Information Security in Organizations: Empirical Examination of Security Practices in Western New York - PowerPoint PPT Presentation


PPT – Information Security in Organizations: Empirical Examination of Security Practices in Western New York PowerPoint presentation | free to download - id: 1ed52f-ZDc1Z


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Information Security in Organizations: Empirical Examination of Security Practices in Western New York


St. Catharines, Ontario, Canada. Prof. H. Raghav Rao ... Technology and Homeland Security Forum, Niagara Falls (October 18, 2007) Respondents ... – PowerPoint PPT presentation

Number of Views:94
Avg rating:3.0/5.0
Slides: 22
Provided by: teju7


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Information Security in Organizations: Empirical Examination of Security Practices in Western New York

Information Security in Organizations Empirical
Examination of Security Practices in Western New
Tejaswini Herath Assistant Professor, Department
of Finance, Operations and Information
Systems Brock University St. Catharines, Ontario,
Canada Prof. H. Raghav Rao Professor, Department
of Management Science and Systems Adjunct
Professor, Department of Computer Science and
Engineering Co- Director, Center for Excellence
in Information Systems Research and Education
Acknowledgements We appreciate the support and
collaboration on this project by the Cyber Task
Force, Buffalo Division, FBI. We would like to
specially thank Supervisory Special Agent Holly
Hubert and Intelligence Analyst Susan Lupiani for
their assistance and support. Part of this
research is funded in part by NSF under grant
0723763 and MDRF grant F0630.
Research Theme Information Security in
Employees (End users)
Mangers are often faced with resource constraints
? cumbersome practices ? non-compliance by
Related Research Questions
A multi-faceted research issue
  • What are the drivers/barriers of organizational
    adoption of security practices
  • How do various end user beliefs, attitudes and
    perceptions regarding information security mold
    their security behavior?
  • How can the employee security behaviors be
  • Does the congruence between employee and
    management security values result in positive
    employee outcomes? If so how can it be influenced?

  • Two simultaneous surveys Manager survey and
    Employee survey

Manager Survey Employee Survey Responses Available for Dyadic Investigation
122 Managers 312 employees from 78 organizations 257 matched pairs from 54 organizations
Select Findings of this study were presented at
Technology and Homeland Security Forum, Niagara
Falls (October 18, 2007)
Approximately how much is budgeted annually, for
information security at your organization?
Information security budget as a of total IT
budget in your organization.
(No Transcript)
Security Climate
Employee Survey
  • Employee Behaviors Introduction
  • People are the weakest link
  • Organizations have been actively using security
    technologies - security can not be achieved
    through only technological tools alone.
  • Effective information security in organizations
    depends on three components people, processes
    and technology.
  • Recently call have been made to pay attention to
    end-user behaviors
  • Importance of Appropriate Computer Use Policies
    has been recognized for a long time, yet, we do
    not have clear understanding of their impact and
  • Divergent security behaviors
  • Incidents, Surveys provide the evidence of
    policy ignorance

1. Security Policy Compliance Role of Extrinsic
and Intrinsic Motivators
  • Objective of this study to evaluate the
    extrinsic and intrinsic motivators that encourage
    information security behaviors in organizations
  • impact of penalties (extrinsic disincentive),
  • social pressures (extrinsic disincentive)
  • perceived value or contribution (intrinsic

  • Results indicate that both the intrinsic and
    extrinsic motivators influence employee
    intentions of security policy compliance in
  • Intrinsic motivation plays a role if the
    employees perceive their security compliance
    behaviors to have a favorable impact on the
    organization or benefit an organization, they are
    more likely to take such actions.
  • Social influence also plays a role in security
  • Certainty of detection was found to have a
    positive impact on security behavior intention.
  • Surprisingly, severity of penalty was found to
    have a negative impact on the security behavior
  • incentives and penalties can also play a negative
    role (Benabou and Tirole 2003 Kohn 1993).
  • In accordance to views of experts in the field

  • from practical point of view the implications for
    design, development and implementation of secured
    systems and security policies.
  • Important for IT management to make efforts to
    convey to employees that information security is
    important to an organization and employee actions
    make a difference in achieving the overall goal
    of secured information.
  • Managers can enhance the security compliance by
    enhancing appropriate security climate in the
  • The existence and visibility of the detection
    mechanisms is perhaps more important than the
    severity of penalties imposed.

T. Herath and H. R. Rao. 2009. Encouraging
Information Security Behaviors Role of
Penalties, Pressures and Perceived Effectiveness
Decision Support Systems (DSS), Vol. 47, No. 2,
pp 154-165.
2. Protection Motivation and Deterrence
  • Premise Security behaviours are affected by
    organizational, environmental and behavioural
  • Objective
  • Test of an Integrated Protection Motivation and
    Deterrence model of security policy compliance
    under the umbrella of Taylor-Todds Decomposed
    Theory of Planned Behavior.
  • protection motivation theory an evaluation of
    threat appraisal and response efficacy to
    identify attitudes towards security policies
  • environmental factors such as deterrence,
    facilitating conditions and social influence
  • role of employees organizational commitment on
    security policy compliance

Protection Motivation Important for IT management to communicate the reality of security threats to organizational end-users Important for IT management to make efforts to convey to employees that their actions make a difference in achieving the overall goal of system security
Deterrence Severity of penalty had negative impact, while certainty of detection had positive impact ? Monitoring is essential
Theory of Planned Behavior Subjective and Descriptive norms both play a role Appropriate security climate Managers need to make security policy related resources easily available to employees. Implications of self-efficacy for training or organizational development are numerous
Organizational Commitment plays a role ? managerial actions for employee involvement are important.
T. Herath and H. R. Rao. 2009. Protection
Motivation and Deterrence A Framework for
Security Policy Compliance in Organizations",
European Journal of Information Systems (EJIS),
Vol. 18, No. 2, pp. 106-125.
3. Employee Perceptions of Security Climate A
Dyadic Investigation of Manager Employee
Perception Alignment
  • Motivation
  • To manage security effectively training and
    awareness and policy enforcement.
  • Successful implementation of IT security controls
    and policies is only possible when individuals
    align their value system with those of management
    (Mishra and Dhillon 2006)
  • Empirical research on evaluating the
    effectiveness of these mechanisms is almost non
    existent - these mechanisms lack the evidence of
    effectiveness (Aytes and Connolly 2004)
  • Objectives
  • Investigation of employee perception of security
    climate and its relation with policy compliance
  • Role of above two organizational socialization
    processes in shaping the security climate
    perceptions of the employees
  • Evaluation of security climate and its influence
    on end-user policy compliance from the dyadic
    perspective of both management and employee views

  • This dyadic study sheds light into importance of
    understanding various socio-organizational
    nuances for effective security management
  • Security climate significantly affects security
    policy compliance
  • Training awareness and policy enforcement both
    significantly contribute to the security climate
    perceptions (R2gt 0.47) thus are important
    mechanisms for the creating security conscious
  • Recent eCrime survey (based on sample of 434
    organizations) suggests that although the
    policies are in place the training and awareness
    efforts as well as policy enforcement efforts are
    much lower in magnitude

Policies and enforcement Mgr responses
Contributions Implications for Practice and
  • Dyadic Test employee behavior may be driven more
    by personally held beliefs rather than actual
    organizational climate
  • Important for management to have a clearer
    understanding of the effectiveness of these
  • Vital for management to gauge how these efforts
    are perceived by the end-users and to what level
    they are accepted.
  • Our study empirically substantiates the need for
    management awareness of the multiple facets of
    end-user behaviors.