Published in: Information Systems Frontiers 2/2019

03.04.2017

The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats

Authors: Robert E. Crossler, France Bélanger, Dustin Ormond


Abstract

Individuals can perform many different behaviors to protect themselves from computer security threats. Research, however, generally explores computer security behaviors in isolation, typically looking at one behavior per study, such as usage of malware or strong passwords. However, defense in depth requires that multiple behaviors be performed concurrently for one’s computer to be protected. Addressing this gap in prior research, this study measures 279 individuals’ computer security behaviors and analyzes them with multi-dimensional scaling. We examined three security threats: security-related performance degradation, identity theft, and data loss. The results present a mapping of security behaviors performed together with other behaviors on two dimensions for each of these threats. Using expert reviews of the resulting dimensions, the study proposes that response efficacy and response cost help explain why people perform certain behaviors together. These findings can help explain inconsistent results in prior information security research, because those studies focused on only one behavior, whereas people perform various security behaviors together in an effort to mitigate specific security threats. The study informs research and practice by identifying security threat-response pairs via expert interviews, surveying individuals on how they perform multiple security behaviors concurrently to mitigate security threats, identifying why certain behaviors are performed together, and using these findings to identify reasons why IS security research has confounding results based on specific individual threat-response pairs used in prior studies.


Footnotes
1
These titles are representative of the respondents’ titles since some of our experts did not want their detailed titles used to ensure their confidentiality.
 
Metadata
Title
The quest for complete security: An empirical analysis of users’ multi-layered protection from security threats
Authors
Robert E. Crossler
France Bélanger
Dustin Ormond
Publication date
03.04.2017
Publisher
Springer US
Published in
Information Systems Frontiers / Issue 2/2019
Print ISSN: 1387-3326
Electronic ISSN: 1572-9419
DOI
https://doi.org/10.1007/s10796-017-9755-1
