Information security behavior in organizations : influencing factors and management strategies

Abstract

Employees security behavior is a challenge to the confidentiality, integrity, and availability (CIA) of organizational information. This is because there have been cases of employees compromising organizational information systems (IS) through their behavior whether it is performed with or without intention. Although information security studies are now focusing on insiders’ security behaviors and their impacts on IS, they do not effectively differentiate between security behavior that is intentional or unintentional, and compliant or non-compliant to information security policies. While many studies focus on controlling and preventing unacceptable security behavior, studies that focus on factors encouraging good and desired security behavior are limited. Hence, this research aims are twofold: firstly, to identify different types of intentional and unintentional information security behavior, for both compliant and non-compliant, and; secondly, to examine their influencing factors in order to suggest a taxonomy of information security behavior. By understanding the different categories and influencing factors of employee’s security behavior, organizations may be able to address such behavior in order to protect organizational IS. Security literature has shown that organizations can reduce information security incidents and the cost of technical countermeasures by managing their employees’ security behavior. A recent report from security industry reveals that organizations in the Middle East are being targeted by cyber attackers due to the wealth of the countries and information security practices that are below par in the region. Additionally, security studies suggest examining employees’ security behavior in different cultures and regions, as the majority of the previous studies were conducted in Western culture. Conceptual security behavioral model is proposed based on contemporary information security studies inspired by Islamic principles. Following this, qualitative research approach and multiple-case study on four organizations in Gulf Countries was conducted by interviewing both employees and managers. Moreover, document reviews and participant observation were applied to validate feedback from the participants. The findings indicated that employees’ security culture played an essential role in information security behavioral compliance. Although employees showed their interest to comply with information security policies, non-compliant security behavior was still prevalent since they were lacking in security literacy and awareness. Furthermore, the case organizations’ security countermeasures need to be improved by developing, implementing and enforcing information security policies which are clearly communicated to and understood by all employees. Similarly, the organizations too, need to understand their employees’ behavior. The research findings are corroborated into a proposed model called Integrated Security Behavioral Model (ISBM). ISBM may benefit organizations since the model can be used in assessing, planning and managing their employees’ security behavior and improve their security strategies. The thesis contributes to both research and practice; by fulfilling the research gaps stated above and improve organizations’ best practices through the understanding of employees’ different types of security behavior.