1 / 21

Information Security in Organizations: Empirical Examination of Security Practices in Western New York

Information Security in Organizations: Empirical Examination of Security Practices in Western New York . Tejaswini Herath Assistant Professor, Department of Finance, Operations and Information Systems Brock University St. Catharines, Ontario, Canada Prof. H. Raghav Rao

marilu
Télécharger la présentation

Information Security in Organizations: Empirical Examination of Security Practices in Western New York

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Security in Organizations: Empirical Examination of Security Practices in Western New York Tejaswini Herath Assistant Professor, Department of Finance, Operations and Information Systems Brock University St. Catharines, Ontario, Canada Prof. H. Raghav Rao Professor, Department of Management Science and Systems Adjunct Professor, Department of Computer Science and Engineering Co- Director, Center for Excellence in Information Systems Research and Education (CEISARE) Acknowledgements: We appreciate the support and collaboration on this project by the Cyber Task Force, Buffalo Division, FBI. We would like to specially thank Supervisory Special Agent Holly Hubert and Intelligence Analyst Susan Lupiani for their assistance and support. Part of this research is funded in part by NSF under grant 0723763 and MDRF grant #F0630.

  2. Research Theme: Information Security in Organizations Organizations Employees (End users) Managers Mangers are often faced with resource constraints  cumbersome practices  non-compliance by employees

  3. Related Research Questions Organization/ Managerial Perspective Employee (End user) Behavior Management – Employee perspective fit A multi-faceted research issue • What are the drivers/barriers of organizational adoption of security practices • How do various end user beliefs, attitudes and perceptions regarding information security mold their security behavior? • How can the employee security behaviors be influenced? • Does the congruence between employee and management security values result in positive employee outcomes? If so how can it be influenced?

  4. Two simultaneous surveys – Manager survey and Employee survey Select Findings of this study were presented at Technology and Homeland Security Forum, Niagara Falls (October 18, 2007)

  5. Respondents

  6. Approximately how much is budgeted annually, for information security at your organization? Information security budget as a % of total IT budget in your organization. 80%

  7. Security Climate

  8. Employee Survey Employee Behaviors: Introduction • People are the weakest link • Organizations have been actively using security technologies - security can not be achieved through only technological tools alone. • Effective information security in organizations depends on three components: people, processes and technology. • Recently call have been made to pay attention to end-user behaviors • Importance of “Appropriate Computer Use Policies” – has been recognized for a long time, yet, we do not have clear understanding of their impact and effectiveness • Divergent security behaviors • Incidents, Surveys – provide the evidence of policy ignorance

  9. 1. Security Policy Compliance: Role of Extrinsic and Intrinsic Motivators • Objective of this study: to evaluate the extrinsic and intrinsic motivators that encourage information security behaviors in organizations • impact of penalties (extrinsic disincentive), • social pressures (extrinsic disincentive) • perceived value or contribution (intrinsic incentive)

  10. Findings

  11. Discussion • Results indicate that both the intrinsic and extrinsic motivators influence employee intentions of security policy compliance in organizations. • Intrinsic motivation plays a role: if the employees perceive their security compliance behaviors to have a favorable impact on the organization or benefit an organization, they are more likely to take such actions. • Social influence also plays a role in security behaviors. • Certainty of detection was found to have a positive impact on security behavior intention. • Surprisingly, severity of penalty was found to have a negative impact on the security behavior intentions. • incentives and penalties can also play a negative role (Benabou and Tirole 2003; Kohn 1993). • In accordance to views of experts in the field

  12. Implications • from practical point of view the implications for design, development and implementation of secured systems and security policies. • Important for IT management to make efforts to convey to employees that information security is important to an organization and employee actions make a difference in achieving the overall goal of secured information. • Managers can enhance the security compliance by enhancing appropriate security climate in the organizations. • The existence and visibility of the detection mechanisms is perhaps more important than the severity of penalties imposed. T. Herath and H. R. Rao. 2009. “Encouraging Information Security Behaviors: Role of Penalties, Pressures and Perceived Effectiveness” Decision Support Systems (DSS), Vol. 47, No. 2, pp 154-165.

  13. 2. Protection Motivation and Deterrence Premise: Security behaviours are affected by organizational, environmental and behavioural factors Objective: • Test of an Integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd’s Decomposed Theory of Planned Behavior. • protection motivation theory: an evaluation of threat appraisal and response efficacy to identify attitudes towards security policies • environmental factors such as deterrence, facilitating conditions and social influence • role of employees’ organizational commitment on security policy compliance

  14. Response Efficacy (Effectiveness of person’s action) H14 [+] Organizational commitment Response Cost Resource Availability H5 [+] H15 [+] H9 [+] H6 [-] H7 [+] Self-Efficacy Perceived Severity of Security Breach H2 [+] Security Breach Concern level Security Policy Attitude H8 [+] H1 [+] H4 [+] Perceived Probability of Security Breach Security Policy Compliance Intention H3 [+] H10 [+] H13 [+] H12 [+] Punishment Severity H11 [+] Subjective Norm Descriptive Norm Detection Certainty Model

  15. Results

  16. Findings T. Herath and H. R. Rao. 2009. “Protection Motivation and Deterrence: A Framework for Security Policy Compliance in Organizations", European Journal of Information Systems (EJIS), Vol. 18, No. 2, pp. 106-125.

  17. 3. Employee Perceptions of Security Climate: A Dyadic Investigation of Manager Employee Perception Alignment • Motivation: • To manage security effectively: training and awareness and policy enforcement. • Successful implementation of IT security controls and policies is only possible when individuals align their value system with those of management(Mishra and Dhillon 2006) • Empirical research on evaluating the effectiveness of these mechanisms is almost non existent - these mechanisms lack the evidence of effectiveness (Aytes and Connolly 2004) • Objectives: • Investigation of employee perception of security climate and its relation with policy compliance behavior; • Role of above two organizational socialization processes in shaping the security climate perceptions of the employees • Evaluation of security climate and its influence on end-user policy compliance from the dyadic perspective of both management and employee views

  18. Findings • This dyadic study sheds light into importance of understanding various socio-organizational nuances for effective security management • Security climate significantly affects security policy compliance • Training & awareness and policy enforcement both significantly contribute to the security climate perceptions (R2=> 0.47) – thus are important mechanisms for the creating security conscious environment • Recent eCrime survey (based on sample of 434 organizations) suggests that although the policies are in place the training and awareness efforts as well as policy enforcement efforts are much lower in magnitude 19

  19. Policies and enforcement – Mgr responses

  20. Contributions: Implications for Practice and Theory • Dyadic Test: employee behavior may be driven more by personally held beliefs rather than actual organizational climate • Important for management to have a clearer understanding of the effectiveness of these mechanisms; • Vital for management to gauge how these efforts are perceived by the end-users and to what level they are accepted. • Our study empirically substantiates the need for management awareness of the multiple facets of end-user behaviors. 21

More Related