Figure 12.2 Framework for Investigating Behavioral Information Security
[Figure: framework diagram with eight numbered components: 1. Organizational Factors; 2. Individual Factors; 3. Policy Enforcement; 4. Security Training; 5. Collective Policy Knowledge; 6. Collective Security Knowledge; 7. Employee Security Accountability; 8. Security-Related Behaviors]

collectively possessed by all organization members (#5). This latter construct is portrayed as a stock
or resource in recognition that collective knowledge can be built up through educational, documentary,
and enforcement efforts, and can be depleted by neglect and employment attrition.

Next, we found evidence in survey study 2 suggesting that job-relevant attitudes and beliefs (#2)
influence employees' willingness to become engaged with information security-related issues in the
workplace. Organizational commitment, as well as positive and negative feelings about work, may
influence employees' willingness to seek optional training or participate in mandatory training
concerning information security (#4). It is likely that individual factors (#2) also comprise basic
aptitudes and prior knowledge related to technical computer tasks and that these—as well as formal
training—influence the amount of security knowledge collectively possessed by all organization
members (#6). In a parallel construction to collective policy knowledge (#5), collective security
knowledge is portrayed as a stock or resource in recognition that collective knowledge can be built
up through ongoing efforts, and can be depleted by neglect and employment attrition. We recognize
that conceptualizing these areas of collective knowledge as organizational “stocks” or resources is
more speculative than some of the other propositions, but we believe the idea has significant
potential for helping explain the course of security successes and failures at an organization. In our phase
1 qualitative research reported above, we found a large degree of heterogeneity with respect to the
maintenance of policy at the research sites. In some organizations, policies were fresh in the sense
that someone within the organization was paying attention to them, updating them, promoting them,
and ensuring that employee training and awareness programs included consideration of policies. In
other organizations, policies were stale: Printed binders full of dry boilerplate gathered dust on
bookshelves throughout the facility. These findings led us to the belief that both security policy
knowledge—what an employee is expected to do—and procedural security knowledge—how they
can do it—may comprise critical resources in ensuring positive security behaviors.