From a theoretical perspective, it would be interesting to pursue the question of how security
personnel judge users' intentions differently based on whether they see the behavior as requiring
a lot of expertise or a little expertise. This question ties in with the notion of trust as a fundamental
component of security in organizations. Knowing whom to trust and under what circumstances to
trust them can make an important difference in security personnel's ability to detect and respond
to potential security problems. If security personnel misjudge the trustworthiness of another actor
based on irrelevant information, this may 1) make it more difficult for certain employees to
conduct legitimate activities, and/or 2) make it easier for individuals with malicious intentions to
carry out detrimental tasks.
RESEARCH PHASE 3: SURVEYS OF NOVICE BEHAVIORS
We used the list of end-user security-related behaviors compiled in the previous phase of research
as the basis for three subsequent survey studies. We focused on the positive or benign
security-related behaviors that could be enacted by employees who did not possess specialized security
training (e.g., regularly changing passwords). Because little systematic research exists concerning
the occurrence of these behaviors in organizations, we believed that an important next step would
be to screen the behaviors against a variety of plausible predictors. At the conclusion of this work
we expected to ascertain a set of patterns relating personal and contextual factors to security
behaviors that we could then use as a basis for proposing a conceptual framework of variables and
processes to guide future research.
Survey Study 1
Genesee Survey Services, a consulting firm based in Rochester, NY, conducts an annual nationwide
study of U.S. workers from a variety of industries. The National Work Opinion Survey (NWOS)
serves as a source of normative data on measures of organizational concern. The NWOS is distributed
by postal mail to a random sample of U.S. employees (using a professionally compiled sampling
frame) along with a postage-paid return envelope. The 2003 version of the NWOS included nine
items customized for the present study based on the list of security-related behaviors described
above. The NWOS sample comprised regular managers and employees, so we sampled only from
the “novice” items in our taxonomy because we expected to find relatively few individuals with
professional security training in the sample. We used three items pertaining to password
management (e.g., frequency of changing the password), three items pertaining to password sharing (e.g.,
sharing with others in the work group) and three items pertaining to organizational support of
security-related behaviors (e.g., “My company/organization provides training programs to help
employees improve their awareness of computer and information security.”). The survey was
distributed to N = 4000 individuals and N = 2011 usable surveys were returned for a response rate
of approximately 50 percent. The survey was offered in several versions, and not all of the
versions contained the customized items. After accounting for these variations and missing data we
had N = 1167 surveys with usable data on the security-related items.
The NWOS captures information about the respondent's organization and demographics. We
screened these organizational and demographic variables as possible predictors. We factor
analyzed the security-related items using a principal components extraction and varimax rotation.
The breakdown of items into factors reflected our original intentions for the items: three items
indicating password sharing (alpha = .67), three items indicating organizational support of
security-related behaviors (alpha = .77), and three items indicating password management (alpha = .56).