Abstract
Insider threats pose a significant risk to organizational data security, and many organizations implement information security policies (ISPs) to reduce insider threats. This study used the unified theory of acceptance and use of technology 2 (UTAUT2) to examine factors that predict compliance among nonmalicious employees. A partial least squares structural equation modeling approach was used to examine survey data collected from N = 158 nonmalicious employees. The analysis indicated that social influence and facilitating conditions were the only UTAUT2 factors that significantly predicted nonmalicious employees’ compliance. The study’s findings suggest that organizations should focus on building workplace cultures that emphasize the social importance of ISP compliance.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Morris, E.D., Muller, S.R. (2023). Analyzing Information Security Among Nonmalicious Employees. In: Nguyen, T.D.L., Verdú, E., Le, A.N., Ganzha, M. (eds) Intelligent Systems and Networks. ICISN 2023. Lecture Notes in Networks and Systems, vol 752. Springer, Singapore. https://doi.org/10.1007/978-981-99-4725-6_74
DOI: https://doi.org/10.1007/978-981-99-4725-6_74
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-4724-9
Online ISBN: 978-981-99-4725-6
eBook Packages: Computer Science (R0)