An Information Security Policy Compliance Reinforcement and Assessment Framework
- Authors: Gundu, Tapiwa
- Date: 2017
- Subjects: Computer security Information technology -- Security measures Business -- Data processing -- Security measures Computer networks -- Security measures
- Language: English
- Type: Thesis , Doctoral , PhD
- Identifier: http://hdl.handle.net/10353/9556 , vital:34445
- Description: The majority of SMEs have adopted the use of information communication and technology (ICT) services. However, this has exposed their systems to new internal and external security vulnerabilities. These SMEs seem more concerned with external threat related vulnerabilities rather than those from internal threats, although researchers and industry are suggesting a substantial proportion of security incidents to be originating from insiders. Internal threat is often addressed by, firstly, a security policy in order to direct activities and, secondly, organisational information security training and awareness programmes. These two approaches aim to ensure that employees are proficient in their roles and that they know how to carry out their responsibilities securely. There has been a significant amount of research conducted to ensure that information security programmes communicate the information security policy effectively and reinforce sound security practice. However, an assessment of the genuine effectiveness of such programmes is seldom carried out. The purposes of this research study were, firstly, to highlight the flaws in assessing behavioural intentions and equating such behavioural intentions with actual behaviours in information security; secondly, to present an information security policy compliance reinforcement and assessment framework which assists in promoting the conversion of intentions into actual behaviours and in assessing the behavioural change. The approach used was based on the Theory of Planned Behaviour, knowledge, attitude and behaviour theory and Deterrence Theory. Expert review and action research methods were used to validate and refine the framework. The action research was rigorously conducted in four iterations at an SME in South Africa and involved 30 participating employees. The main findings of the study revealed that even though employees may have been well trained and are aware of information security good practice, they may be either unable or unwilling to comply with such practice. The findings of the study also revealed that awareness drives which lead to secure behavioural intents are merely a first step in information security compliance. The study found that not all behavioural intentions converted to actual secure behaviours and only 64% converted. However, deterrence using rewards for good behaviour and punishment for undesirable behaviour was able to increase the conversion by 21%.
- Full Text:
- Date Issued: 2017
- Authors: Gundu, Tapiwa
- Date: 2017
- Subjects: Computer security Information technology -- Security measures Business -- Data processing -- Security measures Computer networks -- Security measures
- Language: English
- Type: Thesis , Doctoral , PhD
- Identifier: http://hdl.handle.net/10353/9556 , vital:34445
- Description: The majority of SMEs have adopted the use of information communication and technology (ICT) services. However, this has exposed their systems to new internal and external security vulnerabilities. These SMEs seem more concerned with external threat related vulnerabilities rather than those from internal threats, although researchers and industry are suggesting a substantial proportion of security incidents to be originating from insiders. Internal threat is often addressed by, firstly, a security policy in order to direct activities and, secondly, organisational information security training and awareness programmes. These two approaches aim to ensure that employees are proficient in their roles and that they know how to carry out their responsibilities securely. There has been a significant amount of research conducted to ensure that information security programmes communicate the information security policy effectively and reinforce sound security practice. However, an assessment of the genuine effectiveness of such programmes is seldom carried out. The purposes of this research study were, firstly, to highlight the flaws in assessing behavioural intentions and equating such behavioural intentions with actual behaviours in information security; secondly, to present an information security policy compliance reinforcement and assessment framework which assists in promoting the conversion of intentions into actual behaviours and in assessing the behavioural change. The approach used was based on the Theory of Planned Behaviour, knowledge, attitude and behaviour theory and Deterrence Theory. Expert review and action research methods were used to validate and refine the framework. The action research was rigorously conducted in four iterations at an SME in South Africa and involved 30 participating employees. The main findings of the study revealed that even though employees may have been well trained and are aware of information security good practice, they may be either unable or unwilling to comply with such practice. The findings of the study also revealed that awareness drives which lead to secure behavioural intents are merely a first step in information security compliance. The study found that not all behavioural intentions converted to actual secure behaviours and only 64% converted. However, deterrence using rewards for good behaviour and punishment for undesirable behaviour was able to increase the conversion by 21%.
- Full Text:
- Date Issued: 2017
An information security policy compliance reinforcement and assessment framework
- Authors: Gundu, Tapiwa
- Date: 2017
- Subjects: Computer security Information technology--Security measures Information resources management--Security measures
- Language: English
- Type: Thesis , Doctoral , Information Systems
- Identifier: http://hdl.handle.net/10353/11554 , vital:39084
- Description: The majority of SMEs have adopted the use of information communication and technology (ICT) services. However, this has exposed their systems to new internal and external security vulnerabilities. These SMEs seem more concerned with external threat related vulnerabilities rather than those from internal threats, although researchers and industry are suggesting a substantial proportion of security incidents to be originating from insiders. Internal threat is often addressed by, firstly, a security policy in order to direct activities and, secondly, organisational information security training and awareness programmes. These two approaches aim to ensure that employees are proficient in their roles and that they know how to carry out their responsibilities securely. There has been a significant amount of research conducted to ensure that information security programmes communicate the information security policy effectively and reinforce sound security practice. However, an assessment of the genuine effectiveness of such programmes is seldom carried out. The purposes of this research study were, firstly, to highlight the flaws in assessing behavioural intentions and equating such behavioural intentions with actual behaviours in information security; secondly, to present an information security policy compliance reinforcement and assessment framework which assists in promoting the conversion of intentions into actual behaviours and in assessing the behavioural change. The approach used was based on the Theory of Planned Behaviour, knowledge, attitude and behaviour theory and Deterrence Theory. Expert review and action research methods were used to validate and refine the framework. The action research was rigorously conducted in four iterations at an SME in South Africa and involved 30 participating employees. The main findings of the study revealed that even though employees may have been well trained and are aware of information security good practice, they may be either unable or unwilling to comply with such practice. The findings of the study also revealed that awareness drives which lead to secure behavioural intents are merely a first step in information security compliance. The study found that not all behavioural intentions converted to actual secure behaviours and only 64percent converted. However, deterrence using rewards for good behaviour and punishment for undesirable behaviour was able to increase the conversion by 21percent.
- Full Text:
- Date Issued: 2017
- Authors: Gundu, Tapiwa
- Date: 2017
- Subjects: Computer security Information technology--Security measures Information resources management--Security measures
- Language: English
- Type: Thesis , Doctoral , Information Systems
- Identifier: http://hdl.handle.net/10353/11554 , vital:39084
- Description: The majority of SMEs have adopted the use of information communication and technology (ICT) services. However, this has exposed their systems to new internal and external security vulnerabilities. These SMEs seem more concerned with external threat related vulnerabilities rather than those from internal threats, although researchers and industry are suggesting a substantial proportion of security incidents to be originating from insiders. Internal threat is often addressed by, firstly, a security policy in order to direct activities and, secondly, organisational information security training and awareness programmes. These two approaches aim to ensure that employees are proficient in their roles and that they know how to carry out their responsibilities securely. There has been a significant amount of research conducted to ensure that information security programmes communicate the information security policy effectively and reinforce sound security practice. However, an assessment of the genuine effectiveness of such programmes is seldom carried out. The purposes of this research study were, firstly, to highlight the flaws in assessing behavioural intentions and equating such behavioural intentions with actual behaviours in information security; secondly, to present an information security policy compliance reinforcement and assessment framework which assists in promoting the conversion of intentions into actual behaviours and in assessing the behavioural change. The approach used was based on the Theory of Planned Behaviour, knowledge, attitude and behaviour theory and Deterrence Theory. Expert review and action research methods were used to validate and refine the framework. The action research was rigorously conducted in four iterations at an SME in South Africa and involved 30 participating employees. The main findings of the study revealed that even though employees may have been well trained and are aware of information security good practice, they may be either unable or unwilling to comply with such practice. The findings of the study also revealed that awareness drives which lead to secure behavioural intents are merely a first step in information security compliance. The study found that not all behavioural intentions converted to actual secure behaviours and only 64percent converted. However, deterrence using rewards for good behaviour and punishment for undesirable behaviour was able to increase the conversion by 21percent.
- Full Text:
- Date Issued: 2017
- «
- ‹
- 1
- ›
- »