Finally, survey studies 2 and 3 suggested that policy knowledge (#5) and employee security
knowledge (#6) may each influence employees' security-related behaviors (#8). Policy knowledge
(#5) provides the mechanism through which the organization's leadership communicates the
priorities and preferences for security to employees. In effect, employees who have substantial
awareness of the content of policies know what security goals are valued as well as the general
repertoire of acceptable behaviors that lead to those goals. To enact those behaviors requires at least one
more ingredient, however: Employees must know specifically what steps to take to achieve a certain
security goal. Knowledge of these steps emerges from the security knowledge (#6) developed, in
part, through training programs (#4).
We also propose one further intermediary construct suggested by our research:
employee security accountability (#7). Taken as a whole, our studies suggest that knowledge by itself
is insufficient to make sure that employees do the right thing. Employees must feel that they
“should do it,” in other words, that enacting the prescribed behaviors leads to valued outcomes
and helps to avoid unpleasant ones. We propose that this security accountability (#7) arises
primarily from the observation of examples of policy enforcement (#3) that show how the
organization notices and punishes transgressions as well as from participation in training programs (#4)
that show the organization's commitment to facilitating right behavior.
The elements depicted in Figure 12.2 along with the proposed interconnections among them
represent our latest thinking about the influences of organizational circumstances and personal
factors on security-related behaviors. It seems certain that the elements and interconnections do
not represent an exhaustive list of the possibilities, but the program of qualitative and quantitative
research we have conducted to date has provided supportive information that bolsters our choice
of variables, resources, and organizational processes depicted in the figure.
CONCLUSION
Building on this research, we hope that other researchers can help us advance the application of
behavioral science to problems of information security. Much work remains in order to facilitate
future research in this area. In particular, the research community needs to develop appropriate
protocols and instruments for assessing such variables as employee security accountability.
Self-report instruments for measuring basic security knowledge, policy knowledge, and other
constructs indicated in Figure 12.2 would also provide benefits for future research. After addressing
measurement and assessment issues, the next pressing need lies in the area of access to
organizations. Like many organizational issues, research on information security in organizations apparently
requires a careful understanding of the context in which security-related behaviors take place. It is
difficult to obtain this level of understanding without access to frank and detailed information from
the various relevant stakeholder groups in the organization, i.e., leaders, technology and security
specialists, and the end-user population. In turn, this access requires the painstaking development
of individual relationships with organizations. A more efficient approach might include the
formation of a research consortium, perhaps centered on cooperation with a professional
organization of security personnel who would provide broad-based access to relevant information from a
wide range of organizations. Finally, we believe that researchers can help to advance the state of
theory in the area of behavioral information security, perhaps building upon some of the ideas
offered in this paper. Relevant theory, focusing on motivation and behavior in organizational
contexts, can provide guideposts that help with the formulation of future research as well as practical
interventions.