Post on 19-Dec-2015
Information Security in Organizations: Empirical Examination of Security Practices in Western New York
Tejaswini Herath, Assistant Professor, Department of Finance, Operations and Information Systems, Brock University, St. Catharines, Ontario, Canada
Prof. H. Raghav Rao, Professor, Department of Management Science and Systems; Adjunct Professor, Department of Computer Science and Engineering; Co-Director, Center for Excellence in Information Systems Research and Education (CEISARE)
Acknowledgements: We appreciate the support and collaboration on this project by the Cyber Task Force, Buffalo Division, FBI. We would like to specially thank Supervisory Special Agent Holly Hubert and Intelligence Analyst Susan Lupiani for their assistance and support. This research is funded in part by NSF under grant 0723763 and MDRF grant #F0630.
Research Theme: Information Security in Organizations
A multi-faceted research issue involving three perspectives: Organizations, Managers, and Employees (End users).
Managers are often faced with resource constraints, cumbersome practices and non-compliance by employees.
Related Research Questions
Employee (End user) Behavior:
  How do various end user beliefs, attitudes and perceptions regarding information security mold their security behavior?
  How can employee security behaviors be influenced?
Management – Employee perspective fit:
  Does the congruence between employee and management security values result in positive employee outcomes? If so, how can it be influenced?
Organization/Managerial Perspective:
  What are the drivers/barriers of organizational adoption of security practices?
Two simultaneous surveys – Manager survey and Employee survey
Manager Survey and Employee Survey: 122 managers and 312 employees from 78 organizations
Responses available for dyadic investigation: 257 matched pairs from 54 organizations
Select Findings of this study were presented at Technology and Homeland Security Forum, Niagara Falls (October 18, 2007)
Respondents: Figure 3. Respondents by Business Sector (share of respondents)
Water Supply: 1%
Transportation: 1%
Retail: 1%
Power/Energy: 1%
Aerospace: 1%
Oil/Gas: 2%
Internet Service Provider: 2%
Media Company: 3%
Defense Contracting: 4%
Service: 7%
Financial Services: 9%
Education: 9%
Medical: 16%
Manufacturing: 17%
Other: 26%
Respondents by Number of Authorized Users (pie chart; categories: 1 to 20, 21 to 50, 51 to 100, 101 to 500, 501 to 1000, 1000 or more; shares shown: 6%, 11%, 17%, 19%, 21%, 26%)
Approximately how much is budgeted annually for information security at your organization? (share of respondents)
None: 48%
Less than $50,000: 34%
$50,000 to $99,999: 4%
$100,000 to $249,999: 3%
$250,000 to $499,999: 2%
$500,000 to $999,999: 2%
$1 to $4.9 million: 5%
$5 to $9.9 million: 2%
Information security budget as a % of total IT budget in your organization (share of respondents)
More than 10%: 8%
8-10%: 11%
6-7%: 5%
3-5%: 27%
1-2%: 10%
Less than 1%: 12%
Unknown: 27%
Resource Availability (chart: Disagree / Neither Agree nor Disagree / Agree responses on the availability of Financial Resources, Technological Resources and Human Resources; each bar between 25% and 48%)
Security Climate (Disagree / Neither Agree nor Disagree / Agree)
Employees value the importance of security: 20% / 13% / 67%
Security has traditionally been considered an important organizational value: 31% / 19% / 50%
Practicing good security is part of the shared beliefs of employees: 33% / 19% / 48%
The overall environment fosters security-minded thinking: 30% / 26% / 44%
The need to protect information is a basic assumption of employees: 35% / 24% / 41%
Employee Survey
Employee Behaviors: Introduction
People are the weakest link.
Organizations have been actively using security technologies, but security cannot be achieved through technological tools alone.
Effective information security in organizations depends on three components: people, processes and technology.
Recently calls have been made to pay attention to end-user behaviors. The importance of "Appropriate Computer Use Policies" has been recognized for a long time, yet we do not have a clear understanding of their impact and effectiveness.
Divergent security behaviors: incidents and surveys provide evidence of policy ignorance.
1. Security Policy Compliance: Role of Extrinsic and Intrinsic Motivators
Objective of this study: to evaluate the extrinsic and intrinsic motivators that encourage information security behaviors in organizations: the impact of penalties (extrinsic disincentive), social pressures (extrinsic disincentive) and perceived value or contribution (intrinsic incentive).
Model (all paths lead to Policy Compliance Intention):
Extrinsic Disincentives: Severity of Penalty and Certainty of Detection (H1a [+], H1b [+])
Social pressures: Normative Beliefs and Peer Behavior (H2a [+], H2b [+])
Intrinsic Incentives: Perceived contribution (Perceived employee Effectiveness) (H3 [+])
Results: path coefficients, t values in parentheses: -0.132** (2.23), 0.205*** (3.29), 0.433*** (5.29), 0.186*** (3.47), 0.157** (2.95); R² = 0.412. The one negative coefficient (-0.132) is the severity of penalty path (see Findings below).
* significant at p < 0.05 level; ** significant at p < 0.01 level; *** significant at p < 0.001 level
Findings and Discussion
Results indicate that both intrinsic and extrinsic motivators influence employee intentions of security policy compliance in organizations.
Intrinsic motivation plays a role: if employees perceive their security compliance behaviors to have a favorable impact on the organization or to benefit the organization, they are more likely to take such actions.
Social influence also plays a role in security behaviors.
Certainty of detection was found to have a positive impact on security behavior intention.
Surprisingly, severity of penalty was found to have a negative impact on security behavior intentions. This is in accordance with the views of experts in the field that incentives and penalties can also play a negative role (Benabou and Tirole 2003; Kohn 1993).
Implications from a practical point of view: the results have implications for the design, development and implementation of secure systems and security policies.
It is important for IT management to convey to employees that information security is important to the organization and that employee actions make a difference in achieving the overall goal of secured information.
Managers can enhance security compliance by fostering an appropriate security climate in their organizations.
The existence and visibility of detection mechanisms is perhaps more important than the severity of penalties imposed.
T. Herath and H. R. Rao. 2009. “Encouraging Information Security Behaviors: Role of Penalties, Pressures and Perceived Effectiveness” Decision Support Systems (DSS), Vol. 47, No. 2, pp 154-165.
2. Protection Motivation and Deterrence
Premise: Security behaviours are affected by organizational, environmental and behavioural factors.
Objective: Test of an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behavior:
  protection motivation theory: an evaluation of threat appraisal and response efficacy to identify attitudes towards security policies
  environmental factors such as deterrence, facilitating conditions and social influence
  role of employees' organizational commitment on security policy compliance
Model
Constructs: Perceived Severity of Security Breach, Perceived Probability of Security Breach, Security Breach Concern level, Response Efficacy (Effectiveness of person's action), Response Cost, Self-Efficacy, Security Policy Attitude, Punishment Severity, Detection Certainty, Subjective Norm, Descriptive Norm, Resource Availability, Organizational commitment, Security Policy Compliance Intention.
Hypotheses H1 through H15: all hypothesized paths are positive [+] except H6 [-].
Results (path coefficient diagram over the same constructs)
Control Variables: Age -0.017 (t: 0.318); Edu -0.072 (t: 1.302); Gender 0.098* (t: 2.05); IT/non-IT job 0.038 (t: 0.82); CompNum 0.093 (t: 1.68); AnnualSecBud 0.026 (t: 0.498)
Findings
Protection Motivation
  ○ Important for IT management to communicate the reality of security threats to organizational end-users
  ○ Important for IT management to make efforts to convey to employees that their actions make a difference in achieving the overall goal of system security
Deterrence
  ○ Severity of penalty had a negative impact, while certainty of detection had a positive impact; monitoring is essential
Theory of Planned Behavior
  ○ Subjective and Descriptive norms both play a role – appropriate security climate
  ○ Managers need to make security policy related resources easily available to employees. Implications of self-efficacy for training or organizational development are numerous
  ○ Organizational Commitment plays a role: managerial actions for employee involvement are important
T. Herath and H. R. Rao. 2009. “Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organizations”, European Journal of Information Systems (EJIS), Vol. 18, No. 2, pp. 106-125.
3. Employee Perceptions of Security Climate: A Dyadic Investigation of Manager Employee Perception Alignment
Motivation:
To manage security effectively: training and awareness, and policy enforcement.
Successful implementation of IT security controls and policies is only possible when individuals align their value system with those of management (Mishra and Dhillon 2006).
Empirical research evaluating the effectiveness of these mechanisms is almost non-existent; these mechanisms lack evidence of effectiveness (Aytes and Connolly 2004).
Objectives:
  Investigation of employee perception of security climate and its relation with policy compliance behavior
  Role of the above two organizational socialization processes in shaping the security climate perceptions of employees
  Evaluation of security climate and its influence on end-user policy compliance from the dyadic perspective of both management and employee views
Findings
This dyadic study sheds light on the importance of understanding various socio-organizational nuances for effective security management.
Security climate significantly affects security policy compliance.
Training & awareness and policy enforcement both significantly contribute to security climate perceptions (R² ≥ 0.47) and are thus important mechanisms for creating a security conscious environment.
A recent eCrime survey (based on a sample of 434 organizations) suggests that although policies are in place, training and awareness efforts as well as policy enforcement efforts are much lower in magnitude.
Policies and enforcement – Manager responses (chart: Disagree / Neither Agree nor Disagree / Agree for each statement; values between 7% and 72%)
Statements:
  Information security awareness is communicated well throughout the organization.
  Users receive adequate security training prior to receiving a network account.
  Information security policies are made available to employees on-line.
  A variety of business communications (notices, posters, newsletters, etc.) are used to promote security awareness.
  Information security policies are written in a manner that is clear and understandable.
  Policies are consistently enforced across the organization.
  Information security rules are enforced by sanctioning the employees who break them.
  Employee computer practices are properly monitored for policy violations.
Contributions: Implications for Practice and Theory
Dyadic Test: employee behavior may be driven more by personally held beliefs than by the actual organizational climate.
It is important for management to have a clearer understanding of the effectiveness of these mechanisms.
It is vital for management to gauge how these efforts are perceived by end-users and to what level they are accepted.
Our study empirically substantiates the need for management awareness of the multiple facets of end-user behaviors.