This study aims to identify and examine factors influencing employees’ information security awareness (ISA) in the telework environment. Specifically, the authors identify and examine the influence factors rooted in the knowledge-attitude-behavior (KAB) model (i.e., knowledge, attitude, and behavior) and knowledge inertia theory (i.e., experience and learning inertia). This study uses online survey data from 305 employees who have telework experience. We apply the structural equation modeling technique to assess the proposed research model. This research is among the pioneering studies that identify and examine the factors influencing employees’ ISA in the telework environment. Our study is also one of the first to investigate antecedents to employees’ ISA rooted in the KAB model and knowledge inertia theory in a telework environment. Results show that employees’ ISA in the telework environment is significantly influenced by their knowledge, behavior toward following security guidelines, and learning inertia, whereas attitude and experience inertia have no significant effect on employees’ ISA.
Information security policy (ISP) compliance of employees has a profound impact on organizations. In the context of information technology innovation and information systems upgrades, employees' information security behavior is one of the most crucial elements in the information security management of organizations. Based on the two-dimensional model of challenge-hindrance stressor theory and affective events theory, this study explores the mediating effects of emotions on the relationship between challenge information security stress and ISP compliance. A field quasi-experimental method was used in this study. Materials include the Challenge Information Security Stress Scale, Information System Security Policy Compliance Scale, and Emotions Scale, which were used to form the two-stage questionnaire surveys. Data of 217 employees from three Chinese companies in Shanghai and Beijing that had passed certifications for information security management system (GB/T 22080-2008/ISO/IEC 27001:2005) were collected. The bootstrapping method for multiple mediation models and the Process 3.0 plug-in of SPSS 20.0 were used for data analysis. The findings indicate that challenge information security stress has a positive effect on ISP compliance. Challenge information security stress has a positive effect on positive emotions and a negative effect on negative emotions. Positive emotions have a mediating effect between challenge information security stress and ISP compliance, but negative emotions have no mediating effect. The research results expand the research scope of challenging stress in the two-dimensional model of challenge-hindrance stressor theory in the context of organizational information security. The findings reveal the mediating effect of positive emotions in the relationship between challenge information security stress and ISP compliance, which provides empirical support for the application of positive psychology in the field of management.
Digital information and data significantly improve the efficiency of government work in China. At the same time, in order to deal with information security and data leakage events, public departments have begun to pay attention to the information security awareness and behaviour of civil servants. Based on organisational culture and protection motivation theory, this study constructed a mediated moderation model to explore the influence mechanism of grassroots civil servants’ awareness of information security. This study collected 324 questionnaires from four regions of China. Results show that organisational culture has a significant positive impact on information security awareness. Professional identity has a significant positive effect on public service motivation and plays a negative moderating role in the relationship between organisational culture and information security awareness. Public service motivation mediates the moderating effect of professional identity on the relationship between organisational culture and information security awareness. The findings of this study offer practical implications and suggestions for further research. Points for practitioners: The construction of organisational culture will effectively enhance the information security awareness of Chinese grassroots civil servants. Public departments should consider professional identity as an important factor when selecting grassroots civil servants engaged in information security work. In the implementation of information security management strategy planning, government departments can pay attention to and emphasise the public service motivation of grassroots civil servants.
Purpose: To remain competitive in an unpredictable environment where the complexity and frequency of cybercrime are rapidly increasing, a cyber resiliency strategy is vital for business continuity. However, one of the barriers to improving cyber resilience is that security defense and accident recovery do not combine efficaciously, as embodied by emphasizing cyber security defense strategies, leaving firms ill-prepared to respond to attacks. The present study thus develops an expected resilience framework to assess cyber resilience, analyze cyber security defense and recovery investment strategies and balance security investment allocation strategies. Design/methodology/approach: Based on the expected utility theory, this paper presents an expected resilience framework, including an expected investment resilience model and an expected profit resilience model that directly addresses the optimal joint investment decisions between defense and recovery. The effects of linear and nonlinear recovery functions, risk interdependence and cyber insurance on defense and recovery investment are also analyzed. Findings: According to the findings, increasing the defense investment coefficient reduces defense and recovery investment while increasing the expected resilience. The nonlinear recovery function requires a smaller defense investment and overall security investment than the linear one, reflecting the former’s advantages in lowering cybersecurity costs. Moreover, risk interdependence has positive externalities for boosting defense and recovery investment, meaning that the expected profit resilience model can reduce free-riding behavior in security investments. Insurance creates moral hazard for firms by lowering defensive investment, yet after purchasing insurance, expanded coverage and cost-effectiveness incentivize firms to increase defense and recovery spending, respectively.
Originality/value: The paper is innovative in its methodology as it offers an expected cyber resilience framework for integrating defense and recovery investment and their effects on security investment allocation, which is crucial for building cybersecurity resilience but receives little attention in cybersecurity economics. It also provides theoretical advances for cyber resilience assessment and optimum investment allocation in other fields, such as cyber-physical systems, power and water infrastructure, moving from a resilience triangle metric to an expected utility theory-based method.
Although organizational information security investment has attracted a great deal of attention from academia and industry, there is a lack of studies on the decision maker's overconfidence. This paper examines the relationship between overconfidence of executives, information security investment and information security performance. The study shows that overconfidence is negatively associated with information security investment and that an inverted U-shaped curvilinear relationship exists between information security investment and information security performance. Furthermore, to illustrate the robustness of our results, the suppressing effect and the serial mediating role between overconfidence, information security investment and information security performance are also tested.
This study explores the relationship between positive emotions and protection-motivated behaviours by focusing on the mediating role of self-efficacy and the moderating role of information security awareness. Based on a sample of 215 full-time employees from various organizations in China, the results of hierarchical regression and moderated path analysis indicate that positive emotions positively influence protection-motivated behaviours, and self-efficacy partially mediates this relationship. In addition, information security awareness has a positive moderating effect on the relationships between positive emotions and self-efficacy and between self-efficacy and protection-motivated behaviours. Furthermore, the findings show that information security awareness has a positive moderating effect on the mediating effect of self-efficacy between positive emotions and protection-motivated behaviours. The theoretical and practical implications of these results, as well as directions for future research, are discussed.
With increasing dependence on information technology and information systems, enterprises are confronting an increasingly complicated information security environment. Thus, information security has become an intractable problem for many enterprises. Generally speaking, there are two ways to improve an enterprise's information security level: technological means and management means. Technological means mainly address the software and hardware security of computers and networks, while management means mainly regulate and restrain the entire enterprise system, including software, hardware, and employees. At present, many enterprises mostly employ technological means to solve information security problems. However, the lack or imperfection of information security institutions leads to a poor enterprise information security situation. Therefore, technological and management means of solving information security problems are complementary to each other. As such, it is urgent and necessary for many enterprises to establish and improve information security institutions. In fact, enterprise information security is a complicated activity that requires different sectors to get involved. More specifically, the information security departments play a critical role in the implementation of information security institutions, and all employees should comply with the information security policy. Therefore, only the top management teams have the ability to coordinate the relationship between different departments, determine the introduction of information technology, and deploy the information systems. In response, top management support has an important impact on the construction of information security institutions and the effectiveness of information security management. So far, few studies have investigated the mechanism by which top management support affects information security legitimation, and how legitimation affects information security management.
Therefore, exploring whether the legitimation supported by top management can improve the effectiveness of information security management has great theoretical and practical significance. The objective of the current study is to explore whether legitimation prompted by the top management team can improve the effectiveness of enterprise information security management. To this end, data were collected from enterprises that have passed the certification of information security management system and analyzed using PLS-SEM. The results indicate that information security awareness can improve top management support (including top management belief and top management participation) and the effectiveness of information security management, respectively. In addition, top management belief can improve implementation (the first stage of legitimation) and internalization (the second stage of legitimation). Moreover, implementation can improve the effectiveness of information security management. This paper analyzes ways to enhance the effectiveness of information security management, which has practical significance for promoting the information security management of enterprises from an institutional standpoint.