Skip to main content
SpringerLink
Log in

An Empirical Study on Information Security Behaviors and Awareness

  • Chapter
  • First Online:
The Economics of Information Security and Privacy

Abstract

In this chapter, we investigate some key factors which have effects on employees’ behaviors in violating rules which are related to information leaks given the condition that the behaviors are totally prohibited by their organization. By using collected data from a survey that we conducted, and employing a stepwise logit model, we analyze the relationships above. The primary results are as follows: First of all, myopic cognition and hyperopic cognition measured by the CFC scale have effects on the behaviors of violating organizational rules in almost all cases. Next, in many cases, individuals whose information security awareness is higher tend not to violate the rules. Third, the behavior of violating the rules is independent of the size of the organization, and is not related to the degree of workplace satisfaction and the evaluation toward the managers in some cases. Fourth, in an organization in which permanent employment is implemented, individuals tend to violate the rules. It is not easy to control psychological factors such as an individual’s attitude toward risk. Conversely, the factors regarded as organizational attributes, such as the degree of workplace satisfaction or the employment system utilized, may be controlled by designing the appropriate organizational environment. Consequently, we consider that it may be effective to improve information security awareness by information security education and training.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    These studies provide good reviews about these theories regarding information security [23, 38].

  2. 2.

    System dynamics is a method for modeling and analyzing the holistic behavior of complex problems as they evolve over time. System dynamics has been used to gain insight into some of the most challenging strategy questions facing businesses and government for several decades.

  3. 3.

    Generally, a behavioral model using a logit regression equation is devoted to explaining and predicting human behavior and has been used in the various fields for a long time.

  4. 4.

    We point out the following characteristics: (1) we can obtain the desired sample size for statistical analysis; (2) imposing conditions on attributes of respondents beforehand has a predilection for a Bayesian approach; and (3) because the Web-based survey is conducted agilely, it is easy to collect data set for analysis.

  5. 5.

    Of course, we do not intend to ignore this statistical problem. We expect that future studies on the representativeness of data from Web-based surveys will be promoted.

  6. 6.

    Because some respondents select “I do not know whether or not the measures are prohibited within the organization” or “the measures are prohibited with some conditions within the organization” in the survey, these respondents are excluded.

  7. 7.

    If the respondent selects option “B” when the probability is 99 %, we assume that he tolerates all the risks.

  8. 8.

    Cronbach’s alpha of the scale was 0.691, which showed adequate internal consistency of the scale. The alpha is above the recommended level of 0.6.

References

  1. Ajzen, I.: The theory of planned behavior. Organ. Behav. Hum. Decis. Process. 50, 179–211 (1991)

    Article  Google Scholar 

  2. Albrechtsen, E.: A qualitative study of users’ view on information security. Comput. Secur. 26, 276–289 (2007)

    Article  Google Scholar 

  3. Albrechtsen, E., Hovden, J.: The information security digital divide between information security managers and users. Comput. Secur. 28, 476–490 (2009)

    Article  Google Scholar 

  4. Albrechtsen, E., Hovden, J.: Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Comput. Secur. 29, 432–445 (2010)

    Article  Google Scholar 

  5. Aurigemma, S., Panko, R.: A composite framework for behavioral compliance with information security policies. In: Proceedings of 45th Hawaii International Conference on System Sciences, Maui, pp. 3248–3257 (2012)

    Google Scholar 

  6. Becker, G.M., Degroot, M.H., Marschak, J.: Measuring utility by a single response sequential method. Behav. Sci. 9, 226–232 (1964)

    Article  Google Scholar 

  7. Bulgurcu, B., Cavusoglu, H., Benbasat, I.: Roles of information security awareness and percieved fairness in information security policy compliance. In: Proceedings of the Fifteenth Americas Conference on Information Systems, San Francisco, Paper 419, 1-9 (2009)

    Google Scholar 

  8. Cappelli, D.M., Desai, A.G., Moore, A.P., Shimeall, T.J., Weaver, E.A., Willke, B.J.: Management and education of the risk of insider threat (MERIT): mitigating the risk of sabotage to employers’ information, systems, or networks. Technical Note, Software Engineering Institute, Carnegie Mellon University, CMU/SEI-2006-TN-041 (2007)

    Google Scholar 

  9. Chang, K.M.: Predicting unethical behavior: a comparison of the theory of reasoned action and the theory of planned behavior. J. Bus. Ethics 17(16), 1825–1834 (1998)

    Article  Google Scholar 

  10. Chen, J.V., Chen, C.C., Yang, H.H.: An empirical evaluation of key factors contributing to internet abuse in the workplace. Ind. Manage. Data Syst. 108(1), 87–106 (2008)

    Article  Google Scholar 

  11. Couper, M.P.: Web surveys: a review of issues and approaches. Piblic Opin. Q. 64, 464–494 (2000)

    Article  Google Scholar 

  12. Cramer, J.S., Hatog, J., Jonker, N., Van Praag, C.M.: Low risk aversion encourages the choice for entrepreneurship: an empirical test of a truism. J. Econ. Behav. Organ. 48, 29–36 (2002)

    Article  Google Scholar 

  13. Cressey, D.R.: Other People’s Money: A Study in the Social Psychology of Embezzlement. Patterson-Smith, Montclair (1973)

    Google Scholar 

  14. D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information system misuse: a deterrence approach. Inf. Syst. Res. 20, 1–20 (2008)

    Google Scholar 

  15. Foltz, C.B., Schwager, P.H., Anderson, J.E.: Why users (fail to) read computer usage policies. Ind. Manage. Data Syst. 108(6), 701–712 (2008)

    Article  Google Scholar 

  16. Galletta, D.F., Polak, P.: An empirical investigation of antecedents of internet abuse in the workplace. In: Proceedings of the Second Annual Workshop on HCI Research in MIS, Seattle, pp. 47–51 (2003)

    Google Scholar 

  17. Greitzer, F.L., Hohimer, R.E.: Modeling human behavior to anticipate insider attacks. J. Strateg. Secur. IV(2), 25–48 (2011)

    Google Scholar 

  18. Greitzer, F.L., Kangas, L.J., Noonan, C.F., Dalton, A.C., Hohimer, R.E.: Identifying at-risk employees: modeling psychosocial precursors of potential insider threats. In: Proceedings of 45th Hawaii International Conference on System Sciences, Maui, pp. 2392–2401 (2012)

    Google Scholar 

  19. Hosmer, D.W., Lemeshow, S.: Applied Logistic Regression, 2nd edn. Wiley-Interscience, New York (2000)

    Book  MATH  Google Scholar 

  20. Information-Technology Promotion Agency: Information Security White Paper. Information-Technology Promotion Agency, Tokyo (2011)

    Google Scholar 

  21. Kahneman, D., Tversky, A.: Prospect theory: an analysis of decision under risk. Econometrica 47(2), 263–292 (1979)

    Article  MATH  Google Scholar 

  22. Komatsu, A., Akai, K., Ueda, M., Matsumoto, T.: Is the security measurement situation a social dilemma? Applying Bot measurement operation. IPSK SIG Technical Report, 2009-CSEC-46(40), 1-8 (2009)

    Google Scholar 

  23. Lee, J., Lee, Y.: A holistic model of computer abuse within organizations. Inf. Manage. Comput. Secur. 10(2), 57–63 (2002)

    Article  Google Scholar 

  24. Lee, S.M., Lee, S.G., Yoo, S.: An integrative model of computer abuse based on social control and general deterrence theories. Inf. Manage. 40, 707–718 (2004)

    Article  Google Scholar 

  25. Lim, V.K.G.: The IT way of loafing on the job: cyberloafing, neutralizing and organizational justice. J. Organ. Behav. 23, 675–694 (2002)

    Article  Google Scholar 

  26. Mcilwraith, A.: Information Security and Employee Behaviour: How to Reduce Risk Through Employee Education, Training and Awareness. Gower, Hampshire (2006)

    Google Scholar 

  27. Peace, A.G., Galletta, D.F., Thong, J.Y.L.: Software piracy in the workplace: a model and empirical test. J. Manage. Inf. Syst. 20(1), 153–177 (2003)

    Google Scholar 

  28. Pee, L.G., Woon, I.M.Y., Kankanhalli, A.: Explaining non-work-related computing in the workplace: a comparison of alternative models. Inf. Manage. 45, 120–130 (2008)

    Article  Google Scholar 

  29. Pfleeger, S.L., Stolfo, S.J.: Addressing the insider threat. IEEE Comput. Reliab. Soc. 7(6), 10–13 (2009)

    Google Scholar 

  30. Pfleeger, S.L., Predd, J.B., Hunker, J., Bulford, C.: Insiders behaving badly: addressing bad actors and their actions. IEEE Trans. Inf. Forensics Secur. 5(1), 169–179 (2010)

    Article  Google Scholar 

  31. Predd, J.B., Pfleeger, S.L., Hunker, J., Bulford, C.: Insiders behaving badly. IEEE Secur. Priv. 6, 66–70 (2008)

    Article  Google Scholar 

  32. Reason, J., Parker, D., Lawton R.: Organizational controls and safety: the varieties of rule-related behaviour. J. Occup. Organ. Psychol. 71, 289–304 (1998)

    Article  Google Scholar 

  33. Riketta, M.: Attitudinal organizational commitment and job performance: a meta-analysis. J. Organ. Behav. 23, 257–266 (2002)

    Article  Google Scholar 

  34. Strathman, A., Gleicher, F., Boninger, D.S., Edwards, C.S.: The consideration of future consequences: weighing immediate and distant outcomes of behavior. J. Personal. Soc. Psychol. 66(4), 742–752 (1994)

    Article  Google Scholar 

  35. Straub, D.: Effective IS security: an empirical study. Inf. Syst. Res. 1(3), 255–276 (1990)

    Article  Google Scholar 

  36. Takemura, T.: A quantitative study on Japanese workers’ awareness to information security using the data collected by web-based survey. Am. J. Econ. Bus. Adm. 2(1), 20–26 (2010)

    Google Scholar 

  37. Takemura, T.: Empirical analysis of behavior on information security. In: The Proceeding of 2011 IEEE International Conferences on Internet of Things, and Cyber, Physical and Social Computing, Dalian, pp. 358–363 (2011)

    Google Scholar 

  38. Theoharidou, M., Kokolakis, S., Karyda, M., Kiountouzis, E.: The insider threat to information systems and the effectiveness of ISO17799. Comput. Secur. 24, 472–484 (2005)

    Article  Google Scholar 

  39. Thomson, M.E., Solms R.: Information security awreness: educating your users effectively. Inf. Manage. Comput. Secur. 6(4), 167–173 (1998)

    Article  Google Scholar 

  40. Tsukahara, Y.: Human motivating behavior and employee’s behavior. In: Chida, R., Tsukahara, Y., Yamamoto, M. (eds.) Behavioral Eonomics: Theory and Practice, pp. 50–71. Keiso-shobo, Tokyo (2010)

    Google Scholar 

  41. Wells, J.T.: Principles of Fraud Examination, 3rd edn. Wiley, Hoboken (2010)

    Google Scholar 

  42. Woon, I.M.Y., Pee, L.G.: Behavioral factors affecting internet abuse in the workplace: an empirical investigation. In: Proceedings of the Third Annual Workshop on HCI Research in MIS, Washington, DC, pp. 80–84 (2004)

    Google Scholar 

  43. Workman, M., Gathegi, J.: Punishment and ethics deterrents: a study of insider security contravention. J. Am. Soc. Inf. Sci. Technol. 58(2), 212–222 (2007)

    Article  Google Scholar 

  44. Zhang, J., Reithel, B.J., Li, H.: Impact of perceived technical protection on security behaviors. Inf. Manage. Comput. Secur. 17(4), 330–340 (2009)

    Article  Google Scholar 

Download references

Acknowledgements

This work is supported in part by a Grant-in-Aid from the Zengin Foundation for Studies on Economics and Finance and by the Japan Society for the Promotion of Science: Grant-in-Aid for Young Scientists (B) (22730241).This chapter incorporates some valuable comments by anonymous reviewers for WEIS 2012. All remaining errors are our own.

Author information

Authors and Affiliations

  1. The Research Institute for Socionetwork Strategies, Kansai University, 3-3-35, Yamate-cho, Suita, Osaka, Japan

    Toshihiko Takemura

  2. Security Economics Laboratory, IT Security Center, Information-Technology Promotion Agency, 2-28-8 Hon-Komagome, Bunkyo-ku, Tokyo, Japan

    Ayako Komatsu

Authors
  1. Toshihiko Takemura
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ayako Komatsu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Toshihiko Takemura .

Editor information

Editors and Affiliations

  1. Westfälische Wilhelms-Universität Münster, Münster, Germany

    Rainer Böhme

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Takemura, T., Komatsu, A. (2013). An Empirical Study on Information Security Behaviors and Awareness. In: Böhme, R. (eds) The Economics of Information Security and Privacy. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39498-0_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-39498-0_5

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39497-3

  • Online ISBN: 978-3-642-39498-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation