Macquarie University

Embedding Information Security Behaviour of Employees Working Anywhere, Using Any Device

thesis
posted on 2024-07-31, 00:57 authored by Queen Aigbefo

Protecting organisational information assets requires a technical and human response. Organisations have primarily focused on the technical aspects of information security management (ISM). The human response to information security has increased in importance, given the rapid and massive transitioning of employees working from remote locations using any device as a result of the COVID-19 pandemic. Protection of organisational information assets requires an overarching information security strategy (ISS) that comprises technical and human components. Organisational information security strategy as a core component of employees’ information security behaviour is under-researched in the information systems literature. Although some research explores information security from an operational management approach, there is little research on information security from a security strategy perspective.

This thesis examines how information security strategies are formulated and operationalised to inform decisions about security tools and programs for embedding security behaviour in employees. This research project used a mixed methodology, qualitative and quantitative, to achieve the research aim. Data was collected using semi-structured interviews with information security practitioners and web-based surveys to understand how information security strategy is operationalised, the effectiveness of security training tools and employees’ security behaviour predictors.

The thesis consists of three inter-related papers. In the first paper, a synthesis of the literature validated by security practitioners highlights salient areas that help guide decision-makers on the procedures and tools for embedding security behaviours to support ISS. The second paper delves into behavioural security and holistically examines malleable traits that could embed employees’ security behaviour. The final paper examines the effectiveness of security interventions in embedding employee security behaviour. The findings showed that an organisation’s one-size-fits-all training strategy may not lead to improvement in employees’ security behaviour; rather, consideration should be given to employees’ preferred learning styles when selecting security training tools. The findings show that organisations can embed security behaviour using mindful security practices.

The key contribution to the literature is a practice-oriented framework for the operationalisation of information security strategy with an emphasis on employee security behaviour. The framework developed in this thesis shows the interaction between security strategy, security programs and security behaviour in embedding employee security behaviour.

History

Table of Contents

Chapter 1. Introduction -- Chapter 2. Information Security Strategy: A Scoping Review -- Chapter 3. Strengthening The Security “Weakest Link”: Insights from Habit, Mindfulness and Passive Risk-Taking -- Chapter 4. Effectiveness of Security Interventions for Improving Security Behaviour: Insights from Learning Style Preferences -- Chapter 5. Conclusion -- References -- Appendices

Awarding Institution

Macquarie University

Degree Type

Thesis PhD

Degree

Doctor of Philosophy

Department, Centre or School

Department of Actuarial Studies and Business Analytics

Year of Award

2022

Principal Supervisor

Mauricio Marrone

Additional Supervisor 1

Yvette Blount

Rights

Copyright: The Author Copyright disclaimer: https://www.mq.edu.au/copyright-disclaimer

Language

English

Extent

117 pages
