administer, and maintain information resources. The success of security appears to depend upon the effective behavior of the individuals involved in its use. Appropriate and constructive behavior by end users, system administrators, and others can enhance the effectiveness of information security, while inappropriate and destructive behaviors can inhibit its effectiveness. Human behavior is complex and multi-faceted, and this complexity defies the expectations for control and predictability that technology developers routinely assume for the technology with which they work. As the Organisation for Economic Co-Operation and Development's Guidelines for the Security of Information Systems state, “Each participant is an important actor for ensuring security. Participants, as appropriate to their roles, should be aware of the relevant security risks and preventive measures, assume responsibility and take steps to enhance the security of information systems and networks” (OECD, 2002, p. 8). This statement represents a shift in perspective from the guidelines that the OECD published ten years earlier: whereas the earlier guidelines were technology centric, the current guidelines emphasize that the actions of individuals and organizations influence security.
This paper takes this perspective on information security to heart by focusing on “behavioral information security,” which is defined as the human actions that influence the availability, confidentiality, and integrity of information systems. We have investigated these behaviors and their motivational antecedents through a linked series of studies. Our goal in the present paper lies in discussing the results from these studies and drawing out the implications of these results for future science and practice in organizations. With this paper we hope to continue the process started by other researchers of substantiating the claim that social, organizational, and behavioral scientists have much to contribute in addressing the problems of information security faced by contemporary work organizations. We expect that this contribution can come from applying researchers' established expertise in understanding and influencing the behaviors involved in the use of information technology. In the remainder of this paper we review some of the literature that we drew upon in framing this line of research. We then briefly overview the results of three studies we conducted that have explored this new research area. Finally, we describe our vision for future research in the behavioral aspects of information security.
Technology, Human Factors, Management, and the Behavioral Gap
At the low end, losses from security breaches have been estimated at approximately $20 billion per year across all U.S. organizations (Security Wire Digest, 2000). These losses have spurred increased spending on information security specialists and technology: according to a 2002 industry survey by Information Security magazine, very large organizations spend an average of $6 million per year apiece on information security. Smaller organizations spend on average nearly 20 percent of their overall information technology budgets on security-related products.
Product development in this new sub-industry has received ample intellectual backing from an array of academic research programs on cryptography, public key infrastructure, watermarking, access control, intrusion detection, and related topics. The CiteSeer automated indexing facility (http://citeseer.nj.nec.com) lists more than ten thousand academic science and engineering articles related to information security. Although relatively small by comparison, bodies of research in human factors and in business management have also developed around information security. In the next few pages, we provide overviews of the research in these areas and then discuss how new research might fit into the neglected gap between the different areas.