CHAPTER 12
BEHAVIORAL INFORMATION SECURITY
An Overview, Results, and
Research Agenda
JEFFREY M. STANTON, KATHRYN R. STAM, PAUL M. MASTRANGELO,
AND JEFFREY A. JOLTON
Abstract: Information security is a multibillion-dollar problem faced by commercial, non-profit,
and government organizations around the world. Because of their adverse effects on organizational
information systems, viruses, hackers, and malicious insiders can jeopardize organizations'
capabilities to pursue their missions effectively. Although technology-based solutions help to
mitigate some of the many problems of information security, even the best technology cannot work
successfully unless effective human-computer interaction occurs. Information technology
professionals, managers, and end users all play a significant role in determining whether the behavior
that occurs as people interact with information technology will support the maintenance of
effective security or undermine it. In the present paper we try to apply behavioral science concepts and
techniques to understanding problems of information security in organizations. We analyzed a
large set of interviews, developed a set of behavioral categories, and conducted three survey studies
(N = 1167, N = 298, and N = 414) to explore whether and how behavioral science could apply to
the complex set of organizational problems surrounding contemporary information security. We
report these results and provide a future research agenda for researchers who wish to support
organizations' efforts to ensure security of their information assets.
Keywords: Information Security, Organizational Psychology, Surveys
INTRODUCTION
Over recent decades, most work organizations have come to depend on information technology.
As connectivity among computers has increased, so has the likelihood of intrusion, theft,
defacement, etc. Surprisingly, although organizations sometimes focus more on vulnerability to external
attack, industry research by Ernst and Young (2002) indicated that well over half of the cost
of security failures results from insider activity. Computer scientists, network engineers,
information technology specialists, and others have developed technological solutions for these
information security problems (e.g., Won, 2001), and a large software and hardware development
industry is dedicated to the design and marketing of security-related devices such as firewalls and
biometrics.
Many of these developments have resulted in positive business and economic outcomes (Dhillon,
2001), but a constraint appears throughout in the behaviors of the human agents who access, use,