Relationship between stakeholders information value perception and information security behaviour

Transcription

1 Relationship between stakeholders information value perception and information security behaviour Sharul Tajuddin 1,2,a), Wendy Olphert 1, b) and Neil Doherty 1,c) 1 (Loughborough University, Centre for Information Management, Loughborough, LE11 3TU, Leicestershire, UK) 2 (Institut Teknologi Brunei, School of Computing and Informatics, Brunei Darussalam) a) Corresponding author: s.t.haji-tajuddin@lboro.ac.uk b) c.w.olphert@lboro.ac.uk c) n.f.doherty@lboro.ac.uk Abstract. The study, reported in this paper, aims to explore the relationship between the stakeholders perceptions about the value of information and their resultant information security behaviours. Moreover, this study seeks to explore the role of national and organisational culture in facilitating information value assignment. A number of studies have suggested that such problems are not related primarily to technology problems or procedural deficiencies, but rather to stakeholders poor compliance with the security measures that are in place. Research indicates that compliance behaviour is affected by many variables including perceived costs and benefits, national and organisational culture and norms. However, there has been little research to understand the concept of information value from the perspective of those who interact with the data, and the consequences for information security behaviours. This study seeks to address this gap in the research. Data will be presented from a pilot study consisting of interviews with 6 participants from public organisations in Brunei Darussalam which illustrate the nature of the value assignment process, together with an initial model of the relationship between perceived information value and information security behaviours. INTRODUCTION This paper is the starting point of our work on information security compliance. It describes our early ideas and distinguishes our approach from other work. An interpretive framework was developed to represent the ideas as an alternative approach towards understanding compliance behaviour with information security countermeasures. Information Security is a concept that formed from the recognition that information is valuable and that it requires protection. The ISO defines information as an asset, which, like other important business assets, is essential to an organisation s business and consequently needs to be appropriately protected. By definition, an asset has a value to the organisation, hence it requires protection [1]. Information protection is typically accomplished through the implementation of countermeasures against the threats and vulnerabilities of information security, for example, implementation of technological processes and mechanisms such as firewall and authorization and authentication systems, set-up of deterrence procedure such as password control and enforcement of organisational policy on information handling procedures. The efficiency of the implemented processes and mechanism depends a lot on the stakeholder s decision as to whether they use the processes and mechanisms or not. To help ensure that stakeholders are willing to use the countermeasures in place, many organisations are spending large sums of money to train and educate their stakeholders and to set up an information security awareness environment in the organisation. Despite the appreciation of the current information security landscape and the cautious approaches by organisations towards achieving appropriate information security, information security breaches and incidents are on

2 the rise. Such breaches may lead to loss or misuse of information, personal records, or other data. Some resulted in the loss of millions of data records; some affected millions of people, and some cost the affected businesses financially [2]. 2. BACKGROUND RESEARCH/RELATED WORK Information value Information has become the representative of organisations values and knowledge; information acts as a transforming agent in organisational development by facilitating organisational learning. Many organisations have developed their information into a rich repository of knowledge that has had great impacts in achieving their objectives. The more organisations see information security as an integral part of their business processes and the dependency on information increases, the more they value information as an important asset to their activity [3], [4]. Value that is derived from its capacity to support decisions or control processes by the furnishing of information [5] have brought about its commodification, in the sense that it has a market value, and it is appropriable. This phenomenon signifies information is appreciated more if it contributes positively to the organisation objectives thus warranting appropriate protection over it. Information Security It has become the focus of businesses and governments to address information security, not only because of the demand of their business processes but also because of the need to adhere to regulations and legislation. Examples of such regulations and legislation are The Data Protection Act; the Financial Services Authority regulations; the European Commission (EC) Data Protection Directive; the Sarbanes-Oxley Act of the United States; and a few others.it is also a de facto standard for organisations business processes and corporate governances to conform to the International Organisation for Standardization (ISO) to earn international recognition. Achieving such standards may portray that the organisation as having a good reputation in their obligation to uphold information security and provide appropriate protection for their information. [6,7] postulate that working towards international standards such as ISO will help improve the organisation s information security. Well established information security models such as the CIA triads [8], Parkerian Hexad [9] and Information Assurance (IA) [10] predominantly focus on the technical aspects of information security and do not clearly define the importance of human elements of information security. Human contributions to the success and efficiency of information security are not explicitly defined. Goals outlined by these models are left to the individual or organisations to translate and find effective ways in which to attain them. Despite the advancements in technology, the availability of guidelines and policies and properly designed organisational strategy, people are still required to use the technology, observe good practices and comply with the organisation s policies and strategies. A new, socio-technical approach that includes not only technology design, but also other important elements such as processes, organisational strategy and people is in need. The socio-technical approach is about harnessing the people's strengths and technical aspects of organisational structure and processes in order to achieve joint optimization. Information Security Behaviour Information Security behaviour has been the subject of studies by many researchers with the aim to understand why stakeholders behave the way they do in a wide variety of information security contexts. There are many models provided by various information scientists that attempt to explain this behaviour and predict how specific behaviour is constructed [14] Such models typically have their roots into theories such as the theory of planned behaviour (TPB) and theory of reasoned action (TRA) popularised by [15]. They propose that behaviour towards information security is a result of stakeholders decision-making processes based on factors such as knowledge, awareness and experience. It is therefore expected that stakeholders who receive any form of awareness, education and training (AET) initiatives would demonstrate better security behaviour than stakeholders who do not receive any [16]. This notion leads to an indication that human behaviour is a key area for information security and contributes significantly to the

3 effectiveness of information security. Some research suggests that most information security incidents are the result of careless employees who do not comply with organisational security procedures or policies. This carelessness, therefore, can place the organisations assets and business in danger [17]. Similarly, a study by [18] supports the suggestion by [19,20] that as human and organisational factors play a significant role in information security, vulnerabilities are not to be blamed on technological problems alone. The relation of vulnerabilities with human behaviour led to researchers such as [25, 26] to postulate that humans are the weakest link' in information security, a conclusion similarly reached by the consultancy firm PriceWaterhouseCoopers in their 2012 survey of information security breaches in 414 United Kingdom organisations. It is due to this realization that much research has been dedicated to finding solutions on how to improve human compliance with information security countermeasures. Some of the areas that are being studied include human decision-making when facing with information security issues [12], [27], determinants of human intention to behave [14, 28, 29 30] and how intention to behave can be used to predict the choice of actual behaviour [31]. Perceived value The term perceived value is a common term used in the marketing field. Controlling the perceived value of a product increases the viability for purchasing the product [32]. Perceived value is an important determinant of consumer shopping behaviour [33] in which the value assigned by consumers to certain products greatly determines the likelihood of a purchase. In the context of this study, stakeholders' perceived value describes the value assigned by stakeholders to particular information. As a result of initial review of current literature, the research postulates that perceived value in relation to information could potentially be created based on variables such as its importance, the sensitivity of the information, and/or the influence of organisational and national culture. It is postulated that the higher the value assigned by stakeholders to certain information, the more protection is expected, and compliance with protection and security countermeasures will increase. It is also deemed that the perceived value of information will always be relative and contextual in nature and be influenced by others perceptions. A group of stakeholders might have a collective perception of the value of a piece of information which is accepted as the actual value of that information but a quantified actual value might never be achieved. Factors that influence Information Security behaviour Many studies have extracted, adapted and tested various constructs, determinants and antecedents believed to have influence on human intention to behave and predictions of the actual behaviour. Studies by [14, 19, 20, 29, 30, 34] found that the individual's perception of social normative pressures has a positive impact on the individual's intention to behave. The same studies also found out that the individual's perception of their ability to manage and cope with the situation faced (coping appraisal) also has the same impact on the individual s intention to behave. [28] study found out that self-efficacy coupled with a positive change in employees' perception of the current organisational information security climate (state) had a positive impact on employee s compliant behaviour. [23] posit that benefit and cost of compliance, as well as non-compliance, can influence employee's attitudes to information security. A study by [12] suggests that stakeholders' actual and anticipated costs and benefits of their behaviour largely influence their intention to comply with information security countermeasures. They further suggest that when stakeholders perceive that the costs are likely to outweigh the benefits, the likely outcome is that they will circumvent security. Other researchers have studied various ways for improving information security compliance. [35] has worked on involving stakeholders in information security design, [36, 37] used e-learning and interactive computer-based learning to improve awareness. [38, 39] suggest that better communication and discussion of information security amongst employees will help improve behaviour towards information security. [30, 40] found that deterrence methods are effective in influencing employee compliance behaviour. Further, [41, 42] suggest that in order to have an effective improvement information security, the organisation s culture needs to be changed to foster a more holistic view of information security. Researchers such as [43] have looked into persuasive technology to influence stakeholders to choose more appropriate behaviour when faced with information security issues. Other factors,

4 including elements of human characteristics and traits have been studied to understand the act of compliance phenomena (Shropshire et al., 2006). Such characteristics and traits include: thinking before acting, delaying gratification, following norms and rules, and planning, organizing, and prioritizing tasks and agreeableness, friendliness, pro-social and communal orientation towards others are positively related to Information Security compliance behaviour. [27] assume that risky computing behaviour is a result of individual choices that are at least weakly guided by considerations of the probability and desirability of consequences, and propose that conscious thought about consequences plays some role in guiding risky behaviour. The model proposed by [27] postulates that the antecedents of a stakeholder s choice process are the stakeholder s perceptions of several factors such as availability and usability of safe practices, probability of negative consequences, significance of negative consequences, ease of recovery, and beliefs regarding peer behaviour. The stakeholder's perceptions of these factors are formed based on the knowledge of the stakeholder about the factors constructed from various information sources such as training attended, news and media, through communication from peers and friends, policies and procedures as well as personal experience. [45] in their study to explain privacy disclosure behaviour on social network sites combine theory of planned behaviour (TPB) [46] with privacy calculus theory [47]. [46] suggests that behaviour can be explained by behavioural beliefs, normative beliefs, and self-efficacy as antecedents of attitudes, subjective norms, and perceived behavioural control, respectively. This finding may also be relevant to the use of information security countermeasures; that is, if the stakeholder perceives the value of information they are handling as high they might equally see the need for the protection of the information as high. Although there has been much research on this issue, the question why stakeholders engage in risky behaviour is still valid and perplexes researchers. Providing answers to this question will help information security personnel in their quest to improve the situation. To better understand stakeholder decision making on behaviour in the context of information security, we present in this paper an interpretative model that seeks explanation from a different perspective to that investigated by other researchers. The model assumes that the decision made by stakeholders on their compliance behaviour is relative to a perceived value they assign to the information. PROPOSED MODEL A preliminary interpretative model is proposed, which describes the possible relationship between stakeholders behaviour with information security countermeasures and the process of assigning value to information, particularly towards the compliance with information security policies (ISP). The proposed model, which is depicted in figure 1, comprises two main components; the inner circles and the outer square tabs. FIGURE 1. Proposed interpretive model for the study

5 The inner circles depict the process of how stakeholders form their information security compliance behaviour. The assumption is that it starts with a stakeholder assigning value to the information they are working with. At this stage, the value is based on the stakeholder s perceived assessments of existing situations and knowledge. The assigned value of the information or information value translates into the stakeholder s information security behaviour." In the next half of the cycle, existing information security behaviours are predicted to influence the actual value of the information. These representations in turn feed into commonly accepted information value. The cycle of value assigning process is predicted to be significantly influenced by four major variables: importance metrics, security metrics, value dimensions and cultural impacts. The outer square tabs represent the various level of stakeholders in an organisation that according to [35] will have a different view of the information valuation process and who may be differently influenced by the variables mentioned above as well as the management s objectives and structures. This model raises numerous issues regarding the relationships of its various components and its overall efficacy in predicting stakeholder behaviour. The model aims to help understand how stakeholders choose to behave towards compliance with information security countermeasures. It is believed that the value placed on information will have a significant impact on how stakeholders choose to behave. So, it is important to understand the process by which stakeholders perceive information value and how the perceived information value can influence and affect their decision to behave. Particularly, it is of interest to explore the mediating relationship of stakeholders perceived value of information with information security compliance. On the other hand, it is postulated that stakeholders actual behaviour towards information security compliance may significantly impact the value of information. Based on the assumptions outlined above, it is postulated, that stakeholder's perceived value of information will have a significant impact on how they judge to behave towards complying or not complying with information security countermeasures instigated to protect that information. It is also postulated that what stakeholders believe the value of the information to be will have an impact on how they choose to behave. This helps to derive the assumptions that the higher the perceived value of information, the higher the likelihood of compliance with information security countermeasures; conversely the better protection of information by stakeholders will have an impact on the perceived value of the information. It is also noted that other issues such as the importance and sensitivity of information, cultural factors, as well as other value dimensions, may have an impact on how value to information is created by the stakeholder. In the light of these findings, it is also the objective of this study to explore how these variables may influence the information value creation' process in an organisation. The value dimensions factors used in this study are factors that may influence stakeholders preference judgment as described by [48] in the context of consumer value creation towards satisfaction on product and services. [48] suggests that consumers construct value from different dimensions such as economic, social, altruistic and aesthetic value. The researchers believe that some of these dimensions of value would have a similar impact on stakeholders information security compliance decisions. 4.0 PILOT STUDY RESULTS AND DISCUSSION To begin investigating the validity of this framework, we have designed a two-phase study. In the initial phase, semi-structured interviews will be to explore the following questions: What is information value according to information security stakeholders and how is it being signified? What value creating processes and value creation activities might significantly influence perceived value? What is the impact of perceived information value on stakeholders information security behaviour? What is the impact of actual value of the information on the perceived information value? What is the impact of organisational and national culture on how stakeholders appreciate information value?

6 Before carrying out the data collection interviews a series of pilot interviews were carried out. The purpose of the pilot interviews was to benchmark or be a testing ground' to measure the feasibility of the interview structures and questions. Five Brunei government s staffs that are currently in the United Kingdom were interviewed. The pilot results show very positive indicators that support the model under investigation. The following is a summary of findings grouped under some common themes. Themes used are mostly pre-determined from the model but some surfaced during the analysis of the data. Value of information Responses for this theme indicate that the process of assigning value to information varies by the context in terms of how, where and why the information is being utilised. Some of the values assigned to information are categorised under monetary value, national security and self-esteem. These themes indicate the various dimensions that are considered important to the stakeholders; the less the information is perceived to have a beneficial effect for the respondents, the less attention is paid to its protection and security. The information that relates to the above categories is seen to have higher value than others. Importance Metrics The importance of information to the development of the respondent's work is also undeniable. Stakeholders are appreciative when they clearly recognize how information explicitly facilitates the accomplishment of their tasks. One way this is expressed, is in terms of the importance of information to help in securing promotion. Promotion is associated with being able to respect and handle information appropriately, and efficiency and effectiveness of rendering services. There is also a notion that indicates that importance of information relates to the level of responsibilities and hierarchical level in the organisation, for example, lower level staff such as clerks are seen to have less responsibility towards information as they are perceived as not to handle important data or information. Confidentiality and Sensitivity of Information Confidentiality and sensitivity of information are two themes that are seen to have great potential in influencing value assignment to information. Some information is considered to be sensitive because it concerns family dignity or national secrets, other types are considered sensitive because such information will cause confusion, havoc and fear when not handled and protected appropriately, which might end up in civil unrest. It is for these reasons that the respondents think that protection of such information become more important. Cultural Impacts Cultural norms that include peer pressure are also seen as factors that can influence how much stakeholders value information and information protection. Due to family ties and the feeling of responsibility people are willing to bend rules to share information or give access to others. Responding to a request by prominent person in the community for sensitive information is seen as a reason to breach rules, respecting ranks in some organisations is also another source of rule breaching. The belief that sharing is caring is seen as an embedded cultural value in this national context (Brunei Darussalam), and most of the time cannot be ignored. CONCLUSIONS AND FURTHER WORK The research is exploratory by nature and takes a pragmatic approach. Despite being at the early stage of the study, positive indications emerge in support of some of the assumptions in the interpretative model. This is evidenced from the responses of interviewees categorised into the various themes. On the other hand, evidence to support the assumption that "the actual behaviour performed by stakeholders will have an impact on the value of the information" does not clearly surface from the pilot results. This is an aspect that will be investigated in further detail in the next phase of the study. The initial findings from the pilot study provide support to carry on with the full-scale study. It is expected that more themes and patterns will emerge from the data collected in the full-scale study and would empirically populate the proposed interpretive model so that it may be used in facilitating predictions on stakeholders information security behaviour. The interviews for the next phase are planned to involve 46 employees at different levels of responsibilities from various government departments and institutions within the 12 government ministries in Brunei Darussalam. Three

7 levels of responsibilities as depicted by the model (square tabs) in figure 1 are chosen to be one of the demographic divisions of the interviewees. These are sub-categorised as IT/IS personnel, Information Owner/Manager (further sub-categorized as Manager and Supervisor) and general stakeholders. Where possible, one representative from each category in each ministry will be selected. REFERENCES [1] M. Gerber and R. Von Solms, Management of risk in the information age, Comput. Secur., vol. 24, no. 1, pp , Feb [2] J. Widman, 10 Massive Security Breaches, Information week Security, [3] E. Orna, Information strategy in practice. Gower Publishing Limited, 2004, p [4] T. H. Davenport and La. Prusak, Working Knowledge, how organizations mange what they know. USA: Harvard Business School Press, 2000, p [5] A. Mowshowitz, On the market value of information commodities. I. The nature of information and information commodities, J. Am. Soc. Inf. Sci., vol. 43, no. 3, pp , Apr [6] Rossouw von solms, Information Management & Computer Security Information security management ( 1 ): why information security is so important, Inf. Manag. Comput. Secur., vol. 6, no. 4, pp , [7] N. F. Doherty and H. Fulford, Aligning the information security policy with the strategic information systems plan, Comput. Secur., vol. 25, no. 1, pp , Feb [8] Y. Cherdantseva and J. Hilton, Information Security and Information Assurance. The Discussion about the Meaning, Scope and Goals., [Online]. Available: [Accessed: 14-Sep-2012]. [9] G. S. Dardick, Cyber Forensics Assurance, in Australian Digital Forensics Conference, [10] K. S. Wilson, Conflicts Among the Pillars of Information Assurance, IEE Comput. Soc., no. August, pp , [11] A. Adams and A. Sasse, User are not the enemy, Commun. ACM, vol. 42, no. 12, pp , [12] A. Beautement, M. A. Sasse, and M. Wonham, The Compliance Budget : Managing Security Behaviour in Organisations, Security, [13] S. El Aoufi, Economic Evaluation of Information Security, Vrije University Amsterdam, [14] M. Siponen, A. Vance, and R. Willison, New Insights for an Old Problem: Explaining Software Piracy through Neutralization Theory, MIS Q., vol. 34, no. 3, pp , [15] M. Fishbein and Ic. Ajzen, Predicting and Changing Behaviour: The Reasoned Action Approach. Tylor & Francis, 2011, p [16] P. Puhakainen and M. Siponen, Imporving employees compliance through information system security training: an action research study, MIS Q., vol. 34, no. 4, pp , [17] J. M. Stanton, K. R. Stam, P. Mastrangelo, and J. Jolton, Analysis of end user security behaviors, Comput. Secur., vol. 24, no. 2, pp , Mar [18] S. Kraemer, P. Carayon, and J. Clem, Human and organizational factors in computer and information security: Pathways to vulnerabilities, Comput. Secur., vol. 28, no. 7, pp , Oct [19] M. T. Siponen and H. Oinas-kukkonen, A review of Information Security Issues and Respective Contributions, DATA BASE Adv. Inf. Syst., vol. 38, no. 1, pp , [20] S. Pahnila, M. Siponen, and A. Mahmood, Which Factors Explain Employees Adherence to Information Security Policies? An Empirical Study, in Pacific Asia Conference on information system, [21] L. Muniandy and B. Muniandy, State of Cyber Security and the Factors Governing its Protection in Malaysia, Int. J. Appl. Sci. Technol., vol. 2, no. 4, pp , [22] Eric Savitz, Humans: The Weakest Link In Information Security - Forbes, pp , [23] B. Bulgurcu, C. Hasan, and I. Benbasat, Information security policy compliance: an empirical study of rationaly based beliefs and information security awareness, MIS Q. Exec., vol. 34, no. 3, pp , [24] G. Notoatmodjo, Exploring the Weakest Link : A Study of Personal Password Security, no. December, [25] J. V. Harrison, Enhancing network security by preventing user-initiated malware execution, Int. Conf. Inf. Technol. Coding Comput. - Vol. II, pp Vol. 2, 2005.

8 [26] M. A. Sasse, S. Brostoff, and D. Weirich, Transforming the weakest link a human/computer interaction approach to usable and effective security, BT Technol. J., vol. 19, no. 3, p. 122, [27] K. Aytes and T. Conolly, A Research Model for Investigating Human Behavior Related to Computer Security, in AMCIS 2003 Proceedings, [28] M. Chan, I. Woon, and A. Kankanhalli, Perceptions of Information Security at the Workplace : Linking Information Security Climate to Compliant Behavior Mark Chan National University of Singapore Irene Woon School of Computing, National University of Singapore Atreyi Kankanhalli School of Com, J. Inf. Priv. Secur., vol. 1, no. 3, pp , [29] T. Herath and H. R. Rao, Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness, Decis. Support Syst., vol. 47, no. 2, pp , May [30] P. Ifinedo, Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory, Comput. Secur., vol. 31, no. 1, pp , Feb [31] N. Mohamed and I. H. Ahmad, Information privacy concerns, antecedents and privacy measure use in social networking sites: Evidence from Malaysia, Comput. Human Behav., vol. 28, no. 6, pp , Nov [32] S. P. Rajh, Comparison of perceived value structural models, Mark. Sci. J. Crotia, vol. 24, no. 1, pp , [33] A. Eggert and W. Ulaga, Customer perceived value: a substitute for satisfaction in business markets?, J. Bus. Ind. Mark., vol. 17, no. 2/3, pp , [34] M. Siponen, S. Pahnila, and A. Mahmood, Factors Influencing Protection Motivation and IS Security Policy Compliance. IEEE, 2006, pp [35] E. Albrechtsen, A qualitative study of users view on information security, Comput. Secur., vol. 26, no. 4, pp , Jun [36] C. Chen, R. S. Shaw, and S. Yang, Mitigating Information Security Risks by Increasing User Security Awareness : A Case Study of an Information Security Awareness System, Inf. Secur., vol. 24, no. 1, pp. 1 14, [37] S. M. Furnell, M. Gennatou, and P. S. Dowland, A prototype tool for information security awareness and training, Logist. Inf. Manag., vol. 15, no. 5/6, pp , [38] S. Hansche, Designing a Security Awareness Program: Part 1, Inf. Syst. Secur., vol. 9, no. 6, pp. 1 9, Jan [39] ENISA, The new users guide: How to raise information security awareness (EN) ENISA [40] M. Siponen and A. Vance, Neutralization: New insights into the problem of employee information systems security policy violations, MIS Q., vol. 34, no. 3, pp , [41] E. M. Power, Developing a Culture of Privacy: A Case Study, vol. 5, no. 6. IEEE Computer Society, 2007, pp [42] R. Power and D. Forte, Case Study: a bold new approach to awareness and education, and how it met an ignoble fate, Comput. Fraud Secur., vol. 2006, no. 5, pp. 7 10, May [43] A. C. Yeo, M. Rahim, and Y. Y. Ren, Use of Persuasive Technology to Change End- Users IT Security Aware Behaviour : A Pilot Study, Int. J. Hum. Soc. Sci., vol. 4, no. 9, pp , [44] J. Shropshire, A. Johnston, M. Schmidt, and A. C. Johnston, Personality and IT security : An application of the five-factor model Personality and IT security : An application of the five-factor model, in AMCIS 2006 Proceedings, [45] X. Li and X. Chen, Factors Affecting Privacy Disclosure on Social Network Sites: An Integrated Model, 2010 Int. Conf. Multimed. Inf. Netw. Secur., pp , [46] I. Ajzen, The Theory of Planned Behavior, Organ. Behav. Hum. Decis. Process., vol. 50, pp , [47] E. F. Stone and D. L. Stone, Privacy in organizatios: theoretical issues, research findings, and protection mechanism, Management, vol. 8, pp , [48] Morris B. Holbrook, The Nature of Customer Value: An Axiology of Services in the Consumption Experience., in Service Quality: New Directions in Theory and Practice., R. Rust and R. Oliver, Eds. CA: Thousand Oaks, 1994, pp