Productive security: A scalable methodology for analysing employee security behaviours

SOUPS 2016 - 12th Symposium on Usable Privacy and Security

Volumn , Issue , 2019, Pages 253-270

  Beautement, Adam ^a   Becker, Ingolf ^a   Parkin, Simon ^a   Krol, Kat ^a   Angela Sasse, M ^a  

^a UNIVERSITY COLLEGE LONDON   (United Kingdom)

Author keywords

[No Author keywords available]

Indexed keywords

SCALABILITY; SECURITY SYSTEMS; SURVEYS;

LARGE SCALE DATA SETS; MULTI-NATIONAL COMPANIES; ORGANISATIONAL; SCENARIO-BASED; SECURITY MANAGEMENT; SECURITY MANAGER; SECURITY MEASURE; SECURITY POLICY;

PERSONNEL;

EID: 85075915934     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (33)

1. A. Adams and M. A. Sasse. Users are not the enemy. Communications of the ACM, 42(12):40-46, 1999.
2. J. Adams. Risk and morality: Three framing devices. Risk and morality:87-106, 2003.
3. E. Albrechtsen. A qualitative study of users' view on information security. Computers & security, 26(4):276-289, 2007.
4. E. Albrechtsen and J. Hovden. The information security digital divide between information security managers and users. Computers & security, 28(6):476-490, 2009.
5. A. Beautement, R. Coles, J. Griffin, C. Andronis, B. Monahan, D. Pym, M. A. Sasse and M. Wonham. Modelling the human and technological costs and benefits of USB memory stick security. Managing information risk and the economics of security:141-163, 2009.
6. A. Beautement, M. A. Sasse and M. Wonham. The compliance budget: managing security behaviour in organisations. In New Security Paradigms Workshop (NSPW), 2008, pages 47-58.
7. I. Becker, S. Parkin and M. A. Sasse. Combining qualitative coding and sentiment analysis: deconstructing perceptions of usable security in organisations. In. Learning from Authoritative Security Experiment Results (LASER). IEEE, San Jose, California, US, 2016.
8. O. Beris, A. Beautement and M. A. Sasse. Employee rule breakers, excuse makers and security champions: mapping the risk perceptions and emotions that drive security behaviors. In. NSPW. ACM, Twente, Netherlands, 2015.
9. J. M. Blythe, L. Coventry and L. Little. Unpacking security policy compliance: the motivators and barriers of employees' security behaviors. In Symposium On Usable Privacy and Security (SOUPS). USENIX Association, Ottawa, 2015, pages 103-122.
10. V. Braun and V. Clarke. Using thematic analysis in psychology. Qualitative research in psychology, 3(2):77-101, 2006.
11. B. Bulgurcu, H. Cavusoglu and I. Benbasat. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS quarterly, 34(3):523-548, 2010.
12. R. E. Crossler, A. C. Johnston, P. B. Lowry, Q. Hu, M. Warkentin and R. Baskerville. Future directions for behavioral information security research. Computers & security, 32:90-101, 2013.
13. J. D'Arcy, T. Herath and M. K. Shoss. Understanding employee responses to stressful information security requirements: a coping perspective. Journal of management information systems, 31(2):285-318, 2014.
14. G. Dhillon and J. Backhouse. Current directions in is security research: towards socio-organizational perspectives. Information systems journal, 11(2):127-153, 2001.
15. K. H. Guo, Y. Yuan, N. P. Archer and C. E. Connelly. Understanding nonmalicious security violations in the workplace: a composite behavior model. Journal of management information systems, 28(2):203-236, 2011.
16. C. Herley. So long, and no thanks for the externalities: the rational rejection of security advice by users. In New Security Paradigms Workshop (NSPW), 2009, pages 133-144.
17. I. Kirlappos, S. Parkin and M. A. Sasse. Shadow security as a tool for the learning organization. ACM SIGCAS Computers and Society, 45(1):29-37, 2015.
18. S. Pahnila, M. Siponen and A. Mahmood. Employees' behavior towards IS security policy compliance. In Annual Hawaii International Conference on System Sciences HICSS. IEEE, 2007, 156b-156b.
19. K. Parsons, A. McCormac, M. Butavicius, M. Pattinson and C. Jerram. Determining employee awareness using the human aspects of information security questionnaire (HAIS-q). Computers & security, 42:165-176, 2014.
20. SM for Software. Version 1.1. CMU/SEI-93-TR-024. Technical report. 1993.
21. S. L. Pfleeger, M. A. Sasse and A. Furnham. From weakest link to security hero: transforming staff security behavior. Jhsem, 11(4):489-510, 2014.
22. J. T. Reason. The human contribution: unsafe acts, accidents and heroic recoveries. Ashgate Publishing, Ltd., 2008.
23. K. Renaud. Blaming noncompliance is too convenient: what really causes information breaches? Security & privacy, IEEE, 10(3):57-63, 2012.
24. K. Renaud and W. Goucher. The curious incidence of security breaches by knowledgeable employees and the pivotal role a of security culture. In, Human Aspects of Information Security, Privacy, and Trust, pages 361-372. Springer, 2014.
25. H.-S. Rhee, C. Kim and Y. U. Ryu. Self-efficacy in information security: its influence on end users' information security practice behavior. Computers & security, 28(8):816-826, 2009.
26. N. Röder, M. Wiesche, M. Schermann and H. Krcmar. Why managers tolerate workarounds-the role of information systems, 2014.
27. M. Siponen, S. Pahnila and A. Mahmood. Employees' adherence to information security policies: an empirical study. In, New Approaches for Security, Privacy and Trust in Complex Environments, pages 133-144. Springer, 2007.
28. M. Siponen and A. Vance. Neutralization: new insights into the problem of employee information systems security policy violations. MIS quarterly, 34(3):487, 2010.
29. J. M. Stanton, K. R. Stam, P. Mastrangelo and J. Jolton. Analysis of end user security behaviors. Computers & security, 24(2):124-133, 2005.
30. M. A. Tariq, J. Brynielsson and H. Artman. The security awareness paradox: A case study. In IEEE/ ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), 2014, pages 704-711.
31. K.-L. Thomson and R. von Solms. Towards an information security competence maturity model. Computer fraud & security, 2006(5):11-15, 2006.
32. A. Tsohou, M. Karyda and S. Kokolakis. Analyzing the role of cognitive and cultural biases in the internalization of information security policies: recommendations for information security awareness programs. Computers & security, 52:128-141, 2015.
33. M. Workman, W. H. Bommer and D. Straub. Security lapses and the omission of information security measures: a threat control model and empirical test. Computers in human behavior, 24(6):2799-2816, 2008.