Elsevier

Computers & Security

Volume 32, February 2013, Pages 90-101

Future directions for behavioral information security research

https://doi.org/10.1016/j.cose.2012.09.010

Abstract

Information Security (InfoSec) research is far reaching and includes many approaches to deal with protecting and mitigating threats to the information assets and technical resources available within computer-based systems. Although a predominant weakness in properly securing information assets is the individual user within an organization, much of the focus of extant security research is on technical issues. The purpose of this paper is to highlight future directions for Behavioral InfoSec research, which is a newer, growing area of research. The ensuing paper presents information about challenges currently faced and future directions that Behavioral InfoSec researchers should explore. These areas include separating insider deviant behavior from insider misbehavior, approaches to understanding hackers, improving information security compliance, cross-cultural Behavioral InfoSec research, and data collection and measurement issues in Behavioral InfoSec research.

Introduction

Information Security (InfoSec) research is far reaching and includes technical, behavioral, managerial, philosophical, and organizational approaches that address the protection and mitigation of threats to information assets (Zafar and Clark, 2009). Though some of the Information Systems research in the InfoSec field has considered socio-philosophical concerns or socio-organizational concerns, it has primarily focused on technical issues concerning the design and implementation of security subsystems (Choo, 2011; Zafar and Clark, 2009), such as advanced technical approaches to prevent intrusion into organizational systems (Hansen et al., 2007), detection of denial of service attacks (Zhi-jun et al., 2012), and more advanced solutions for firewall protection (Ayuso et al., 2012). Although these technical, externally focused efforts are important, one area that is a predominant weakness in properly securing information assets is the individual user within an organization (Leach, 2003; Posey et al., 2011b; Sasse et al., 2001; Stanton et al., 2005; Vroom and von Solms, 2004; Warkentin and Willison, 2009). This is a particularly important problem because researchers estimate that nearly half of intrusions and security violations occur from within an organization by organizational insiders (Baker et al., 2010; Richardson, 2011). Until recently, research exploring the operational aspect of information security has been lacking.

Behavioral InfoSec research is a subfield of the broader InfoSec field that focuses on the behaviors of individuals which relate to protecting information and information systems assets (Fagnot, 2008; Stanton et al., 2006), which includes computer hardware, networking infrastructure, and organizational information. Recently, a number of studies have been published about the behaviors of individuals in protecting these assets. These studies include those that provide insight into insider abuse of information systems (Siponen and Willison, 2009; Willison, 2006; Willison and Backhouse, 2006), as well as applying General Deterrence Theory (GDT) to understand human behavior as it relates to computer crime and intentional abuse (Straub and Nance, 1990; Straub and Welke, 1998). Further studies have adapted Protection Motivation Theory (PMT) to understand the behaviors of individuals when it comes to the performance of a number of security measures, such as the use of anti-malware software (Johnston and Warkentin, 2010; Lee and Larsen, 2009; Liang and Xue, 2010), compliance with security policies (Herath and Rao, 2009b; Ifinedo, 2012), backing up data (Crossler, 2010), properly securing home wireless networks (Woon et al., 2005), and adoption of anti-plagiarism software (Lee, 2011). Beyond PMT, other empirical studies exist that investigate behavioral factors that affect such areas as security policy compliance (Bulgurcu et al., 2010; Herath and Rao, 2009a; Hu et al., 2011a, Hu et al., 2012; Siponen and Vance, 2010; Warkentin et al., 2011a), information systems misuse (D'Arcy and Hovav, 2007; D'Arcy et al., 2009; Posey et al., 2011b), and computer abuse (Lee et al., 2004; Posey et al., 2011a).

Even with the number of Behavioral InfoSec research studies being published, significant challenges still remain that must be overcome as this research stream moves forward. The ensuing paper identifies these challenges and presents approaches that could be utilized to address them. Resulting from this analysis are future directions that Behavioral InfoSec researchers should explore.


Identifying future behavioral information security research directions

In this section, we present the methodology utilized to identify the future directions of Behavioral InfoSec research. The process leveraged input from the International Federation for Information Processing (IFIP) Working Group 8.11/11.13 on Information Systems Security Research via contributions from participants of the Dewald Roode Information Security Workshop, which is prominent in promoting this area of research, as well as other scholars that are members of the IFIP Working Group. Five

Future behavioral information security research directions

In this section, we propose and discuss several areas of interesting future Behavioral InfoSec research resulting from the IFIP Working Group's members' discussions and analyses as well as methodological challenges that need to be faced. The research areas include the following categories:

  • Separating insider deviant behavior from insider misbehavior

  • Unmasking the mystery of the hacker world

  • Improving information security compliance

  • Cross-cultural InfoSec research.

The methodological challenges

Discussion and conclusion

Behavioral InfoSec presents a number of opportunities to explore issues at the intersection of people, technology, and organizations. The dynamic nature of a field coupled with technology in the midst of contrary human forces leads to a challenging and ever-changing target (Dlamini et al., 2009). In this paper, we have presented a number of issues that future Behavioral InfoSec researchers can tackle as they investigate these challenges. As these research issues are addressed, the InfoSec


References (106)

  • M.D. Myers et al. The qualitative interview in IS research: examining the craft. Information and Organization (2007)

  • A. Nicholson et al. SCADA security in the light of cyber-warfare. Computers & Security (2012)

  • C. Posey et al. Understanding the mindset of the abusive insider: an examination of insiders' causal reasoning following internal security changes. Computers & Security (2011)

  • M.K. Rogers et al. Self-reported computer criminal behavior: a psychological analysis. Digital Investigation (2006)

  • M. Siponen et al. Information security management standards: problems and solutions. Information & Management (2009)

  • J.M. Stanton et al. Analysis of end user security behaviors. Computers & Security (2005)

  • M. Theoharidou et al. The insider threat to information systems and the effectiveness of ISO17799. Computers & Security (2005)

  • C. Vroom et al. Towards information security behavioural compliance. Computers & Security (2004)

  • R. Willison. Understanding the perpetration of employee computer crime in the organisational context. Information and Organization (2006)

  • A. Acquisti et al. Privacy attitudes and privacy behavior. Economics of Information Security (2004)

  • I. Ajzen. Attitudes, personality and behavior (2005)

  • B. Anderson et al. Neural correlates of gender differences in distinguishing malware warnings and legitimate websites: a NeuroIS study (2012)

  • C.L. Anderson et al. Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Quarterly (2010)

  • W. Baker et al. Verizon 2010 data breach investigations report (2010)

  • A.M. Bossler et al. The general theory of crime and computer hacking: low self-control hackers?

  • B. Bulgurcu et al. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly (2010)

  • L.E. Cohen et al. Social change and crime rate trends: a routine activity approach. American Sociological Review (1979)

  • R.E. Crossler. Protection motivation theory: understanding determinants to backing up personal data (2010)

  • J. D'Arcy et al. User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Information Systems Research (2009)

  • J. D'Arcy et al. A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings. European Journal of Information Systems (2011)

  • J. D'Arcy et al. Deterring internal information systems misuse. Communications of the ACM (2007)

  • A. Dimoka. What does the brain tell us about trust and distrust? Evidence from a functional neuroimaging study. MIS Quarterly (2010)

  • A. Dimoka. How to conduct a functional magnetic resonance (fMRI) study in social science research. MIS Quarterly (2012)

  • A. Dimoka et al. On the use of neurophysiological tools in information systems research: developing a research agenda for NeuroIS. MIS Quarterly (2012)

  • M. Douglas. Risk and blame: essays in cultural theory (1992)

  • K.M. Eisenhardt et al. Theory building from cases: opportunities and challenges. The Academy of Management Journal Archive (2007)

  • I.J. Fagnot. Behavioral information security

  • B.G. Glaser et al. The discovery of grounded theory: strategies of qualitative research (1967)

  • K.H. Guo et al. Understanding nonmalicious security violations in the workplace: a composite behavior model. Journal of Management Information Systems (2011)

  • D. Halbert. Discourses of danger and the computer hacker. The Information Society (1997)

  • T. Herath et al. Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems (2009)

  • S.M. Ho et al. Lie to me: gender deception and detection in computer-mediated communications (2012)

  • G. Hofstede. Culture's consequences: comparing values, behaviors, institutions, and organizations across nations (2001)

  • R.C. Hollinger. Hackers: computer heroes or electronic highwaymen? ACM SIGCAS Computers and Society (1991)

  • Q. Hu et al. Managing employee compliance with information security policies: the role of top management and organizational culture. Decision Sciences (2012)

  • Q. Hu et al. Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM (2011)

  • Q. Hu et al. How can you tell a hacker from a geek? Ask whether he spends more time on computer games than sports! (2011)

  • M.L. Jensen et al. Technology dominance in complex decision making: the case of aided credibility assessment. Journal of Management Information Systems (2010)

  • M.L. Jensen et al. Effects of automated and participative decision support in computer-aided credibility assessment. Journal of Management Information Systems (2011)

  • A.C. Johnston et al. Fear appeals and information security behaviors: an empirical study. MIS Quarterly (2010)

Dr. Robert E. Crossler is an Assistant Professor in the Management and Information Systems department at Mississippi State University. He received his Ph.D. in Information Systems from Virginia Tech. His research focuses on the factors that affect the security and privacy decisions that individuals make. He has several publications in the IS field, including such outlets as MIS Quarterly, Decision Support Systems, Journal of Information Systems Security, Americas Conference on Information Systems, The Annual Conference of the Decision Sciences Institute, and Hawaii International Conference on System Sciences.

Dr. Allen C. Johnston is an Assistant Professor in the School of Business at the University of Alabama at Birmingham. He received his Ph.D. in Information Systems from Mississippi State University. His works can be found in such outlets as MIS Quarterly, European Journal of Information Systems, Communications of the ACM, and DATA BASE for Advances in Information Systems. The primary focus of his research has been in the area of information assurance and computer security, with a specific concentration on the behavioral aspects of information security and privacy.

Dr. Paul Benjamin Lowry is an Associate Professor of Information Systems at the Department of Information Systems of the City University of Hong Kong. He received his Ph.D. in Management Information Systems from the University of Arizona. His works have been published in such outlets as MIS Quarterly; Journal of Management Information Systems; Journal of the Association for Information Systems; Information Systems Journal; European Journal of Information Systems; and others. Dr. Lowry's research interests include behavioral security issues, HCI, E-commerce and supply chains, and Scientometrics.

Dr. Qing Hu is the Chair and Union Pacific Professor in Information Systems in the Department of Supply Chain and Information Systems at Iowa State University. He received his Ph.D. in Computer Information Systems from the University of Miami, Florida. His work has appeared in some of the top journals in the information systems discipline such as MIS Quarterly, Information Systems Research, Journal of Management Information Systems, Journal of the Association for Information Systems, California Management Review, and Communications of the ACM. His research interests include strategic IT management, IT value, information security, and cross culture issues in information technology.

Dr. Merrill Warkentin is a Professor of MIS and the John and Carole Ferguson Notable Scholar in the College of Business at Mississippi State University. He earned his Ph.D. from the University of Nebraska-Lincoln. His research has appeared in such journals as MIS Quarterly, Decision Sciences, European Journal of Information Systems, Decision Support Systems, Communications of the ACM, and Information Systems Journal. He is the AIS Departmental Editor for IS Security & Privacy, and the next chair of the IFIP Working Group on Information Systems Security Research. His primary research focus is in behavioral IS security issues.

Dr. Richard Baskerville is Board of Advisors Professor in the Department of Computer Information Systems, J. Mack Robinson College of Business at Georgia State University. His research specializes in security of information systems, methods of information systems design and development, and the interaction of information systems and organizations. He is co-editor of the European Journal of Information Systems. He is chair of the International Federation for Information Processing Working Group on Information Systems Security Research. Baskerville holds degrees from the University of Maryland, and the London School of Economics.