A major stream of research within the field of information systems security examines the use of organizational policies that specify how users of information and technology resources should behave ...

Organizational information security policies: a review and research framework

Threat modeling – A systematic literature review

We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state-based affective constructs, namely, positive and negative mood states and episodic, security-related work-impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day-to-day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience-sampling methodology design, in which employees completed daily surveys over a 2-week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason-based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

Cognitive-affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study

Prevention is better than cure! Designing information security awareness programs to overcome users' non-compliance with information security policies in banks

An integrative model of information security policy compliance with psychological contract

Purpose – This paper aims to provide an overview of theories used in the field of employees’ information systems (IS) security behavior over the past decade. Research gaps and implications for future research are worked out by analyzing and synthesizing existing literature. Design/methodology/approach – This paper presents the results of a literature review comprising 113 publications. The literature review was designed to identify applied theories and to understand the cognitive determinants in the research field. A meta-model that explains employees’ IS security behavior is introduced by assembling the core constructs of the used theories. Findings – The paper identified 54 used theories, but four behavioral theories were primarily used: Theory of Planned Behavior (TPB), General Deterrence Theory (GDT), Protection Motivation Theory (PMT) and Technology Acceptance Model (TAM). By synthesizing results of empirically tested research models, a survey of factors proven to have a significant influence on empl...

/pdf/information-security-awareness-and-behavior-a-theory-based-4m948bwed1.pdf

Information security awareness and behavior: a theory-based literature review

Today's organizations are highly dependent on information management and processes. Information security is one of the top issues for researchers and practitioners. In literature, there is consent that employees are the weakest link in IS security. A variety of researchers discuss explanations for employees' security related awareness and behavior. This paper presents a theory-based literature review of the extant approaches used within employees' information security awareness and behavior research over the past decade. In total, 113 publications were identified and analyzed. The information security research community covers 54 different theories. Focusing on the four main behavioral theories, a state-of-the-art overview of employees' security awareness and behavior research over the past decade is given. From there, gaps in existing research are uncovered and implications and recommendations for future research are discussed. The literature review might also be useful for practitioners that need information about behavioral factors that are critical to the success of a organization's security awareness.

/pdf/employees-information-security-awareness-and-behavior-a-zc76a6te9i.pdf

Employees' Information Security Awareness and Behavior: A Literature Review

Managing information and content on an enterprise-wide scale is challenging. Enterprise content management (ECM) can be considered as an integrated approach to information management. While this concept received much attention from practitioners, ECM research is still an emerging field of IS research. Most authors that deal with ECM claim that there is little scholarly literature available. After approximately one decade of ECM research, this paper provides an in-depth review of the body of academic research: the ECM domain, its evolution, and main topics are characterized. An established ECM research framework is adopted, refined, and explained with its associated elements and working definitions. On this basis, 68 articles are reviewed, classified, and concepts are derived. Prior research is synthesized and findings are integrated in a conceptcentric way. Further, implications for research and practice, including future trends, are drawn.

Enterprise Content Management - A Literature Review

Nowadays, documents can be scattered across a company in different versions, formats, and languages, and even on different systems. Not only is the resulting content chaos inefficient, it brings with it a number of risks. However, information that is contained in unstructured documents is increasingly becoming a key business resource. Enterprise content management (ECM) is used to manage unstructured content on an enterprise-wide scale. Despite the practical importance of ECM, research is still at an immature state and the process perspective is widely neglected. We suggest a process-oriented approach to identifying, assessing, documenting, classifying and visualizing enterprise content. Within a globally operating engineering company, we check to what extent the applicability of the designed research artifact can be assumed. We give process-oriented guidelines to identify and document enterprise content. Our 7W Framework (7WF) for content assessment contains a collection of metadata (attributes, typical attribute values) to create customized content surveys. Different visual representations of content are proposed, including a document map. Combining business processes and the content of an enterprise, the document map is able to integrate the ECM perspectives and provides decision support. Technical requirements can be derived from it and indepth analysis of business-critical content is enabled.

Towards a process-oriented approach to assessing, classifying and visualizing enterprise content with document maps

Employees are considered to be the weakest link in information systems (IS) security. Many companies and organizations started to implement security education, training and awareness (SETA) programs. These provide their employees awareness of information security risks and the necessary skills to protect a companies’ or organizations’ information assets. To ensure that SETA programs are efficiently aligned to an organization’s objectives, it is essential to identify the most important areas on which to concentrate. In research, there is a lack of generic process models for conducting SETA needs assessments. In this study, we aim to close this gap by suggesting a systematic approach to capturing, evaluating, and depicting the current state of employees’ security awareness and behavior. Actual behavior is evaluated by determining the target values and measuring actual values with respect to security metrics. In order to contribute to both, practical and academic knowledge, we used an action design research (ADR) approach to draw general design principles from organizational intervention within an international engineering company.

Bernd Hohler

Papers

Information security awareness and behavior: a theory-based literature review

Employees' Information Security Awareness and Behavior: A Literature Review

Enterprise Content Management - A Literature Review

Towards a process-oriented approach to assessing, classifying and visualizing enterprise content with document maps

Towards A Needs Assessment Process Model For Security, Education, Training And Awareness Programs: An Action Design Research Study