Information security awareness: Its antecedents and mediating effects on security compliant behavior

International Conference on Information Systems (ICIS 2013): Reshaping Society Through Information Systems Design

Volumn 3, Issue , 2013, Pages 2222-2237

  Haeussinger, Felix J ^a   Kranz, Johann J ^a  

^a UNIVERSITY OF GÖTTINGEN   (Germany)

Author keywords

Information security awareness; Information security behavior; Information security policy; Information security training

Indexed keywords

BEHAVIORAL INTENTION; COMPLIANT BEHAVIOR; INFORMATION SECURITY AWARENESS; INFORMATION SECURITY POLICIES; INFORMATION SECURITY TRAININGS; MEDIATING EFFECT; MEDIATING ROLES; SECURITY ISSUES;

INFORMATION SYSTEMS; SECURITY SYSTEMS;

SECURITY OF DATA;

EID: 84897802746     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (57)

1. AIRC. 2008. Attack Intelligence Research Center Annual Threat Report: 2008 Overview and 2009 Predictions, Attack Intelligence Research Center, Alladin Knowledge Systems, Belcamp, MD (available online at http://www. aladdin. com/pdf/airc/AIRC-Annual-Threat-Report2008. pdf).
2. Ajzen, I. 1991. "The Theory of Planned Behavior, " Organizational Behavior and Human Decision Processes (50: 2), pp. 179-211.
3. Anderson, J. C., and Gerbing, D. W. 1988. "Structural equation modeling in practice: A review and recommended two-step approach, " Psychological Bulletin (103: 3), pp. 411-423.
4. Bassellier, G., Benbasat, I., and Reich, B. H. 2003. "The influence of business managers' IT competence on championing IT, " Information Systems Research (14: 4), pp. 317-336.
5. Bandura, A. 1986. Social foundations of thoughts and action: a social cognitive theory, Englewood Cliffs, NJ: Prentice Hall.
6. Baron, R. M., and Kenny, D. A. 1986. "The moderator-mediator variable distinction in social psychological research: Conceptual, strategic and statistical considerations, " Journal of Personality and Social Psychology (51: 6), pp. 1173-1182.
7. Bhattacherjee, A., and Premkumar, G. (2004). "Understanding Changes in Belief and Attitude toward Information Technology Usage: A Theoretical Model and Longitudinal Test, " MIS Quarterly, (28: 2), pp. 229-254.
8. Boss, S., Kirsch, L., Angermeier, I., Shingler, R., and Boss, R. 2009. "If Someone Is Watching, I'll Do What I'm Asked: Mandatoriness, Control, and Information Security, " European Journal of Information Systems (18: 2), pp. 151-164.
9. Brown, S. A., and Venkatesh, V. 2005. "Model of adoption of technology in households: A baseline model test and extension incorporating household life cycle, " MIS Quarterly (29: 3), pp. 399-426.
10. Bulgurcu, B., Cavusoglu, H., and Benbasat, I. 2010. "Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness, " MIS Quarterly, (34: 3), pp. 523-A527.
11. Cavusoglu, H., Mishra, B., and Raghunathan, S. 2004a. "A Model for Evaluating IT Security Investments, " Communications of the ACM (47: 7), pp. 87-92.
12. Chan, M., Woon I., and Kankanhalli A. 2005. "Perceptions of information security at the workplace: linking information security climate to compliant behavior, " Journal of Information Privacy and Security (1: 3), pp. 18-41.
13. Chin, W. W. 1998. "The partial least squares approach for structural equation modeling, " Modern Methods for Business Research, G. A. Marcoulides (Hrsg.). Mahwah, New York: Lawrence erlbaum associates Publishers, pp. 295-336.
14. Crossler, R. E. and Bélanger, F. 2006. "The effect of computer self-efficacy on security training effectiveness, " in Proceedings of the 3rd annual conference on information security curriculum development, ACM Press, New York, USA, pp. 124-129.
15. D'Arcy, J., Hovav, A., and Galletta, D. 2009. "User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach, " Information Systems Research (20: 1), pp. 79-98.
16. Diamantopoulos, A., and Winklhofer, H. M. 2001. "Index construction with formative indicators: An alternative to scale development, " Journal of Marketing Research (38: 2), pp. 269-277.
17. Dinev, T., and Hu, Q. 2007. "The centrality of awareness in the formation of user behavioral intention toward protective information technologies, " Journal of the Association for Information Systems (8: 7), pp. 386-408.
18. Ernst and Young 2003. Global Information Security Survey, New York, http://www. Security management. com/archive/library/EY_Survey1103. pdf.
19. Fishbein, M., and Ajzen, I. 1975. Belief, attitude, intention, and behavior: An introduction to theory and research, Reading: Addison-Wesley.
20. Fornell, C., and Larcker, D. F. 1981. "Evaluating structural equation models with unobservable variables and measurement error, " Journal of Marketing Research (18: 1), pp. 39-50.
21. Frank, J., Shamir, B., and Briggs, W. 1991. "Security-related behavior of pc users in organizations, " Information and Management (21: 3), pp. 127-135.
22. Fulk, J., Steinfield, J., and Power, G. 1987. "A scoial information processing model of media in organizations, " Communication Research (14: 5), pp. 529-552.
23. Furnell, S. M. 2006. "Remote pc security: Securing the home worker, " Network Security (11), pp. 6-12.
24. Gaston, S. J. 1996. Information security: Strategies for successful management, Toronto: CICA Publishing.
25. Galvez, S. M., and Guzman, I. R. 2009. "Identifying Factors that Influence Corporate Information Security Behavior. " in Americas Conference on Information Systems (AMCIS), Paper 765.
26. Gefen, D., and Straub, D. 2005. "A practical guide to factorial validity using PLS-graph: Tutorial and annotated example, " Communications of the AIS (16: 1), pp. 91-109.
27. Hair, J. F., Anderson, R. E., Tatham, R. L., and Black, W. C. 1998. Multivariate data analysis, Englewood Cliffs, NJ: Prentice Hall.
28. Herath, T., and Rao, H. R. 2009a. "Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness, " Decision Support Systems (47: 2), pp. 1-12.
29. Herath, T., and Rao, H. G. 2009b. "Protection motivation and deterrence: A framework for security policy compliance in organisations, " European Journal of Information Systems (18: 2), pp. 106-125.
30. Jarvis, C., Mackenzie, S., and Podsakoff, P. 2003. "A critical review of construct indicators and measurement model misspecification in marketing and consumer research, " Journal of Consumer Research (30: 2), pp. 199-218.
31. Leach, J. 2003. "Improving user security behavior, " Computers & Security (22: 8), pp. 685-693.
32. Lee, J. and Lee, Y. 2002. "A holistic model of computer abuse within organizations, " Information Management and Computer Security, (10: 2), pp. 57-63.
33. Lee, S. M., Lee, S. G., and Yoo, S. 2004. "An integrative model of computer abuse based on social control and general deterrence theories, " Information Management (41: 6), pp. 707-718.
34. Lindell, M. K., and Whitney, D. J. 2001. "Accounting for common method variance in cross-sectional research designs, " Journal of Applied Psychology, (86: 1), pp. 114-121.
35. Loch, K. D., Straub, D. W., and Kamel, S. 2003. "Diffusing the internet in the Arab world: The role of social norms and techological culturation, " Engineering Management (50: 1), pp. 45-63.
36. Moore, G. C., and Benbasat, I. 1991. "Development of an instrument to measure the perceptions of adopting an information technology innovation, " Information Systems Research (2: 3), pp. 192-222.
37. Ng, B. Y., and Rahim, M. A. 2005. "A socio-behavioral study of home computer users' intention to practice security, " in Proceedings of the 9th Pacific Asia Conference on Information Systems, Bangkok, Thailand.
38. NIST 2003. "Building an information technology security awareness and training program, " M. Wilson (eds.), Gaithersburg: National Institute of Standards and Technology, NIST Special Publication, pp. 800-50, retrieved from http://csrc. nist. gov/publications/nistpubs/.
39. Pahnila, S., Siponen, M., and Mahmood, A. 2007. "Employees' Behavior Towards Is Security Policy Compliance, " Proceedings of the 40th Annual Hawaii International Conference on System Sciences, pp. 156-166.
40. Petter S., Straub D., and Rai, A. 2007. "Specifying formative constructs in information systems research, " MIS Quarterly (31: 4), pp. 623-656.
41. Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y., and Podsakoff, N. P. 2003. "Common method biases in behavioral research: A critical review of the literature and recommended remedies, " Journal of Applied Psychology, (88: 5), pp. 879-903.
42. Rezgui, Y., and Marks, A. 2008. "Information security awareness in higher education: An exploratory study, " Computers & Security (27: 7-8), pp. 241-253.
43. Rhee, H.-S., Kim, C., and Ryu, Y. U. 2009. "Self-efficacy in information security: Its influence on end users' information security practice behavior, " Computers & Security (28: 8), pp. 1-11.
44. Ringle, C. M., Wende, S., and Will, A. 2005. Smartpls. Hamburg, Germany: SmartPLS.
45. Rotvold, G. 2008. "How to create a security culture in your organization. " The Information Management Journal (42: 6), pp. 32-38.
46. Siponen, M. 2000. "A conceptual foundation for organizational information security awareness, " Information Management and Computer Security (8: 1), pp. 31-41.
47. Siponen, M., Mahmood, M. A., and Pahnila, S. 2009. "Are employees putting your company at risk by not following information security policies?" Communications of the ACM (52: 12), pp. 145-147.
48. Siponen, M., and Vance, A. 2010. "Neutralization: New insight into the problem of employee information systems security policy violations, " MIS Quarterly (34: 3), pp. 487-502.
49. Sobel, M. 1982. "Asymptotic intervals for indirect effects in structural euquation models, " Sociological methodology. Leinhart, S. (e. d.). San Francisco: Jossy-Bass, pp. 290-312.
50. Spears, J. 2006. "The effects of user participation in identifying information security risk in business processes, " in Proceedings of the 2006 ACM SIGMIS CPR conference on computer personnel research, pp. 351-352.
51. Spears, J. L., and Barki, H. 2010. "User participation in information systems security risk management, " MIS Quarterly (34: 3), pp. 503-522.
52. Stanton, J. M., Stam, K. R., Mastrangelo, P. R., and Jolton, J. 2005. "An analysis of end user security behaviors, " Computers & Security, (24: 2), pp. 124-133.
53. Straub, D. W., and Welke, R. J. 1998. "Coping with systems risk: Security planning models for management decision making, " MIS Quarterly (22: 4), pp. 441-469.
54. Symantec. 2009. Symantec Internet Security Threat Report: Trends for 2008, Symantec Corporation, Cupertino, CA (available online at http://eval. symantec. com/mktginfo/enterprise/white_papers/bwhitepaper_exec_summary_internet_security_threat_report_xiv_04-2009. en-us. pdf).
55. Thomson, M. E., and von Solms, R. 1998. "Information security awareness: Educating your users effectively, " Information Management and Computer Security (6: 4), pp. 167-173.
56. Tsohou, A., Kokolakis, S., Karyda, M., and Kiountouzis, E. 2008. "Investigating information security awareness: Research and practice gaps, " Information Security Journal: A Global Perspective (17: 5-6), pp. 207-227.
57. Tsohou, A., Karyda, M., Kokolakis, S., and Kiountouzis, E. 2010. "Aligning security awareness with information systems security management, " Journal of Information System Security (6: 1), pp. 36-54.