D. Study II: Information Security Awareness: Its Antecedents and Mediating
2 Background
3.1 Institutional Antecedents of ISA
Institutional antecedents refer to an organization’s security management practices. In the ISS literature, these factors are often summarized under the term “management support” (Chan et al. 2005). The greater the management support, the more resources are available for security issues (Kankanhalli et al. 2003, Herath and Rao 2009b).
Scholars have emphasized that reasonable resources for security management are essential for establishing sufficient levels of security awareness among employees (Tsohou et al. 2009). Reviewing the ISS literature carefully, SETA programs and information security policy provision (ISP provision) are identified as vital institutional factors that can have an impact on employees’ ISA.
3.1.1 Information Security Policy Provision
The development of corporate ISPs is a primary resource of ISS management practices (Chan et al. 2005). A policy in general is defined as ‘‘a course of action, guiding principle, or procedure considered expedient’’ (Houghton Mifflin 2000). In the context of organizational information security, an ISP can be broadly defined as statements by an organization providing guidance about ISS-related responsibilities, rules, and guidelines that prescribe how IS resources are to be used properly and securely (Whitman et al. 2001, Whitman 2008, D'Arcy et al. 2009).
Prior research offers contradictory results with regard to the effect of ISPs. While many studies found corporate ISPs to be effective for preventing IS misuse behavior, others revealed that the existence of an ISP had only limited influence on ISS-related behavior.
D’Arcy et al. (2009), for example, found corporate ISPs to be effective for preventing IS misuse behavior in organizations, and ascribed this effect to deterrence mechanisms of ISPs comparable to the mechanisms of societal laws. Similarly, Straub and Nance (1990) discovered policies and guidelines that specify rules for proper use of information systems to be one of security management’s most effective deterrence measures against computer abuse. Kwon and Johnson (2011) gathered qualitative and quantitative data from IT managers of 250 healthcare organizations, and found that IS security policies were positively associated with the security performance of the organizations. Conversely, the literature also provides studies in which ISPs could not be proved to positively influence information security behavior (Foltz 2000, Wiant 2003, Lee et al. 2004). Such inconsistent results, the literature argues, are due to employees’ lack of awareness of security policies (Thomson and von Solms 1998, Siponen 2000).
In this respect, scholars emphasize that the “simple” existence of ISPs is not enough, and highlight the importance of promoting ISPs and ensuring that they are comprehensible, easily available, and understandable. These aspects for effectively promoting ISPs are summarized here under the term ISP provision. There is broad empirical evidence that ISP provision is positively associated with security related behavior. For example, Chan et al. (2005) found that making ISPs readily available for employees’ reference, as part of security management practices, is positively associated with their policy compliance behavior. Similarly, Siponen et al. (2009) found that the visibility of policies plays an important role in employees’ compliance with organizational security policies. Herath and Rao (2009b) also showed that ISPs should be made easily accessible and available to employees online, and should furthermore be written in a clear and understandable way, as this has positive effects on the intention to comply. However, none of these studies investigated ISA. Based on the definition of ISA, it is claimed in this thesis that the reported positive direct effects of ISP provision on behavioral intention are largely a result of an increase in employees’ awareness regarding ISP, and therefore also of security issues in general. This argument is consistent with the notion of D'Arcy and Hovav (2007b), who state that to enhance the individual’s awareness of security policies, these should be available online and phrased in a manner that is easy to understand. The rationale employed here is that promoting easily accessible and comprehensible ISPs firstly raises employees’ contextual awareness and knowledge, and secondly the situational intention to comply. Accordingly, it is contended in this study/thesis that ISA at least partially mediates the positive effect of ISP provision on security compliant behavior. Hence,
Hypothesis 2a: ISP provision positively influences employees’ level of ISA.
Hypothesis 2b: ISA mediates the positive effects of ISP provision on the intentions to comply with ISPs.
3.1.2 SETA Programs
The mere existence of an ISP does not guarantee that employees internalize and comprehend it (Whitman 2003, Herath and Rao 2009a). Thus, once an organization has developed an ISP, its content, rules and specifications need to be communicated and trained throughout the organization’s employees and IS users (Rotvold 2008).
Institutional security education, training, and awareness raising programs, typically referred to as SETA programs, are the most important and qualified instrument for this purpose, and accordingly are one of the major ISS management resources (e.g., Chan et al. 2005, Puhakainen 2006, D'Arcy et al. 2009). In practice and in the literature there exists a great variety of designs, methods, and nomenclatures of institutional security training activities. Examples of these practices include the explanation of ISPs (Straub and Welke 1998), periodic newsletters, emails and presentations concerning ISS-relevant issues (Spurling 1995, Herath and Rao 2009a), ISS workshops and seminars (Thomson and von Solms 1998), providing posters, flyers, and lectures (Crossler and Bélanger 2006), supporting online and computer-based learning (Chen et al. 2006), and periodic security refresher courses (Hansche 2001a, von Solms and von Solms 2004).
SETA programs aim to improve organizational information security by increasing employees’ knowledge and awareness of potential security risks, policies, and responsibilities. Furthermore, they aim at providing employees with the skills necessary to comply with organizational ISS procedures (Straub and Welke 1998, Whitman et al. 2001, Lee and Lee 2002, D'Arcy et al. 2009). Thus, SETA programs intend to sensitize employees to the value of ISS, as well as to qualify them for security conscious use of organizational information resources.
Several studies provided evidence that SETA programs are an essential building block of security management and that they influence information security behavior positively.
For example, Straub and Welke (1998) and Chan et al. (2005) empirically proved that SETA programs, being part of security management practices, lead to greater intentions on the part of employees to comply with ISPs. Jenkins et al. (2010) designed an experiment which showed that training videos significantly increased employees’ security password policy compliance. Other studies argue that SETA programs promote an individual’s self-efficacy or perceived behavioral control regarding a related topic (Bandura 1989), which have been frequently proven to be essential prerequisites of ISS behavior (Lee et al. 2008, Ng et al. 2009, Jenkins et al. 2010, Herath and Rao 2009b, Bulgurcu et al. 2010). Other studies based on GDT argue that SETA programs communicate the presence of sanctions for policy violations, and therefore have a significant influence on employee security behavior by improving their perception of the certainty and severity of those sanctions (Straub and Welke 1998, D’Arcy et al. 2009). In addition, scholars emphasize the role of SETA programs in raising employees’ ISA (e.g., Straub and Welke 1998, D’Arcy et al. 2009). Siponen et al. (2009) state that security education helps employees to become aware of and develop an interest in security issues. They also contend that SETA programs raise employees’ consciousness of the vulnerability of their organization to ISS threats. As the primary goals of SETA programs are ISS education, training, and awareness, it is contended here that these programs have a positive impact on ISA and that their influence on intention to comply is at least partially mediated by ISA. Thus,
Hypothesis 3a: The provision of SETA programs positively influences employees’ level of ISA.
Hypothesis 3b: ISA mediates the positive effects of SETA programs on the intention to comply with ISPs.
3.2 Individual Antecedents of ISA