Monday 29 June 2009

If someone is watching, I'll do what I'm asked: ...

... mandatoriness, control, and information security

an article by Scott R Boss (Bentley University), Laurie J Kirsch (University of Pittsburgh), Ingo Angermeier (Spartanburg Regional Medical Center), Raymond A Shingler (Spartanburg Regional Medical Center) and R Wayne Boss (University of Colorado at Boulder) in European Journal of Information Systems (2009)

An earlier version of this paper was presented in Montreal, Quebec, Canada at the International Conference on Information Systems, 2008

Abstract

Information security has become increasingly important to organisations. Despite the prevalence of technical security measures, individual employees remain the key link – and frequently the weakest link – in corporate defences. When individuals choose to disregard security policies and procedures, the organisation is at risk. How, then, can organisations motivate their employees to follow security guidelines? Using an organisational control lens, we build a model to explain individual information security precaution-taking behaviour. Specific hypotheses are developed and tested using a field survey. We examine elements of control and introduce the concept of “mandatoriness”, which we define as the degree to which individuals perceive that compliance with existing security policies and procedures is compulsory or expected by organisational management. We find that the acts of specifying policies and evaluating behaviours are effective in convincing individuals that security policies are mandatory. The perception of mandatoriness is effective in motivating individuals to take security precautions, thus if individuals believe that management watches, they will comply.


No comments: