Abstract
Bring Your Own Device (BYOD) adoption in organizations has continued to grow in recent years, with the aim of improving organizational cost savings, employee job satisfaction, and employee productivity. A BYOD environment has its own unique set of organizational security opportunities and challenges. As a result, BYOD program deployment requires organizations to develop and roll out new information security measures and policies unique to this environment. Successful adoption of BYOD thus requires an effective BYOD information security program deployment. Our study seeks to develop a theoretical foundation for explaining and predicting the effectiveness of a BYOD program deployment. Specifically, we evaluate the applicability of Knapp and Ferrante’s Information Security Policy and Effectiveness (ISPE) model to explain and predict BYOD program deployment effectiveness. The relationships between the fundamental causal factors in the model (awareness, enforcement, and maintenance) and program effectiveness were evaluated using a sample of 119 BYOD users working in the financial sector in the United States. Our study supports the use of the ISPE model to assess the effectiveness of a BYOD information security program deployment. Security policy awareness, enforcement, and maintenance together account for 72% of the change in the BYOD security program effectiveness.
References
Albinus P. Industry continues support of BYOD initiatives. In: Fierce Finance IT. Retrieved from ProQuest Database. (Order NO. 1466199562). 2013.
Al-Omari A, El-Gayar O, Deokar A. Information security policy compliance: the role of information security awareness. In: Proceedings of the 18th Americas conference on information systems. 2012.
Amitai O. The security perimeter is dead; Long live the new endpoint perimeter. 2019. https://www.darkreading.com/vulnerabilities-threats/the-security-perimeter-is-dead-long-live-the-newendpoint-perimeter/a/d-id/1333650. Accessed 4 Sep 2021.
Astani M, Ready K, Tessema M. BYOD Issues and strategies in organizations. Issues Inf Syst. 2013;14:2.
Bauer S, Bernroider EWN. From information security awareness to reasoned compliant action: analyzing information security policy compliance in a large banking organization. ACM SIGMIS Database. 2017;48:3.
Bauer S, Bernroider EWN, Chudzikowski K. End user information security awareness programs for improving information security in banking organizations: preliminary results from an exploratory study. In: Paper presented at the AIS SIGSEC Workshop on Information Security & Privacy (WISP 2013), Milano. 2013.
Bless E, Alanson M, Noble C. Consumerization: what is in store for IT? 2010. http://i.dell.com/sites/content/business/solutions/whitepapers/it/Documents/intel-imr-consumerization-wp_it.pdf.
Bulgurcu B, Cavusoglu H, Benbasat I. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 2010;34(3):523–48.
Bullock L. The future of BYOD: statistics, predictions and best practices to prep for the future. 2019. https://www.forbes.com/sites/lilachbullock/2019/01/21/the-future-of-byodstatistics-predictions-and-best-practices-to-prep-for-the-future/#1c6a1fa91f30. Accessed 4 Sep 2021.
Chatterjee S, Sarker S, Valacich JS. The behavioral roots of information systems security: exploring key factors related to unethical IT use. J Manag Inf Syst. 2015;31(4):49–87. https://doi.org/10.1080/07421222.2014.1001257.
Chen H, Li W. Mobile device users’ privacy security assurance behavior: a technology threat avoidance perspective. Inf Comput Secur. 2017;25:330–44.
Chen Y, Ramamurthy K, Wen K. Impacts of comprehensive information security programs on information security culture. J Comput Inf Syst. 2015;55(3):11–9. https://doi.org/10.1080/08874417.2015.11645767.
Chu AMY, Chau PYK. Development and validation of instruments of information security deviant behavior. Dec Support Syst. 2014;66:93–101. https://doi.org/10.1016/j.dss.2014.06.008.
Clark V, Ivankova N. How do personal contexts shape mixed methods? Considering philosophical, theoretical, and experiential foundations for mixed methods research. In: Clark V, Ivankova N, editors, Mixed methods research: a guide to the field (pp. 191–216). 2016. https://doi.org/10.4135/9781483398341.
Cohen J. A power primer. Psychol Bull. 1992;112(1):155. https://doi.org/10.1037/0033-2909.112.1.155.
Creswell JW. Research design: qualitative, quantitative, and mixed methods approaches. 3rd ed. Thousand Oaks: Sage; 2014. p. 3–224.
Dahbur K, Bashabsheh Z, Bashabsheh D. Assessment of security awareness: a qualitative and quantitative study. Int Manage Rev. 2017;13(1):37–58. http://www.imrjournal.org/.
D’Arcy J, Hovav A, Galletta DF. User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf Syst Res. 2009;20(1):79–98.
David J. Policy enforcement in the workplace. Comput Secur. 2002;21(6):506–13.
Dietz L. Avoiding BYO policy and security pitfalls. Five practical case studies to help you recognize and address potential threats from using personal devices at work. Citrix. 2017. https://www.citrix.com/content/dam/citrix/en_us/documents/products-solutions/avoiding-byo-policy-and-security-pitfalls.pdf.
Dinev T, Hu Q. The centrality of awareness in the formulation of user behavioral intention toward protective information technologies. J Assoc Inf Syst. 2007;8(7):386–408.
Disterer G, Kleiner C. BYOD bring your own device. Procedia Technol. 2013;9:43–53. https://doi.org/10.1016/j.protcy.2013.12.005.
DMS. 3 big risks of BYOD. 2021. https://dmstechnology.com/3-big-risks-of-byod/. Accessed 4 Sep 2021.
Doargajudhur MS, Dell P. Impact of BYOD on organizational commitment: an empirical investigation. Inf Technol People. 2019;32(2):246–68. https://doi.org/10.1108/ITP-11-2017-0378.
Doherty NF, Tajuddin ST. Towards a user-centric theory of value-driven information security compliance. Inf Technol People. 2018;31(2):348–67.
Dolata U. Apple, Amazon, Google, Facebook, Microsoft: market concentration-competition-innovation strategies (Report No. 2017-01). In: Retrieved from Stuttgarter Beiträge zur Organisations-und Innovationsforschung, SOI website: http://hdl.handle.net/10419/152249. 2017.
Drury A, Absalom R. BYOD: an emerging market trend in more ways than one. 2013. https://www.logicalis.com/globalassets/group/pdf-files/logicalisbyodwhitepaperovum.pdf.
Earls A. BYOD: Policies and consequences. SC Mag. 2016;27(5):32–6.
Economy P. The (millennial) workplace of the future is almost here—these 3 things are about to change big time. 2019. https://www.inc.com/peter-economy/the-millennial-workplace-of-future-is-almost-here-these-3-things-are-about-to-change-big-time.html. Accessed 4 Sep 2021.
Faul F, Erdfelder E, Lang AG, Buchner A. G*Power 3: A flexible statistical power analysis program for the social, behavioral, and biomedical sciences. Behav Res Methods. 2007;39:175–91.
Field A. Discovering statistics using SPSS statistics. 5th ed. Thousand Oaks: Sage; 2018. p. 334–368.
Gibbs JP. Crime, punishment, and deterrence. New York: Elsevier; 1975.
Grant RL. Exploring effects of organizational culture upon implementation of information security awareness and training programs within the defense industry located in the Tennessee valley region (Doctoral dissertation). In: Retrieved from ProQuest Dissertations and Theses database. (Order No. 10646759). 2017.
Harris KD, General A, Lookout A. Cybersecurity in the golden state. In: Privacy Enforcement and Protection Unit, California Department of Justice, 2014. 2014. http://napi.net-flow.com/sananselmochamber.org/documents.
2021. /CybersecurityReport.pdf.
Hu Q, Xu Z, Dinev T, Ling H. Does deterrence work in reducing information security policy abuse by employees? Commun ACM. 2011;54(6):54–60. https://doi.org/10.1145/1953122.1953142.
Johnston AC, Warkentin M, McBride M, Carter L. Dispositional and situational factors: Influences on information security policy violations. Eur J Inf Syst. 2016;25(3):231–51. https://doi.org/10.1057/ejis.2015.15.
Kaspersky Lab. The threats from within: how educating your employees on cybersecurity can protect your company. In: Global IT Risks Security Survey 2015. 2015. http://resources.idgenterprise.com/original/AST-0163231_Threats-From-Within-EDU-Ebook_FINAL.pdf.
Klein AG, Gerhard C, Büchner RD, Diestel S, Schermelleh-Engel K. The detection of heteroscedasticity in regression models for psychological data. Psychol Test Assess Model. 2016;58(4):567–92.
Knapp KJ, Ferrante CJ. Policy awareness, enforcement, and maintenance: critical to information security effectiveness in organizations. J Manag Policy Pract 2012;13(5):66–80. Retrieved from http://www.nabusinesspress.com/JMPP/KnappKJ_Web13_5_.pdf.
Knapp KJ, Morris RF, Marshall TE, Byrd TA. Information security policy: an organizational-level process model. Comput Secur. 2009;28(2009):493–508.
Kumar R, Singh H. A proactive procedure to mitigate the BYOD risks on the security of an information system. ACM SIGSOFT Softw Eng Notes. 2015;40(1):1–4. https://doi.org/10.1145/2693208.2693231.
Loucks J, Medcalf R, Buckalew L, Faria F. The financial impact of BYOD: a model of BYOD’s benefits to global companies. 2013. https://www.cisco.com/c/dam/global/ru_ua/assets/pdf/byod-economics_econ_analysis.pdf.
Louisnord NVE. BYOD is now standard practice, implementing it requires safe strategies. 2017. https://channels.theinnovationenterprise.com/articles/byod-is-now-standard-practiceimplementing-it-requires-safe-strategies. Accessed 16 Jun 2020.
Magruder JS, Lewis SX, Burks EJ, Smolinski C. Bring your own device (BYOD): who is running organizations? J Account Finance 2015;15(1):55–61. http://www.na-businesspress.com/JAF/BurksEJ_Web15_1_.pdf.
Mamonov S, Benbunan-Fich R. The impact of information security threat awareness on privacy-protective behaviors. Inf Manag Business Anal. 2018;83:32–44.
May 2017 National Occupational Employment and Wage Estimates. 2018. https://www.bls.gov/oes/current/oes_nat.htm#15-0000.
Misenheimer KJ. Training users to be aware of computer and information security on college and university campuses. J Inf Syst Technol Plan. 2016;8(19):61–75.
Moody GD, Siponen M, Pahnila S. Toward a unified model of information security policy compliance. MIS Q. 2018;42(1):285–311. https://doi.org/10.25300/MISQ/2018/13853.
Padayachee K. An assessment of opportunity-reducing techniques in information security: an insider threat perspective. J Dec Support Syst. 2016;92:47–56. https://doi.org/10.1016/j.dss.2016.09.012.
Pérez-González D, Sara TP, Solana-Gonzalez P. Organizational practices as antecedents of the information security management performance: an empirical investigation. Inf Technol People. 2019;32(5):1262–75. https://doi.org/10.1108/ITP-06-2018-0261.
Safa NS, Maple C, Watson T, Von Solms R. Motivation and opportunity-based model to reduce information security insider threats in organisations. J Inf Secur Appl. 2018;40:247–57. https://doi.org/10.1016/j.jisa.2017.11.001.
Schober P, Boer C, Schwarte LA. Correlation coefficients: Appropriate use and interpretation. Anesth Analg. 2018;126(5):1763–8. https://doi.org/10.1213/ANE.0000000000002864.
Schuessler J. General deterrence theory: Assessing information systems security effectiveness in large versus small businesses. Ph.D. dissertation, University of North Texas, United States. (Publication No. AAT 3377466). 2009.
Security R. Pros & cons of bring your own device (BYOD). 2019. https://blog.rsisecurity.com/pros-cons-of-bring-your-own-device-byod/.
Simon MK, Goes J. Assumption, limitations, delimitations, and scope of the study. 2013. http://www.dissertationrecipes.com.
Siponen M. A conceptual foundation for organizational information security awareness. Inf Manag Comput Secur. 2000;8(1):31–41.
Siponen M, Mahmood MA, Pahnila S. Employees’ adherence to information security policies: an exploratory field study. Inf Manage. 2014;51(2):217–24. https://doi.org/10.1016/j.im.2013.08.006.
Siponen M, Vance A. Neutralization: new insights into the problem of employee information systems security policy violations. MIS Quart. 2010;34:2.
Soomro ZA, Shah MH, Ahmed J. Information security management needs more holistic approach: a literature review. Int J Inf Manage. 2016;36(2):215–25.
Spears JL, Barki H. User participation in information systems security risk management. MIS Quart. 2010;34(3):503–22.
SPSS. IBM SPSS Statistics. 2020. https://www.ibm.com/products/spss-statistics.
Straub DW, Welke RJ. Coping with system risk: Security planning models for management decision making. MIS Quart. 1990;22(4):45–60.
SurveyMonkey. SurveyMonkey Inc. 2019. www.surveymonkey.com, San Mateo, CA: SurveyMonkey Inc.
Tavakol M, Dennick R. Making sense of Cronbach’s alpha. Int J Med Educ. 2011;2:53–5. https://doi.org/10.5116/ijme.4dfb.8dfd.
Tech Pro Research. BYOD booming with 74% using or planning to use. 2014. https://www.techrepublic.com/article/research-byod-booming-with-74-using-or-planning-to-use/#:~:text=Tech%20Pro%20Research%20conducted%20a,what%20part%20they%20are%20playing.
Theoharidou M, Kokolakis S, Karyda M, Kiountouzis E. The insider threat to information systems and the effectiveness of ISO17799. J Comput Secur. 2005;24(6):472–84. https://doi.org/10.1016/j.cose.2005.05.002.
Turek M. Employees say smartphones boost productivity by 34 percent: Frost & Sullivan research. 2016. https://insights.samsung.com/2016/08/03/employees-say-smartphones-boost-productivity-by-34-percent-frost-sullivan-research/.
Uppuluri P, Pittges J, Chase J. Scare and prepare: Increasing awareness, safety, and passion for cyber-security. In: Proceedings of the 45th ACM technical symposium on computer science education, pp 720–720. 2014. https://doi.org/10.1145/2538862.2544294.
Varbanov R. Applications of the BYOD conception: benefits, risks, and approaches. Business Manag Biznes Upravlenie 2014;24(2):80–99. http://hdl.handle.net/10610/1498.
Waterfill MR, Dilworth CA. BYOD: Where the employee and the enterprise intersect. Employee Relat Law J 2014;40(2), 26–36. https://www.jdsupra.com/legalnews/expanded-byod-where-the-employee-and-34259/.
Xu Z, Hu Q. The role of rational calculus in controlling individual propensity toward information security policy non-compliance behavior. In: Proceedings of the 51st Hawaii international conference on system sciences. https://aisel.aisnet.org/cgi/viewcontent.cgi?article=1482&context=hicss-51. 2018.
Zahadat N. Mobile security: A systems engineering framework for implementing bring your own device (BYOD) security through the combination of policy management and technology. (Doctoral dissertation). Retrieved from ProQuest Dissertations and Theses database. (Order No. 10024089). 2016.
Zahadat N, Blessner P, Blackburn T, Olson BA. BYOD security engineering: a framework and its analysis. J Comput Secur. 2015;55:81–99. https://doi.org/10.1016/j.cose.2015.06.011.
Ethics declarations
Conflict of Interest
On behalf of all authors, the corresponding author states that there is no conflict of interest.
Additional information
An earlier version of this paper was published in the Proceedings 8th International Conference on Information Systems Security and Privacy (ICISSP 2021).
This article is part of the topical collection “Information Systems Security and Privacy” guest edited by Steven Furnell and Paolo Mori.
Appendices
Appendix A
Survey Instrument
Items used a 5-point Likert scale: 1 = strongly disagree, 5 = strongly agree (Knapp, Marshall, Rainer, & Ford, 2005). Each item begins with the phrase, “In the organization”.
Information Security Program Effectiveness
E1 The information security program achieves most of its goals.
E2 The information security program accomplishes its most important objectives.
E3 Generally speaking, information is sufficiently protected.
E4 Overall, the information security program is effective.
E5 The information security program has kept risks to a minimum.
Policy Awareness
PA1 Employees clearly understand the ramifications of violating security policies.
PA2 Necessary efforts are made to educate employees about new security policies.
PA3 Information security awareness is communicated well.
PA4 An effective security awareness program exists.
PA5 A continuous, ongoing security awareness program exists.
Policy Enforcement
PE1 Employees caught violating important security policies are appropriately corrected.
PE2 Information security rules are enforced by sanctioning the employees who break them.
PE3 Repeat security offenders are appropriately disciplined.
PE4 Termination is a consideration for employees who repeatedly break security rules.
Policy Maintenance
PM1 Information security policy is consistently updated on a periodic basis.
PM2 Information security policy is updated when technology changes require it.
PM3 An established information security policy review and update process exists.
PM4 Security policy is properly updated on a regular basis.
About this article
Cite this article
Akande, A.O., Tran, V.N. A Theoretical Foundation for Explaining and Predicting the Effectiveness of a Bring Your Own Device Program in Organizations. SN COMPUT. SCI. 3, 370 (2022). https://doi.org/10.1007/s42979-022-01272-0
DOI: https://doi.org/10.1007/s42979-022-01272-0