Information Security in Organizations:
Empirical Examination of Security
Practices in Western New York
Tejaswini Herath
Assistant Professor, Department of Finance, Operations and Information Systems
Brock University
St. Catharines, Ontario, Canada
Prof. H. Raghav Rao
Professor, Department of Management Science and Systems
Adjunct Professor, Department of Computer Science and Engineering
Co-Director, Center for Excellence in Information Systems Research and Education (CEISARE)
Acknowledgements:
We appreciate the support and collaboration on this project by the Cyber Task Force, Buffalo Division, FBI.
We would like to specially thank Supervisory Special Agent Holly Hubert and Intelligence Analyst Susan
Lupiani for their assistance and support.
This research is funded in part by NSF under grant 0723763 and MDRF grant #F0630.
Research Theme: Information Security in Organizations
Three levels of interest: organizations, managers, and employees (end users).
Managers are often faced with:
- resource constraints
- cumbersome practices
- non-compliance by employees
Related Research Questions
A multi-faceted research issue, viewed from three perspectives: the organization/managerial perspective, employee (end user) behavior, and the fit between management and employee perspectives.
- What are the drivers/barriers of organizational adoption of security practices?
- How do various end user beliefs, attitudes and perceptions regarding information security mold their security behavior?
- How can employee security behaviors be influenced?
- Does the congruence between employee and management security values result in positive employee outcomes? If so, how can it be influenced?
Two simultaneous surveys: a Manager survey and an Employee survey.
- Manager Survey: 122 managers
- Employee Survey: 312 employees from 78 organizations
- Responses available for dyadic investigation: 257 matched pairs from 54 organizations
Select findings of this study were presented at the Technology and Homeland Security Forum, Niagara Falls (October 18, 2007).
Respondents
Figure 3. Respondents by Business Sector (pie chart; values read from the chart):
- Other: 26%
- Manufacturing: 17%
- Medical: 16%
- Education: 9%
- Financial Services: 9%
- Service: 7%
- Defense Contracting: 4%
- Media Company: 3%
- Internet Service Provider: 2%
- Oil/Gas: 2%
- Aerospace: 1%
- Power/Energy: 1%
- Retail: 1%
- Transportation: 1%
- Water Supply: 1%
Respondents by Number of Authorized Users (bar chart; values read from the chart):
- 1 to 20: 19%
- 21 to 50: 17%
- 51 to 100: 6%
- 101 to 500: 21%
- 501 to 1000: 26%
- 1000 or more: 11%
Approximately how much is budgeted annually for information security at your organization? (bar chart; values read from the chart)
- None: 48%
- Less than $50,000: 34%
- $50,000 to $99,999: 4%
- $100,000 to $249,999: 3%
- $250,000 to $499,999: 2%
- $500,000 to $999,999: 2%
- $1 to $4.9 million: 5%
- $5 to $9.9 million: 2%
Information security budget as a % of total IT budget in your organization (bar chart; values read from the chart):
- Unknown: 27%
- Less than 1%: 12%
- 1-2%: 10%
- 3-5%: 27%
- 6-7%: 5%
- 8-10%: 11%
- More than 10%: 8%
Resource Availability (bar chart): manager agreement on the availability of financial resources, technological resources and human resources for security; response options Disagree / Neither Agree nor Disagree / Agree.
Security Climate (bar chart): manager agreement with the following statements; response options Disagree / Neither Agree nor Disagree / Agree.
- Employees value the importance of security.
- Security has traditionally been considered an important organizational value.
- Practicing good security is part of the shared beliefs of employees.
- The overall environment fosters security-minded thinking.
- The need to protect information is a basic assumption of employees.
Employee Survey
Employee Behaviors: Introduction
- People are the weakest link.
- Organizations have been actively using security technologies, but security cannot be achieved through technological tools alone. Effective information security in organizations depends on three components: people, processes and technology.
- Recently, calls have been made to pay attention to end-user behaviors.
- The importance of "Appropriate Computer Use Policies" has been recognized for a long time, yet we do not have a clear understanding of their impact and effectiveness.
- Security behaviors diverge: incidents and surveys provide evidence that policies are ignored.
1. Security Policy Compliance: Role of Extrinsic and Intrinsic Motivators
Objective of this study: to evaluate the extrinsic and intrinsic motivators that encourage information security behaviors in organizations:
- impact of penalties (extrinsic disincentive),
- social pressures (extrinsic disincentive),
- perceived value or contribution (intrinsic incentive).
Model (all hypothesized paths lead to Policy Compliance Intention):
- H1a [+]: Severity of Penalty (extrinsic disincentive)
- H1b [+]: Certainty of Detection (extrinsic disincentive)
- H2a [+]: Normative Beliefs
- H2b [+]: Peer Behavior
- H3 [+]: Perceived contribution (perceived employee effectiveness; intrinsic incentive)
Findings
Path coefficients on Policy Compliance Intention (t values in parentheses), R2 = 0.412:
- Severity of Penalty: -0.132** (2.23)
- Certainty of Detection: 0.205*** (3.29)
- Normative Beliefs: 0.433*** (5.29)
- Peer Behavior: 0.157** (2.95)
- Perceived contribution (perceived employee effectiveness): 0.186*** (3.47)
* significant at p < 0.05 level
** significant at p < 0.01 level
*** significant at p < 0.001 level
(A second legend on the slide reads: * significant at p < 0.1.)
Discussion
- Results indicate that both intrinsic and extrinsic motivators influence employee intentions of security policy compliance in organizations.
- Intrinsic motivation plays a role: if employees perceive their security compliance behaviors to have a favorable impact on, or benefit, the organization, they are more likely to take such actions.
- Social influence also plays a role in security behaviors.
- Certainty of detection was found to have a positive impact on security behavior intention.
- Surprisingly, severity of penalty was found to have a negative impact on security behavior intentions. This is in accordance with the view of experts in the field that incentives and penalties can also play a negative role (Benabou and Tirole 2003; Kohn 1993).
Implications
- From a practical point of view, the results have implications for the design, development and implementation of secure systems and security policies.
- It is important for IT management to make efforts to convey to employees that information security is important to the organization and that employee actions make a difference in achieving the overall goal of secured information.
- Managers can enhance security compliance by fostering an appropriate security climate in the organization.
- The existence and visibility of detection mechanisms is perhaps more important than the severity of the penalties imposed.
T. Herath and H. R. Rao. 2009. “Encouraging Information Security Behaviors: Role of Penalties,
Pressures and Perceived Effectiveness” Decision Support Systems (DSS), Vol. 47, No. 2, pp 154-165.
2. Protection Motivation and Deterrence
Premise: security behaviours are affected by organizational, environmental and behavioural factors.
Objective:
- Test an integrated Protection Motivation and Deterrence model of security policy compliance under the umbrella of Taylor-Todd's Decomposed Theory of Planned Behavior.
- Protection motivation theory: an evaluation of threat appraisal and response efficacy to identify attitudes towards security policies.
- Environmental factors such as deterrence, facilitating conditions and social influence.
- Role of employees' organizational commitment in security policy compliance.
Model (path diagram; the edge-to-hypothesis mapping is not recoverable from the slide text)
Dependent construct: Security Policy Compliance Intention, with Security Policy Attitude as the intermediate attitude construct.
Antecedent constructs: Security Breach Concern level, Perceived Severity of Security Breach, Perceived Probability of Security Breach, Response Efficacy (effectiveness of a person's action), Response Cost, Self-Efficacy, Resource Availability, Organizational commitment, Punishment Severity, Detection Certainty, Subjective Norm, Descriptive Norm.
Hypotheses H1 through H15; all are hypothesized positive [+] except H6 [-].
Results (path diagram with the same constructs as the model; path coefficients are not recoverable from the slide text)
Control variables on Security Policy Compliance Intention (coefficient (t value)):
- Age: -0.017 (t: 0.318)
- Edu: -0.072 (t: 1.302)
- Gender: 0.098* (t: 2.05)
- IT/non-IT Job: 0.038 (t: 0.82)
- CompNum: 0.093 (t: 1.68)
- AnnualSecBud: 0.026 (t: 0.498)
Findings
Protection Motivation
- It is important for IT management to communicate the reality of security threats to organizational end-users.
- It is important for IT management to make efforts to convey to employees that their actions make a difference in achieving the overall goal of system security.
Deterrence
- Severity of penalty had a negative impact, while certainty of detection had a positive impact, so monitoring is essential.
Theory of Planned Behavior
- Subjective and descriptive norms both play a role, so an appropriate security climate matters.
- Managers need to make security policy related resources easily available to employees. The implications of self-efficacy for training or organizational development are numerous.
- Organizational commitment plays a role, so managerial actions for employee involvement are important.
T. Herath and H. R. Rao. 2009. "Protection Motivation and Deterrence: A Framework for Security Policy Compliance in
Organizations", European Journal of Information Systems (EJIS), Vol. 18, No. 2, pp. 106-125.
3. Employee Perceptions of Security Climate: A Dyadic Investigation of Manager-Employee Perception Alignment
Motivation:
- Two mechanisms used to manage security effectively: training and awareness, and policy enforcement.
- Successful implementation of IT security controls and policies is only possible when individuals align their value system with that of management (Mishra and Dhillon 2006).
- Empirical research evaluating the effectiveness of these mechanisms is almost non-existent; these mechanisms lack evidence of effectiveness (Aytes and Connolly 2004).
Objectives:
- Investigate employee perception of security climate and its relation to policy compliance behavior.
- Examine the role of the above two organizational socialization processes in shaping employees' security climate perceptions.
- Evaluate security climate and its influence on end-user policy compliance from the dyadic perspective of both management and employee views.
Findings
- This dyadic study sheds light on the importance of understanding various socio-organizational nuances for effective security management.
- Security climate significantly affects security policy compliance.
- Training & awareness and policy enforcement both significantly contribute to security climate perceptions (R2 => 0.47) and are thus important mechanisms for creating a security-conscious environment.
- A recent eCrime survey (based on a sample of 434 organizations) suggests that although policies are in place, training and awareness efforts as well as policy enforcement efforts are much lower in magnitude.
Policies and enforcement - Manager responses (bar chart): manager agreement with the following statements; response options Disagree / Neither Agree nor Disagree / Agree. Individual bar values are not recoverable from the slide text.
- Information security awareness is communicated well throughout the organization.
- Users receive adequate security training prior to receiving a network account.
- Information security policies are made available to employees on-line.
- A variety of business communications (notices, posters, newsletters, etc.) are used to promote security awareness.
- Information security policies are written in a manner that is clear and understandable.
- Policies are consistently enforced across the organization.
- Information security rules are enforced by sanctioning the employees who break them.
- Employee computer practices are properly monitored for policy violations.
Contributions: Implications for Practice and Theory
- Dyadic test: employee behavior may be driven more by personally held beliefs than by the actual organizational climate.
- It is important for management to have a clearer understanding of the effectiveness of these mechanisms.
- It is vital for management to gauge how these efforts are perceived by end-users and to what level they are accepted.
- Our study empirically substantiates the need for management awareness of the multiple facets of end-user behaviors.