Reducing cybersecurity risks and insider computer abuse by better securing the human factor: Improving organizational IT security compliance
Abstract
One of the greatest heists in the cybersecurity context resulted in a loss of about $1 billion for financial institutions (Kaspersky, 2015) and was the result of an email-spoofing attack in which employees clicked on a link that installed malicious software on their machines. This simple mechanic shows how a single phishing email can have disastrous consequences for organizational information systems (IS).
Ensuring compliant security behaviors from employees is a "holy grail" for all companies looking to protect organizational assets. Insider computer abuse, covering both volitional and non-volitional security violations by insiders, is identified as one of the greatest concerns for companies. Despite numerous initiatives to encourage organizational IT security compliance, serious security incidents have increased, often stemming from employees' noncompliant and careless actions (e.g., falling for phishing). Despite the increasing relevance of employee IS security policy compliance, and in light of the digitization of the workplace (e.g., bring your own device, social media use), important research gaps remain in our understanding of how to effectively reduce employee non-compliant behavior.
While information security research has examined several different theories, methods and techniques for persuading employees to behave securely in organizations, employees still continue to violate IS security policies. In this research paper we set out the research gaps that remain in our understanding of insider computer abuse and identify the contextual events that precede IT security policy violations and lead to employee non-compliant behavior.
Finally, we wish to advance our understanding of this phenomenon through systematic theory development, suitable for publication in high-ranking international journals, by developing new theoretical insights about 1) how to influence employees' motivation to behave more securely and more in compliance with organizational IT security policies, and 2) which contextual factors (e.g., culture, color, warnings) would empower employees to take more informed and better security decisions.
We believe that our findings can help recast extant research and practices and should lead to a potentially more effective approach to encouraging employees' security compliance.
With this theoretical and empirical work, we show how our proposal can make multiple contributions to theory and how important implications for practitioners can be derived from it.