What is Organizational Identity

Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with information security efforts and compares it against the mindset of information security professionals. Interviews were conducted with 22 ordinary insiders and 11 information security professionals, which effort provides insight into how insiders gauge the efficacy of recommended responses to information security threats. Several key differences between insiders’ and professionals’ security mindsets are also discussed.

Bridging the Divide: A Qualitative Comparison of Information Security Thought Patterns between Information Security Professionals and Ordinary Organizational Insiders

We present a model of employee compliance with information security policy (ISP) that (1) explicates stable, cognitive beliefs regarding the consequences of compliance and noncompliance as well as state-based affective constructs, namely, positive and negative mood states and episodic, security-related work-impediment events, and (2) provides an expanded conceptualisation of moral considerations and normative influences regarding employees' ISP compliance. Because affect is central to this theorisation, we ensure that the model captures and explains differences in day-to-day affective constructs to account for the often fleeting nature of affective states. We test our multilevel model using an experience-sampling methodology design, in which employees completed daily surveys over a 2-week period, followed by a hierarchal linear modelling statistical assessment. Our contribution to theory is a unique account of ISP compliance that integrates affective factors with constructs from rational choice theory and theory of planned behaviour and that diverges from prior conceptualisations of ISP compliance as a purely stable and reason-based phenomenon. For practitioners, our results suggest that a combination of cognitive and affective influences may produce discrete episodes of ISP compliance that do not coincide with prior behavioural trends.

Cognitive-affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study

Prevention is better than cure! Designing information security awareness programs to overcome users' non-compliance with information security policies in banks

Over the past 15 years, accelerators emerged as a popular and distinct new form of intermediary organization, playing a key role in supporting entrepreneurial and innovation activities. To date, despite significant growth in accelerators research, there is still little understanding of how different forms of accelerators operate, and what outcomes they produce across different contexts. This paper reviews the existing scholarly research on accelerators using the Context–Intervention–Mechanism–Outcome framework and is based on the analysis of 98 research papers on accelerators published in the last 15 years. The analysis identifies four mechanisms which explain how accelerators operate and the role they play in supporting entrepreneurship and innovation: the validation of ideas and products; the provision of product development and models learning; the provision of support to increase startups’ market access and growth; and the provision of support for innovation. The paper identifies the methodological and theoretical gaps in current research and provides avenues to support future research and industry practice.

/pdf/a-systematic-literature-review-on-accelerators-14otmxezbr.pdf

A systematic literature review on accelerators

Despite the importance of information security, far too many organizations, in particular banks, are facing behavioral information security incidents. In the context given by the headquarters of a large European banking organization, this single case study investigates whether individual behavioral compliance with the information security policy is influenced by accumulated security information and information security awareness embedded within the theory of reasoned action in an extended norms approach. We collected empirical data through a three-staged process in which we conducted semi-structured interviews, implemented a survey to test the developed research hypotheses, and engaged in interactive presentations to discuss the results. In particular, the qualitative interviews strengthened internal validity of survey constructs related to neutralization techniques and internal channel use for information acquisition. We found that the attitude toward information security policy compliance, and not only social norms but also personal norms related to neutralization techniques, are all significant variables potentially mitigating the knowing-doing gap reported in related information security research. Besides emphasizing the importance of extended norms, which should be accounted for in information security awareness programs, we also highlight the use of internal and external channels to acquire information as initial drivers of awareness. The empirical findings provide implications to practice and advance theoretical development by generally supporting the developed model that accounts for compliant information security behavior at an international bank.

From Information Security Awareness to Reasoned Compliant Action: Analyzing Information Security Policy Compliance in a Large Banking Organization

Our aim is to understand how information security awareness ISA programs affect the intention of employees for compliant information security behavior. We draw on Protection Motivation Theory PMT to uncover indirect influences of ISA programs, and seek to identify the extent to which intention translates into actual compliance is contingent on monitoring. Based on partial least squares structural equation modeling analysis of 183 survey responses consisting of German bank employees, we find strong empirical evidence for the importance of ISA programs, protection motivation and monitoring. While ISA programs effectively change how employees cope with and assess security threats, only coping appraisal is an important condition for the positive behavioral effects of such programs to occur. However, ISA programs may cause a false sense of security, as vulnerability perceptions are reduced by consuming ISA programs but not affecting intentions for compliant security behavior. Perceived monitoring strengthens this confirmed intention-behavior link.

https://link.springer.com/content/pdf/10.1007%2F978-3-319-20376-8_14.pdf

The Effects of Awareness Programs on Information Security in Banks: The Roles of Protection Motivation and Monitoring

The recent phenomenon of corporate accelerators is an excellent opportunity for incumbent companies to participate in promising innovations from startups all over the globe. Incumbent companies introduce structured accelerator programs for cohorts of startups, which in turn benefit from resources, mentoring and networks. The underlying research analyzes the growing interdisciplinary scientific literature on corporate accelerators to shed light on this uprising topic. We conducted a literature review according to the guideline of Webster and Watson (2002) by analyzing 20 scientific references. The results show that researchers applied qualitative methods to explore accelerators in detail and quantitative methods are used to analyze secondary data on startups and accelerators. Overall, most findings of recent research are of exploratory nature and our results summaries the main findings of the articles. Finally, we extracted a list of success factors for incumbent companies running corporate accelerators as well as for startups participating in such programs. In terms of theoretical impact, the articles analyzed apply open innovation theory, the resource based view and institutional theory to explain corporate accelerators. Our study reveals that Information Systems research has so far neglected to conduct studies researching corporate accelerators although the findings of our review show large potential for future research.

Corporate Accelerators: Transferring Technology Innovation to Incumbent Companies

The purpose of this research is to analyze information security awareness (ISA) programs and the measurement of ISA behavior in banking organizations. The underlying paper summarizes the qualitative and exploratory part of our two-staged mixed methods research on the improvement of employee security behavior concerning IT operational risks. IT operational loss events are often caused by undesirable security behavior of employees concerning information technology. Organizations conduct ISA programs to build employees’ security awareness concerning information technology to prevent IT operational loss events. Ten semi-structured qualitative expert interviews were carried out to explore potentials for improvement of ISA programs. Our findings focus on the character of ISA delivery methods and the implemented controls for these methods. Further research should shed light on the effectiveness of experimental and proactive ISA controlling. The outcome provides input for practice in the area of ISA building in the financial sector.

/pdf/end-user-information-security-awareness-programs-for-kg2jz1uiam.pdf

End User Information Security Awareness Programs for Improving Information Security in Banking Organizations: Preliminary Results from an Exploratory Study

Stefan Bauer

Papers

Prevention is better than cure! Designing information security awareness programs to overcome users' non-compliance with information security policies in banks

From Information Security Awareness to Reasoned Compliant Action: Analyzing Information Security Policy Compliance in a Large Banking Organization

The Effects of Awareness Programs on Information Security in Banks: The Roles of Protection Motivation and Monitoring

Corporate Accelerators: Transferring Technology Innovation to Incumbent Companies

End User Information Security Awareness Programs for Improving Information Security in Banking Organizations: Preliminary Results from an Exploratory Study