Elsevier

Computers & Security

Volume 52, July 2015, Pages 128-141

Analyzing the role of cognitive and cultural biases in the internalization of information security policies: Recommendations for information security awareness programs

https://doi.org/10.1016/j.cose.2015.04.006

Highlights

  • Security literature lacks an examination of cognitive and cultural biases' role.

  • We study how cognitive and cultural biases affect security compliance behavior.

  • Security awareness programs could alleviate the effect of biases.

  • We provide recommendations for security awareness programs towards this goal.

Abstract

Standards and best practices for information security awareness programs focus on the content and processes of the programs, without taking into consideration how individuals internalize security-related information and how they make security-related decisions. Relevant literature, however, has identified that individual perceptions, beliefs, and biases significantly influence security policy compliance behavior. Security awareness programs therefore need to be aligned with the factors affecting the internalization of the communicated security objectives. This paper explores the role of cognitive and cultural biases in shaping information security perceptions and behaviors. We draw upon related literature from contiguous disciplines (namely behavioral economics and health and safety research) to develop a conceptual framework and analyze the role of cognitive and cultural biases in information security behavior. We discuss the implications of biases for security awareness programs and provide a set of recommendations for planning and implementing awareness programs and for designing the related material. This paper opens new avenues for information security awareness research with regard to security decision making and proposes practical recommendations for planning and delivering security awareness programs, so as to exploit and alleviate the effect of cognitive and cultural biases on risk perceptions and security behavior.

Introduction

Information security research increasingly focuses on the “human factor”, as humans are considered to be information security's weakest link. Information security management employs security policies as a means to define what is expected from individuals in an organization, including end-users, IT personnel, contractors and decision makers, in relation to information security. It is often the case, however, that information system users fail to comply with security policies. To tackle this problem, and also to address regulatory compliance requirements (e.g., HIPAA, FISMA), information security awareness programs have become key components of security management.

Awareness programs include activities that aim to make users “aware” of security issues and policies. Widely used security awareness standards and guidelines (ENISA, 2010; NIST 800-16, 1998; NIST 800-50, 2003; NIST 800-53, 2013) provide directions on developing material that informs employees about the importance of information security and the content of security policies. Standards and guidelines mainly focus on the processes and contents of the awareness program, addressing the question “What behaviour do we want to reinforce?” (NIST 800-50, 2003). Awareness programs are built on the assumption that users fail to adopt secure practices either because they are not aware of the risks, because they do not understand the implications of security violations, or because they do not understand how they are expected to act. Security standards and guidelines, however, do not take into consideration whether knowledge of the awareness material will actually result in improved security behavior.

Transforming security behavior goes beyond the acquisition of knowledge of security policies and awareness of the importance of security. Research on security policy compliance (e.g., Bulgurcu et al., 2010, D'Arcy et al., 2009, Herath and Rao, 2009b) indicates that, in order to influence users' security behavior, we need to affect the way in which users perceive risks and make security-related decisions. Awareness programs need to go beyond the simple communication of security-related information and align with the process of individual decision-making.

Awareness programs, in this perspective, fall short in examining how individuals formulate their perceptions and beliefs about security, and in taking into consideration the role of beliefs and biases in shaping users' security behavior. A number of studies have identified this gap and highlighted the need to change the way awareness strategies are designed. Karjalainen and Siponen (2011) argue that programs relying on one-way transmission of predetermined content are not suitable for security awareness. Rhee et al. (2012) show that the optimism bias of MIS executives affects vulnerability perceptions and call for more systematic awareness efforts that take such biases into account. However, the extant literature lacks a systematic examination of the implications of biases for information security awareness programs. Security awareness research and practice need to understand how to bolster security behavior, in addition to identifying what security behavior to promote. To do that, we need to understand how individuals internalize security awareness information and illuminate the role of biases in shaping security-related decision making.

The role of biases has been extensively studied with regard to raising health and safety awareness. Relevant literature in health and safety, as well as in other disciplines such as behavioral economics, has identified that the thinking processes behind perceiving risks and making risk-related decisions are subject to specific cognitive and cultural biases, such as the affect heuristic (i.e., a mental shortcut in which the current emotional state influences decisions) and optimism bias (Gilovich et al., 2002). For example, research suggests that the affect heuristic leads many young people to start smoking cigarettes, ignoring the severe health risks of this activity (Slovic et al., 2004). Based on this finding, modern anti-smoking campaigns use advertisements that evoke strong negative emotions, such as fear or sadness (Biener et al., 2004). By contrast, information security awareness is still dominated by a “normative paradigm” of communicating facts and figures (Stewart, 2009; Stewart and Lacey, 2012), assuming that increased knowledge will inevitably result in enhanced security behavior.

This paper argues that individuals receive and process information security awareness information through the filter of cognitive and cultural biases. Drawing on the fact that both information security awareness programs and safety awareness programs seek to manage risk by influencing individual behavior, we identify and analyze security-relevant biases from contiguous disciplines (such as behavioral economics and health and safety). We then discuss the implications of these biases for the formation of risk perceptions and the shaping of information security behavior, and finally propose a set of recommendations for designing security awareness programs that accommodate the traits of security decision-making. The research implications of this study include a call to explore the role of individual information internalization processes in information security awareness and information security behavior research. The practical implications include recommendations for planning and executing security awareness programs so that the effect of cognitive and cultural biases is not neglected.

The paper continues with an analysis of the information security policy compliance literature (Section 2), which identifies the role of individual perceptions and beliefs, as well as the influence of information security awareness on security compliance. In Section 3 we draw on relevant research to compile a conceptual framework of cognitive and cultural biases, which Section 4 employs to analyze the role of biases in information security behavior. Section 5 proposes a set of recommendations for implementing information security awareness programs that account for how individuals internalize security information. Finally, we present the conclusions and implications of the study.

Background: factors affecting information security compliance

Information security policy (ISP) compliance studies draw on various theoretical backgrounds (e.g., theory of reasoned action, theory of planned behavior, protection motivation theory and neutralization theory) to identify factors that affect users' intention to comply with information security policies. Sommestad et al. (2014) reviewed 29 quantitative studies and found more than 60 variables that are determinants of ISP compliance and noncompliance. Common variables identified to determine

The role of biases in human behavior and decision-making

People are known for behaving in ways they cannot justify, in which case they are often labelled irrational. For example, instead of conducting a complete analysis of risks and benefits before registering with a social network or shopping online, people intuitively decide whether or not to trust the social networking site or the online shop. However, most people would not do something they consider irrational if it would certainly lead to a severe loss. Thus, people are guided by intuition

Analyzing the effect of cognitive and cultural biases on ISP compliance

As shown in Section 2, relevant research has demonstrated the role of information security awareness as an antecedent of ISP compliance. However, we still need to understand the cognitive processes that lead towards, or away from, ISP compliance. While providing security-related information and enhancing the understanding of information security policies promotes analytic reasoning, we should not ignore that experiential/intuitive reasoning relies on heuristics and is dominated by cognitive and

Addressing biases via security awareness programs

Security management schemes commonly involve a pyramid structure of security communication with awareness, training and education levels (Peltier, 1995; Katsikas, 2000; NIST 800-50, 2003). At the base level are awareness programs, an important means of disseminating security information across an organization. Awareness programs aim to stimulate security behaviors, motivating stakeholders to recognize security concerns and respond to them. At the middle pyramid level,

Conclusions and further research

Effective information security governance is largely associated with security awareness programs, as the literature has identified their role in influencing users' intention to comply with information security policies. Security managers draw on standards and best-practice guidelines to plan and implement these programs. However, standards and guidelines adopt a normative, prescriptive approach, following the assumption that communicating security-related information and emphasizing its importance

References (66)

  • A. Vance et al. Motivating IS security compliance: insights from habit and protection motivation theory. Inform Manage (2012)
  • A. Acquisti. Privacy in electronic commerce and the economics of immediate gratification
  • D.A. Armor et al. When predictions fail: the dilemma of unrealistic optimism
  • BBC News. Greater Manchester police fined over stolen data stick (2012)
  • L. Biener et al. The impact of emotional tone, message, and broadcast parameters in youth anti-smoking advertisements. J Health Commun (2004)
  • J. Brenot et al. Testing the cultural theory of risk in France. Risk Anal (1998)
  • B. Bulgurcu et al. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly (2010)
  • A. Caputo. A literature review of cognitive biases in negotiation process. Int J Confl Manag (2013)
  • G.B. Chapman et al. Incorporating the irrelevant: anchors in judgments of belief and value
  • J. D'Arcy et al. User awareness of security countermeasures and its impact on information systems misuse. Inform Syst Res (2009)
  • M.R.P. Dougherty et al. MINERVA-DM: a memory process model for judgments of likelihood. Psychol Rev (1999)
  • M. Douglas et al. Risk and culture: an essay on the selection of technological and environmental dangers (1982)
  • ENISA. Secure USB flash drives (2008)
  • ENISA. The new users' guide: how to raise information security awareness (2010)
  • Ernst & Young Global Information Security Survey. Fighting to close the gap (2012)
  • S. Frederick et al. Time discounting and time preference: a critical review. J Econ Literature (2002)
  • J.I. Gabriel et al. A cognitive map of people's online risk perceptions and attitudes: an empirical study
  • S. Haag et al. Sensitizing employees' corporate IS security risk perception
  • F. Haeussinger et al. Information security awareness: its antecedents and mediating effects on security compliant behavior
  • S. Hansche. Designing a security awareness program: Part I. Inf Syst Secur (2001)
  • T. Herath et al. Protection motivation and deterrence: a framework for security policy compliance in organisations. Eur J Inform Syst (2009)
  • C.K. Hsee et al. The affect effect in insurance decisions. J Risk Uncertain (2000)
Aggeliki Tsohou is a Lecturer at the Department of Informatics at the Ionian University in Greece. She holds a B.Sc. in Informatics, an M.Sc. in Information Systems and a Ph.D. in Information Security Management. She has worked as a Post-Doctoral Researcher at the University of Jyväskylä, Department of Computer Science and Information Systems, Finland and as a Senior Research Fellow at Brunel Business School, UK. Her research interests include information security and privacy management, risk analysis, security and privacy awareness and training programs, and standardization.

Maria Karyda is an Assistant Professor at the Department of Information and Communication Systems Engineering at the University of the Aegean, Greece. She obtained a B.Sc. in Informatics, an M.Sc. in Information Systems and a Ph.D. in Information Systems Security from the Athens University of Economics and Business, Greece. Her research interests include organizational aspects of information systems security management, the use and application of security policies, and security culture and awareness.

Spyros Kokolakis is an Assistant Professor at the Department of Information and Communication Systems Engineering at the University of the Aegean, Greece. He received a B.Sc. in Informatics from the Athens University of Economics and Business in 1991 and a Ph.D. in Information Systems from the same university in 2000. His current research interests include information systems security management, risk analysis, and security policy design and implementation. He is a member of AIS.