisco study to determine if discrepancies exist.

A final example of the research that might grow from a close reading of the Cisco study is the potential for more in-depth qualitative inquiry into the ways that IT security behaviors manifest within companies. The Cisco study was based on an online survey, with no evidence that the researchers attempted to elicit additional data from respondents in the form of interviews or other means of data collection. Yet many of the findings of the research imply not only differing behaviors between countries but different contexts and even different definitions of what constitutes security or risk. The study makes many descriptive claims regarding information security behaviors without attempting to analyze why those differences may exist, and whether the differences are localized in the individual, in the company for which the individual works, or in the way that the survey instrument structured individual responses. Without such insights much of the value to be gained by answering the questions posed by the research remains untapped.

This final point on the nature of information security behaviors between countries is instructive not only for information researchers looking to learn from or expand upon the Cisco survey. Cisco has raised questions through this research study that are important to its own success as a producer and marketer of IT security technologies. In the white papers Cisco concludes that organizations need to improve their security policies and security awareness programs in order to counter the threats of negligent and disgruntled employees. But the research study stops short of attempting to understand why some users are not aware of proper security behaviors, despite the presence of formal policies and procedures, or why some users choose to deliberately circumvent security or to harm their employer by stealing or abusing IT systems and data. These reasons are also, quite possibly, subject to cultural and regional differences that are not explored.

One of Cisco’s purposes in conducting the survey was to demonstrate a global awareness that is appropriate to a multinational firm with an IT infrastructure and employees in most countries on the planet. Fostering such a global image is important to Cisco’s marketing and public relations. But future success in the global marketplace will also depend upon a deliberate understanding of the differences between cultures not only at a general descriptive level but also at the level of individual human choices and motivations. Data Leakage Worldwide shows that such differences exist and can impact how companies control sensitive information and protect the privacy and security of users and customers. As such, the Cisco study should be seen as an important initial step in understanding human information behaviors in an information security context.

References

Adams, A., & Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42(12), 40-46.

Case, D. O. (2007). Looking for information (2nd ed.). Amsterdam: Emerald Group Publishing.

Chau, P. Y. K., Cole, M., Massey, A. P., Montoya-Weiss, M., & O’Keefe, R. M. (2002). Cultural differences in the online behavior of consumers: Understanding how different cultures use the net - as well as perceive the same Web sites - can translate to truly global e-commerce. Communications of the ACM, 45(10), 138-143.

Cisco Systems. (2008a). Data leakage worldwide: Common risks and mistakes employees make. Retrieved from Cisco Systems, Inc. Web site: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-499060.html.

Cisco Systems. (2008b). Data leakage worldwide: The high cost of insider threats. Retrieved from Cisco Systems, Inc. Web site: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-506224.html.

Cisco Systems. (2008c). Data leakage worldwide: The effectiveness of security policies. Retrieved from Cisco Systems, Inc. Web site: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/white_paper_c11-503131.html.

Dutta, R. (2008). Information needs and information-seeking behavior in developing countries: A review of the research. The International Information and Library Review, 2009(41), 41-51. doi:10.1016/j.iilr.2008.12.001.

Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness. Decision Support Systems, 47(2), 154-165. doi:10.1016/j.dss.2009.02.005.

InsightExpress. (2008a). The challenge of data leakage for businesses and employees around the world. Retrieved from Cisco Systems, Inc. Web site: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/Cisco_STL_Data_Leakage_2008_PR1.pdf.

InsightExpress. (2008b). Data leakage worldwide: The effectiveness of corporate security policies. Retrieved from Cisco Systems, Inc. Web site: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/Cisco_STL_Data_Leakage_2008_.pdf.

InsightExpress. (2008c). Data leakage worldwide: The insider threat and the cost of data loss. Retrieved from Cisco Systems, Inc. Web site: http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns895/Cisco_STL_Data_Leakage_2008.pdf.

Jarvenpaa, S. L., & Ives, B. (1994). The global network organization of the future: Information management opportunities and challenges. Journal of Management Information Systems, 10(4), 25-57.

Reddy, M. C., & Jansen, B. J. (2008). A model for understanding collaborative information behavior in context: A study of two healthcare teams. Information Processing and Management, 44(1), 256-273. doi:10.1016/j.ipm.2006.12.010.

Siponen, M. T. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), 31-41.

Spink, A., & Cole, C. (2006). Human information behavior: Integrating diverse approaches and information use. Journal of the American Society for Information Science and Technology, 57(1), 25-35.

Stanton, J. M., Stam, K. R., Mastrangelo, P., & Jolton, J. (2005). Analysis of end user security behaviors. Computers and Security, 24(2), 124-133. doi:10.1016/j.cose.2004.07.001.

Thomson, M. E., & von Solms, R. (1998). Information security awareness: educating your users effectively. Information Management & Computer Security, 6(4), 167-173.

Vamosi, R. (2008, September 30). Cisco study highlights data loss risks worldwide. cnet news. Retrieved from http://news.cnet.com/8301-1009_3-10054314-83.html.

Vroom, C., & von Solms, R. (2004). Towards information security behavioral compliance. Information Management & Computer Security, 6(4), 167-173.

White, D. A. (1986). Information use and needs in manufacturing organizations: Organizational factors in information behavior. International Journal of Information Management, 1986(6), 157-170.

Wilson, T. D. (1997). Information behavior: An interdisciplinary perspective. Information Processing and Management, 33(4), 551-572.

Wilson, T. D. (2006). On user studies and information needs. Journal of Documentation, 62(6), 658-670.

Workman, M., Bommer, W. H., & Straub, D. (2008). Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in Human Behavior, 24(6), 2799-2816. doi:10.1016/j.chb.2008.04.005.

Zaheer, S., & Zaheer, A. (1997). Country effects on information seeking in global electronic networks. Journal of International Business Studies, 28(1), 77-100.