Elsevier

Computers & Security

Volume 26, Issue 4, June 2007, Pages 276-289

A qualitative study of users' view on information security

https://doi.org/10.1016/j.cose.2006.11.004

Abstract

Users play an important role in the information security performance of organisations through their security awareness and cautious behaviour. Interviews of users at an IT-company and a bank were qualitatively analysed in order to explore users' experience of information security and their personal role in the information security work. The main patterns of the study were: (1) users state that they are motivated for information security work, but do not perform many individual security actions; (2) a high information security workload creates a conflict of interest between functionality and information security; and (3) documented requirements of expected information security behaviour and general awareness campaigns have, on their own, little effect on user behaviour and awareness. The users consider a user-involving approach to be much more effective for influencing user awareness and behaviour.

Introduction

The information security role of users is an important part of a holistic approach to information security management. Dhillon and Backhouse (2000) have argued that the role, responsibility and integrity of users are important principles of information security management in new forms of organisations, which can be characterized by blurred organisational and geographical borders; use of mobile equipment; and information and knowledge being the organisation's most important resources. Users should play an active part in the information security work by preventing unwanted incidents; protecting an organisation's material and immaterial assets; and reacting to incidents. Users can contribute with several security actions in their daily work, e.g. locking the computer when absent from it; password etiquette; cautious use of e-mail and the Internet; avoiding the use of unlicensed software; cautious use of organisational assets when working outside the organisation; and reporting information security breaches. A user can be characterized as a person with legitimate access to the organisation's information systems. This study concentrates on users with no management responsibility and a low degree of information security awareness and knowledge about information systems.

This paper aims at providing knowledge of users' experience of information security and their individual security role in daily work. This purpose is approached by qualitative interviews of users at a Norwegian bank and a Norwegian IT-company. The following research questions are discussed in the paper:

  • How do users experience their own information security role and the administrative information security measures in their work processes?

  • Why do users experience the information security work the way they state?

  • Are there arguments in the users' views on information security that imply alternative approaches to information security management at the studied companies?

Editorials of this journal have called for more papers on the human factor in information security (Schultz, 2004; Schultz, 2005). Current human-related information security research has been categorized into four main directions by Stanton et al. (2005): (1) user interfaces of security-related systems; (2) information security management concerns for risk, business processes and finance; (3) organisational issues related to information security behaviour; and (4) counterproductive computer usage. This paper positions itself in the third direction by studying users' understandings of organisational issues related to individual information security behaviour, as the study is mainly about administrative aspects and does not discuss users' views on technological security measures.

A user's view on information security is created by several interlocking organisational, technological and individual factors. The context of a user's work may, for example, create information security trade-offs. Furthermore, social norms and interactions at the workplace influence individual understanding of information security. The quality of information security management also affects users' awareness, motivation and behaviour in some way. Technological information security solutions influence users by framing what it is possible for users to do in information systems, and by functioning as a foolproof security mechanism for whatever actions users may take. Individual factors such as motivation, knowledge, attitudes, values and behaviour also influence individual views on information security. How people perceive risk is also part of the explanation for users' view on information security. The paper mainly explains users' experiences of information security by organisational factors. It is, however, impossible to neglect individual and technological factors in this exploration, due to the interwoven relations between organisation, technology and individuals.


Users' role in information security

The information security function of each user is an important part of information security. Users are often the weakest link in the information security chain (Schneier, 2000), as users might be the single or the least reliable barrier preventing unwanted incidents. Hence, users should contribute with information security actions such as cautious use of e-mail and password etiquette. Loss prevention behaviour is created by a combination of several factors (Aarø and Rise, 1996): personal

The study

The research questions were approached by analysing qualitative data from two interview studies of users in a service centre at a Norwegian IT-company and in a department of customer counselling at a Norwegian bank. The two cases were chosen because the researcher had cooperated with security professionals at the companies on past occasions, so the security professionals functioned as gatekeepers for the interviews. Both cases were interesting to study as they are organisations where

Results

This section presents the major patterns in the data material. Three main findings are presented: users' view on their information security role and responsibility; users' perception of functionality issues related to information security; and users' evaluation of behavioural effects of information security measures. First, an interpretation of the informants' information security awareness is presented. This presentation of awareness among the informants is valuable in order to understand the

Discussion

In Section 4, three main patterns of results are mapped: users do not perform many information security actions; users prioritise other work tasks ahead of information security; and users experience current tools for influencing individuals as ineffective for that purpose. The interviews indicate that a main problem regarding users' role in the information security work is their lack of motivation and knowledge regarding information security and related work. This poor quality of users'

Conclusion

The results of this qualitative study of users and information security should not be seen as generalized facts. Rather, the results are interpretations of some users' experiences of information security in their daily work. It should thus be considered whether the findings are transferable to certain organisations by comparing them to the context of this study. The results of this study are created by qualitative interviews of users in a service centre at an IT-company and in a consultancy

Acknowledgements

The author thanks Prof. Jan Hovden at the Norwegian University of Science and Technology for valuable input and discussions. The author also thanks the interviewed users and the security officers at the studied companies for sharing their experiences on information security. Eirik Albrechtsen's PhD project is financed by Vesta insurance company.

Eirik Albrechtsen is a PhD student at the Department of Industrial Economics and Technology Management at the Norwegian University of Science and Technology. He obtained his Master of Science degree at the same Department in 2002. His current research interests include human and organisational aspects of information security and information security management strategies.

References (43)

  • P.S. Adler et al. The usability challenge.

  • E. Albrechtsen et al. Gammeldags tenkning i moderne organisasjoner? Om IKT-sikkerhet i kunnskapsorganisasjoner. In Norwegian [Old-fashioned thinking in modern organisations? On ICT security in knowledge organisations].

  • C. Argyris et al. Organizational learning II (1996).

  • U. Beck. Risk society: towards a new modernity (1992).

  • H. Braverman. Labor and Monopoly Capital (1974).

  • N. Brunsson. The organization of hypocrisy: talk, decisions and actions in organizations (2002).

  • G. Dhillon et al. Information system security management in the new millennium. Communications of the ACM (2000).

  • G. Dhillon et al. Current directions in IS security research: towards socio-organizational perspectives. Information Systems Journal (2001).

  • M. Douglas et al. Risk and culture: an essay on the selection of technological and environmental dangers (1982).

  • P. Ehn. Scandinavian design: on participation and skill.

  • B. Fischoff et al. How safe is safe enough?
