End-user IT Security Policy Compliance: A Confidence-Building Measures Approach

Transcription

1 End-user IT Security Policy Compliance: A Confidence-Building Measures Approach Abstract Research-in-Progress Emmanuel Ayaburi The University of Texas at San Antonio emmanuel.ayaburi@utsa.edu Corporate information systems security managers are continuously investing in the latest technical security tools to make their defenses against internal and external attacks on their information systems effective and efficient. However, these technical tools do not provide complete protection and organizations are experiencing a rise in security breaches. The cause of some security breaches are attributed to the actions of employees within the organization. Based on literature in international relations, this study advances four propositions to explain how end-user compliance with organizational information security policy (ISP) can be achieved using a confidence-building measures approach. The set of four propositions developed involve trust, prior notification of information system security initiative(s), disclosure of observed non-compliant behavior and promotion of compliant behavior. A laboratory experiment has been proposed as a methodology to assess these propositions. Keywords Compliance, confidence-building measures, information security policy. Introduction Advances in technology, the movement toward cloud based applications and the changing nature of cyber-attacks have converged to increase the risks posed by unintentional or deliberate non-compliance with organization laid down IT security protocols. End-user non-compliance has a direct bearing on the ability of organizations to reduce the risks posed by the full spectrum of cyber threats. Technology dependent organizations over the years have concerned themselves with implementation of the latest state-of-art security technology. However, negligent insiders are among the top causes of data breaches with an industry survey estimating that 39% of organizational data breaches are the result of insider actions (Symantec Corp & Ponemon Institute study, 2011). Until technologies are appropriately used and security policies complied with by users within the organization, the security goals of the firms are less likely to be met. Information security policy (ISP) compliance refers to users behaving in a manner consistent with provisions of the security policy covering the information assets of their organizations so as to achieve a secured information infrastructure (Padayachee 2012). ISP has been studied by a lot of people in academia and industry. Most studies on achieving user security compliance do so from the personality traits perspective (Padayachee, (2012); Sommestad et al. (2014); Siponen et al. 2010). Some of the personality traits identified as having an influence on compliant behavior include self-efficacy, personal beliefs or ethics and threat appraisal. Other studies have looked at environmental factors such as certainty of detection, severity of punishments and swiftness of punishment as having an effect on user compliance (Herath and Rao 2009; Son (2011). Some other studies have looked at the importance of trust in achieving better user compliance with security policy but little attention is paid to how trust in ISP can be developed (Colwill 2009). Trust increases employee affinity, loyalty, organizational culture stability and building of confidence in collective actions taken in the interest of the organization. This study extends from this stream of extant literature to look at how trust in organizational ISP can be built and sustained. Confidence in the actions of management and users holds the potential of strengthening the role of security policies in promoting compliance to the prescribed use of organization information technology

2 infrastructure. Confidence-Building Measures (CBM) consist of activities or measures taken by interested parties to minimize or prevent uncertainties before, during or after a conflict (Chevrier 1998). This concept has been used to achieve compliance from states or governments to an agreed security plan. This study adopts the approach of CBM to investigate user information system security policy compliance behavior. Specifically, the goal of this study is to investigate factors that influence effective user compliance with implementation of information system security policy from a confidence-building measures perspective. Therefore this study seeks answers to the following questions: RQ1: Through what mechanism(s) can end-users trust in ISP be accomplished? RQ2: What is the effect of user trust in ISP on ISP compliance? The rest of the study is structured as follows; next will be a review of the literature on user compliance, followed by the development of user compliance model from CBM perspective and in conclusion will be plans for future testing of the model proposed in this study. Literature Review Previous studies in information technology and security have applied many prominent and useful theories to explain various individual behavior and organizational security policy development. Some of these theories include fear appeals, protection motivation theory and theory of reasoned action (Sommestad et al. 2014). Using theories of protection motivation, deterrence, rewards, innovation diffusion and reasoned action, Siponen et al. (2010) empirically identified normative beliefs, threat appraisal, self-efficacy, visibility, deterrence and reward as factors positively influencing employees compliance with security policies. Some user behaviors that influence effectiveness of information system security in organizations include intentional destruction, detrimental misuse, dangerous tinkering and naïve mistakes (Stanton et al. 2005). A number of research studies have further examined motivators that influence employee intension to comply with workplace security policies. Herath and Rao (2009) conducted an empirical study of employees from 77 organizations and concluded that severity of penalty, certainty of detection, normative belief, peer behavior and perceived effectives of the policies are the motivating factors that encourage employee intention to comply with organizational ISP. Trust has also been used as theoretical framework in some studies to evaluate security behavior. In the organizational context, employees compliance with ISP is based on trust which is achieved through cooperation between management and employees (Furnell and Rajendran 2012). Therefore, this study specifically leverages trust development concepts to model a process of gaining individual trust and positive attitude towards security policy compliance. To do this end, this study extends research from extant literature on security compliance in information systems to adopt the concept of Confidence- Building Measures (CBM) from international relations to study user compliance with ISP. CBM have been used in many circumstances such as in the India-Pakistan conflict, Middle East peace process and Egyptian-Israeli peace treaty to build trust and ensure compliance by parties to the agreed security policies (Ahmed 1998). Despite the importance of CBM in international relations literature, very little research in information system security has explored this mechanism to understand user security compliance behaviors. Some instances where CBM has been used in the information system arena is in the discussion on cooperation between nations in achieving secure national cyberspace (Stauffacher and Kavanagh 2013; Pernik 2014). This study focuses on end-users within the organization where little CBM has been applied. Model Development - Confidence Building Measures (CBM) Confidence-Building Measures (CBM) is an assortment of activities that states engage in to become more sure that each understands the true actions and/or intentions of the other (Chevrier 1998, pg. 1). The primary goal of CMB as originally introduced in the 1970s is to reduce the risk of armed conflicts by building trust and reducing misperceptions and miscalculations of activities. CBM influences the perceptions of one party about the intension of the other party and not its capabilities. CBM has been extensively used in international relations and conflict mediation and it can usefully be applied in other spheres where trust is essential in building or repairing some relationship problems. Confidence is the belief that future outcomes will fall in line with expectations because one places the responsibility (trust) on the entity taking the action. Participants in an agreement who effectively build goodwill at the start of a

3 process will be more willing to see the process through completion because of culture of compliance to agreed principles. Participating States in the Helsinki 1975 Conference on Security and Co-Operation in Europe on confidence-building measures to promote security, justice, peace and cooperation adopted the following: prior notification of major military maneuvers, prior notification of other military maneuvers, and prior notification of major military movements and exchange of observers (Hänggi 2002) as important factors needed to build confidence and achieve a secured Europe. In the organizational setting these could easily translate to transparency, cooperative and stability measures which help maintain an open and secured working environment (Stauffacher and Kavanagh 2013). CMB involves three main actors; designers of the policies, deciders of the policies and all those affected by the policies. Similarly, in the information security setting we have the ISP developers, managers as deciders of the policies and all employees connected in any way to the information system infrastructure. CBM aims to improve relations, signal positive intension and commitment by helping build working trust (Mason and Siegfried 2013). CBM are low risk or low cost mechanism for building confidence and achieving compliance with agreed policies. The objectives of most CBMs are to reduce the causes for mistrust, fear, tensions and hostilities (Pfeiffer 1982). This can help party s gain reliable reciprocity in gestures or actions which maintained a secured environment. These measures help in the exchange of communication and information which aids in validating actions taken my parties. This could result in increased trust in policies. In a seminar organized by ASEAN Regional Forum in September 2012 on Confidence Building Measures in Cyberspace, it was recognized that information security can be addressed through three fronts; capacity building (technical), norm building (personality traits) and confidence building (compliance) 1. Some of the CBMs discussed included exchange of information and terminologies, joint exercises and developing agreements. Whether ISPs are binding or non-binding, deliberated attempts must be made to build confidence in them since sheer compliance by association is difficult to achieve. The use to CMB to build confidence in ISP is therefore not out of place. The goal of any ISP is to provide protection against careless system use with unintended consequences, preventing malicious outsiders and insiders from abusing the organizational information system infrastructure and adhering to regularity requirements (Bowen et al. 2006, page 2). This calls for active cooperation between security managers and employees to build a safe security culture. Prior Notification of Information Systems Security Initiative Prior notification is the disclosure of details of any planned activity that can clarify party s intensions and capabilities before the activity is carried out. CBM as gestures of goodwill can be used to signal intent and gain trust from other party (Landau and Landau 1997). Defects in software used in an organization might require end-user action to implement a patch. Some systems in the network can go for long periods of time without being patched. This exposes the whole network to potential attack. Defensive information security which focuses on reactive measures such as patching software and fixing system vulnerabilities might require the active participation of end users. Although an organization s ISP might require endusers to actively take part in the patching process, end-users may fail to do so because they have not received any information regarding the act and intension of the process that they are involved in. Therefore, a full disclosure of the when and why a certain defensive security measure is put in place prior to its actual execution can win the active cooperation of end-users to ensure it is successfully implementation. Thus, Proposition 1: Prior notification of information systems security initiative(s) has a positive effect on user trust in actions required of them in organizational ISP. Disclosure of Non-compliant Behavior A common approach in CBM is symmetrical information exchange which gives parties the assurance that their gestures will be reciprocated resulting in more emboldened significant actions to comply with policies (Landau and Landau 1997). Successful implementation of an organization s ISP require open communication between the implementing unit and beneficiary unit as measures implemented in secrecy might be misconstrued as violation of a user security and privacy rights. Disclosure of observed noncomplaint behavior raises the level of awareness and increases trust in the sincerity of management to 1 :

4 maintain a secured organizational information system. For example the sharing of information about phishing attacks in the organization, provides employees the awareness they need to avoid going against company policy that prohibits employees from opening suspicious attachments. Hence, Proposition 2: Disclosure of information system security non-complaint behavior(s) has a positive effect on user trust in actions required of them in organizational ISP. Promotion of Security Compliant Behavior It goes without saying that one good deed begets another. Reciprocity is when actions or measures taken my one party lead to a similar and equal action taken by the other party (Pernik 2014). A promise to conduct an action does not necessarily build trust. Positive experiences from actual actions that have been subjected to assessment are essential in building confidence (Pfeiffer 1982). Trust promotes cooperative behavior while suspicion gives rise to competitive behavior. Employees who have experienced cooperative behavior from their peers and management are more likely to respond cooperatively when they have the power to determine an outcome. Cooperative response is an example of reciprocity. Increased transparency in the development and implementation of security policies increases participants honesty and reliability on such measures. Active promotion of security knowledge and encouragement of breach reportage are examples of behaviors that elicit reciprocity in organizations. When management actively promote security knowledge by introducing employees to the latest security measures and shares with employees organizational or industry information about security breaches, employees will most likely reciprocate by sharing any detected breach or suspicious behavior within the organization which are likely to compromise the security of the information infrastructure. Proposition 3: Active promotion of compliant security behavior has a positive effect on user trust in actions required of them in organizational ISP. Trust and Compliance ISP compliance refers to users behaving in manner consistent with provisions of the security policy so as to achieve a secured information infrastructure (Padayachee 2012). A complaint behavior on the part of employees will become a habit if the employees trust in the ability of their actions to achieve the desired goals in a security policy. Despite varied definitions of trust in literature, this study adopts Jјsang and Presti (2004) definition; Trust is the extent to which a given party is willing to depend on something or somebody in a given situation with a feeling of relative security, even though negative consequences are possible pg 1. The existence of trust in a social setting has been acknowledged to be vital for cooperative behavior. Lack of trust in a system or management increases the risk exposure of such systems as they can be subject to abuse. Trust influences actions, responses, increases affinity and loyalty to organization and stabilizes organizational culture (Colwill 2009) which goes a long way to create high security alertness on the part of employees. Increase in trust will strengthen one s belief in the actions required to achieve an intended goal. This consequently builds an end-user s confidence in a system which might result in complaint behavior. Thus, Proposition 4: User trust in organization ISP has a positive effect on user compliance with organization ISP.

5 Disclosure of Noncompliance IS Security Behavior Prior Notification of IS Security Initiative User Trust in ISP Promotion of Compliance IS Security Behavior User Compliance with ISP Figure 1. Research Model Future Research and Concluding Comments Despite the adaption of the concepts of prior notification of information system security initiatives, disclosure of non-compliant behavior and promotion of compliant behavior from CBM as mechanisms for building user trust and subsequent compliance with organization ISP, further empirical testing of the propositions advanced in this study is needed. An empirical examination of the above model will test the utility of CMB as a mechanism for achieving employee compliance with ISP. The above propositions will be tested in a future study through a laboratory experimental methodology since the construct of interest is end-user compliance and not their intension to comply. The experiment will be executed with students in a laboratory with a simulated organization environment where end-users will be brief on a security policy and the construct of interest will be manipulated while compliant behavior of subjects will be monitored and measured. There are limitations to this study as confidence is not the only means of gaining trust. It will therefore be appropriate to investigate other antecedents of trust such as ability, benevolence and integrity (Söllner and Leimeister 2013) alongside constructs from CMB to understand how they influence compliance with ISP. Some theoretical contribution of this research is the introduction of the concept of CMB into information system security policy compliance domain. This provides insight into how security manager can facilitate the achievement of a relatively secured information system infrastructure. REFERENCES Ahmed, M Confidence-building measures between Pakistan and India: An argument for change. Contemporary South Asia, 7(2), Bowen, P., Hash, J. and Wilson, M SP Information Security Handbook: A Guide for Managers. Chevrier, M. I Doubts about confidence: the potential and limits of confidence-building measures for the Biological Weapons Convention, Biological Weapons Proliferation: Reasons for Concern, Courses of Action, Stimson Center Report (24), pp Colwill, C Human factors in information security: The insider threat Who can you trust these days?, Information Security Technical Report (14:4), pp (doi: /j.istr ). Europe, C.-O. I Conference on Security and Co-Operation in Europe Final Act. Journal of Communication, 135. Furnell, S., and Rajendran, A Understanding the influences on information security behaviour, Computer Fraud & Security (2012:3), pp

6 Hänggi, H Good governance of the security sector: its relevance for confidence building, Practical Confidence-Building Measures: Does Good Governance of the Security Sector Matter, pp Herath, T., and Rao, H. R Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness, Decision Support Systems (47:2), pp (doi: /j.dss ). Jјsang, A., and Presti, S. L. (n.d.). Analysing the Relationship between Risk and Trust,. Landau, D., and Landau, S Confidence-building measures in mediation, Mediation Quarterly (15:2), pp Mason, S. J., and Siegfried, M. (n.d.). Confidence Building Measures (CBMs) in Peace Processes, Geneva: Humanitarian Dialogue Centre (available at 06de4-891e-4acb-b58fa8b /en/_AU+Handbook_Confidence+Building+Measures+in+Peace+Processes.pdf). Padayachee, K Taxonomy of compliant information security behavior, Computers & Security (31:5), pp (doi: /j.cose ). Pernik, P. (2014). Advancing Confidence Building in Cyberspace: Sub-Regional Groups To Lead The Way. International Centre for Defence Studies ISSN Pfeiffer, G. (1982) "Comprehensive Study on Confidence-building Measures". UN Report Siponen, M., Pahnila, S., and Mahmood, M. A Compliance with information security policies: An empirical investigation, Computer (43:2), pp Söllner, M., and Leimeister, J. M What We Really Know About Antecedents of Trust: A Critical Review of the Empirical Information Systems Literature on Trust, (available at Sommestad, T., Hallberg, J., Lundholm, K., and Bengtsson, J Variables influencing information security policy compliance: A systematic review of quantitative studies, Information Management & Computer Security (22:1), pp (doi: /IMCS ). Son, J.-Y Out of fear or desire? Toward a better understanding of employees motivation to follow IS security policies, Information & Management (48:7), pp (doi: /j.im ). Stanton, J. M., Stam, K. R., Mastrangelo, P., and Jolton, J Analysis of end user security behaviors, Computers & Security (24:2), pp (doi: /j.cose ). Stauffacher, D. & Kavanagh, C Confidence Building Measures and International Cybersecurity ICT4Peace Publishing, Geneva. capacity/system/files/ict4peace%20- %20International%20Dialogue%20on%20CBMs%20and%20International%20Cyber%20Security.pdf