Multiple regression results indicated that training, computer usage, self-efficacy, and number
of individuals supervised all served as predictors of positive password behavior. The multiple
R-squared in this analysis was .33, F(4,408) = 44.4, p < .001. The most influential predictor was
self-efficacy, with a beta weight of .45, p < .001. Training (beta = .11, p < .05) and computer
usage (beta = .09, p < .05) both had modest positive relations to password behavior. Finally, the
number of employees supervised had a negative beta weight (beta = -.15, p < .05), indicating
that the greater one's supervisory responsibilities, the worse one's reported password behavior
was. Taken in overview, these results complement and extend the results of the first two surveys by
suggesting that task knowledge and self-efficacy have meaningful associations with novice
security-related behaviors. In the next section, we offer a framework for understanding these results and
becoming prepared for next steps in behavioral research on information security.
PROPOSED RESEARCH FRAMEWORK AND NEXT STEPS
Looking back over the three phases of research, it appears evident that the research tools and
techniques of behavioral science can provide a variety of data about security-related behaviors in
organizations. Our qualitative work revealed the nature and scope of behavioral security problems
faced by individuals with responsibility for information security. We used these insights to
develop and test a categorized list of criterion behaviors for use in subsequent studies. Our
subsequent survey work suggested that organizational, demographic, and attitudinal factors could
predict some of the novice behaviors that information security professionals consider easy targets for
improvement (e.g., password management). Taken together, these studies suggest that security
behaviors relate to a combination of relevant organizational and personal factors and a variety of
mediating influences (see Figure 12.2).
Figure 12.2 organizes our thinking about the groups of variables, processes, and resources likely
to be relevant to understanding, predicting, and influencing security-related behaviors into a
proposed set of causal processes. Three different types of elements in the figure include rectangles for
variables or families of variables, ovals for activities or behaviors, and cylinders for “stocks” or
resources that can be built or depleted over time. (Calling something a stock or resource elevates it
beyond being simply a variable: A stock or resource can be measured using a variable, but it further
signifies a real supply of something—such as disk space, money, caseload, morale, or inventory—
that can be used up, depleted, and/or replenished. See Karnopp and Rosenberg, 1975, for further
details.) The elements in the figure are numbered to match the following narrative description.
Organizational factors (#1) appear in the upper left of the figure in recognition of results from the
first survey. In the first survey, we found organizational predictors that set the stage for the
behavioral repertoires of employees. For instance, in military settings the conditions may exist where the
value of information security is continually reinforced through everyday practices, training, and
socialization. We do not know, at this stage of the research, what specific organizational practices or
characteristics may have the greatest effect on information security. At least three candidates exist,
however. First, we propose that strong and visible leadership in an organization can contribute to
setting the stage for positive security behaviors. When leaders publicly endorse, support, and abide by
the organization's security policies, employees may internalize aspects of the organization's mission
and values in their attitudes and beliefs (#2). Second, we propose that organizational factors such as
the organization's mission and slack financial resources will influence the allocation of resources to
processes of enforcing organizational policies (#3) and running security training and awareness
programs (#4). Finally, we propose that organizational factors such as the degree of bureaucratic
centralization and hierarchical nature of the organization will influence the amount of policy knowledge