Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs
Introduction
Information security research focuses on the “human factor”, as humans are considered to be information security's weakest link. Information security management employs security policies as a means to define what is expected from individuals in an organization, including end-users, IT personnel, contractors and decision makers, in relation to information security. It is often the case, however, that information system users fail to comply with security policies. To tackle this problem, but also to address regulatory compliance requirements (e.g., HIPAA, FISMA), information security awareness programs have become key components of security management.
Awareness programs include activities that aim to make users “aware” of security issues and policies. Widely used security awareness standards and guidelines (ENISA, 2010; NIST 800-16, 1998; NIST 800-50, 2003; NIST 800-53, 2013) provide directions on developing material that informs employees about the importance of information security and the content of security policies. Standards and guidelines mainly focus on the processes and contents of the awareness program, addressing the question “What behaviour do we want to reinforce?” (NIST 800-50, 2003). Awareness programs are compiled following the assumption that users fail to adopt secure practices either because they are not aware of the risks, or because they do not understand the implications of security violations, or because they do not understand how they are expected to act. Security standards and guidelines, however, do not take into consideration whether knowledge of the awareness material will actually result in improved security behavior.
Transforming security behavior goes beyond the acquisition of knowledge of security policies and awareness of the importance of security. Research on security policy compliance (e.g., Bulgurcu et al., 2010, D'Arcy et al., 2009, Herath and Rao, 2009b) indicates that, in order to influence users' security behavior, we need to affect the way in which users perceive risks and make security-related decisions. Awareness programs need to go beyond the simple communication of security-related information and align with the process of individual decision-making.
Awareness programs, in this perspective, fall short in examining how individuals formulate their perceptions and beliefs about security, and in taking into consideration the role of beliefs and biases in shaping users' security behavior. A number of studies have identified this gap, highlighting the need to change the way awareness strategies are designed. Karjalainen and Siponen (2011) indicate that programs that rely on one-way transmission of predetermined contents are not suitable for security awareness. Rhee et al. (2012) show that optimism biases of MIS executives affect vulnerability perceptions and call for more systematic awareness efforts that take into account the role of the relevant biases. However, the extant literature lacks a systematic examination of the implications of biases for information security awareness programs. Security awareness research and practice need to understand ‘how to bolster security behaviour’, besides identifying what security behavior to promote. To do that, we need to understand how individuals internalize security awareness information and illuminate the role of biases in shaping security-related decision making.
The role of biases has been extensively studied with regard to raising health and safety awareness. Relevant literature in health and safety, as well as in other disciplines such as behavioral economics, has identified that the thinking processes behind perceiving risks and making risk-related decisions are subject to specific cognitive and cultural biases, such as the affect heuristic (i.e., a mental shortcut in which current emotional state influences decisions) and optimism bias (Gilovich et al., 2002). For example, research suggests that the affect heuristic leads many young people to initiate cigarette smoking, ignoring the severe health risks of this activity (Slovic et al., 2004). Based on this finding, modern anti-smoking campaigns use advertisements that evoke strong negative emotions, such as fear or sadness (Biener et al., 2004). By contrast, information security awareness is still dominated by a “normative paradigm” of communicating facts and figures (Stewart, 2009; Stewart and Lacey, 2012), assuming that increased knowledge will inescapably result in enhanced security behavior.
This paper argues that individuals receive and process information security awareness information through the filter of cognitive and cultural biases. Drawing on the fact that both information security awareness programs and safety awareness programs seek to manage risk by influencing individual behavior, we identify and analyze security-related biases from contiguous disciplines (such as behavioral economics and health and safety). We then discuss the implications of these biases for the formation of risk perceptions and the shaping of information security behavior, and finally propose a set of recommendations for designing security awareness programs so as to accommodate the traits of security decision-making. The research implications of this study involve a call for exploring the role of individual information internalization processes in information security awareness and information security behavior research. The practical implications involve recommendations for planning and executing security awareness programs so that the effect of cognitive and cultural biases is not neglected.
The paper continues with an analysis of the information security policy compliance literature, which identifies the role of individual perceptions and beliefs, as well as the influence of information security awareness on security compliance. In Section 3 we draw on relevant research to compile a conceptual framework of cognitive and cultural biases, which is employed in the following section to analyze the role of biases in information security behavior. We then propose a set of recommendations for the implementation of information security awareness programs with respect to the processes by which individuals internalize information security information (Section 5). Finally, we present the conclusions and implications of the study.
Section snippets
Background: factors affecting information security compliance
Information security policy (ISP) compliance studies draw on various theoretical backgrounds (e.g. theory of reasoned action, theory of planned behavior, protection motivation theory and neutralization theory) to identify factors that affect users' intention to comply with information security policies. Sommestad et al. (2014) reviewed 29 quantitative studies and found more than 60 variables that are determinants of ISP compliance and non-compliance. Common variables identified to determine
The role of biases in human behavior and decision-making
People are renowned for behaving in ways they cannot justify, in which case they are often labelled irrational. For example, instead of conducting a complete analysis of risks and benefits before registering with a social network or an online shop, people intuitively decide whether or not to trust the social networking site or the online shop. However, most people would not do something they consider irrational if this would certainly lead to a severe loss. Thus, people are guided by intuition
Analyzing the effect of cognitive and cultural biases on ISP compliance
As shown in Section 2, related research has demonstrated the role of information security awareness as an antecedent of ISP compliance. However, we still need to understand the cognitive processes that lead towards, or away from, ISP compliance. While providing security-related information and enhancing the understanding of information security policies promotes analytic reasoning, we should not ignore that experiential/intuitive reasoning relies on heuristics and is dominated by cognitive and
Addressing biases via security awareness programs
Security management schemes commonly involve a pyramid structure of security communication, comprising awareness, training and education levels (Peltier, 1995; Katsikas, 2000; NIST 800-50, 2003). At the base level are awareness programs, which are important means for disseminating security information across an organization. Awareness programs aim at stimulating security behaviors, motivating stakeholders to recognize security concerns and respond to them. At the middle pyramid level,
Conclusions and further research
Effective information security governance is largely associated with security awareness programs as literature has identified their role in influencing users' intention to comply with information security policies. Security managers draw on standards and best-practice guidelines to plan and implement these programs. However, standards and guidelines adopt a normative – prescriptive approach, following the assumption that communicating security-related information and emphasizing its importance
References (66)
- et al. It won't happen to me: promoting secure behaviour among internet users. Comput Hum Behav (2010)
- et al. A literature review of the anchoring effect. J Socio-Economics (2011)
- et al. Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decis Support (2009)
- et al. Factors affecting perception of information security and their impacts on IT adoption and security practices. Int J Human-Comput Stud (2011)
- Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory. Comput Secur (2012)
- Health care management and information systems security: awareness, training or education? International Journal of Medical Informatics (2000)
- Risky business: what we have yet to learn about risk management. J Syst Softw (2000)
- et al. Unrealistic optimism on information security management. Comput Secur (2012)
- et al. Behavioral decision theory perspectives on risk and safety. Acta Psychol (1984)
- A safety approach to information security communications. Inf Secur Tech Rep (2009)
- Motivating IS security compliance: insights from habit and protection motivation theory. Inform Manage
- Privacy in electronic commerce and the economics of immediate gratification
- When predictions fail: the dilemma of unrealistic optimism
- Greater Manchester police fined over stolen data stick
- The impact of emotional tone, message, and broadcast parameters in youth anti-smoking advertisements. J Health Commun
- Testing the cultural theory of risk in France. Risk Anal
- Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly
- A literature review of cognitive biases in negotiation process. Int J Confl Manag
- Incorporating the irrelevant: anchors in judgments of belief and value
- User awareness of security countermeasures and its impact on information systems misuse. Information Syst Res
- MINERVA-DM: a memory process model for judgments of likelihood. Psychol Rev
- Risk and culture: an essay on the selection of technological and environmental dangers
- Secure USB flash drives
- The new users' guide: how to raise information security awareness
- Fighting to close the gap
- Time discounting and time preference: a critical review. J Econ Literature
- A cognitive map of people's online risk perceptions and attitudes: an empirical study
- Sensitizing employees' corporate IS security risk perception
- Information security awareness: its antecedents and mediating effects on security compliant behavior
- Designing a security awareness program: Part I. Inf Syst Secur
- Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inform Syst
- The affect effect in insurance decisions. J Risk Uncertain
Cited by (119)
- Information security policies compliance in a global setting: an employee's perspective. Computers and Security (2023)
- Employees’ information security awareness (ISA) in public organisations: insights from cross-cultural studies in Sweden, France, and Tunisia. Behaviour and Information Technology (2024)
Aggeliki Tsohou is a Lecturer at the Department of Informatics at the Ionian University in Greece. She holds a B.Sc. in Informatics, an M.Sc. in Information Systems and a Ph.D. in Information Security Management. She has worked as a Post-Doctoral Researcher at the University of Jyväskylä, Department of Computer Science and Information Systems, Finland and as a Senior Research Fellow at Brunel Business School, UK. Her research interests include information security and privacy management, risk analysis, security and privacy awareness and training programs, and standardization.
Maria Karyda is an Assistant Professor at the Department of Information and Communication Systems Engineering at the University of the Aegean, Greece. She obtained a B.Sc. in Informatics, an M.Sc. in Information Systems and a Ph.D. in Information Systems Security from the Athens University of Economics and Business, Greece. Her research interests include organizational aspects of information systems security management, the use and application of security policies and security culture and awareness.
Spyros Kokolakis is an Assistant Professor at the Department of Information and Communication Systems Engineering at the University of the Aegean, Greece. He received a B.Sc. in Informatics from the Athens University of Economics and Business in 1991 and a Ph.D. in Information Systems from the same university in 2000. His current research interests include information systems security management, risk analysis, and security policies design and implementation. He is a member of AIS.