posted on 2024-07-31, 00:57 authored by Queen Aigbefo
<p>Protecting organisational information assets requires a technical and human response. Organisations have primarily focused on the technical aspects of information security management (ISM). The human response to information security has increased in importance, given the rapid and massive transitioning of employees working from remote locations using any device as a result of the COVID-19 pandemic. Protection of organisational information assets requires an overarching information security strategy (ISS) that comprises technical and human components. Organisational information security strategy as a core component of employees’ information security behaviour is under-researched in the information systems literature. Although some research explores information security from an operational management approach, there is little research on information security from a security strategy perspective.</p>
<p>This thesis examines how information security strategies are formulated and operationalised to inform decisions about security tools and programs for embedding security behaviour in employees. This research project used a mixed methodology, qualitative and quantitative, to achieve the research aim. Data was collected using semi-structured interviews with information security practitioners and web-based surveys to understand how information security strategy is operationalised, the effectiveness of security training tools and employees’ security behaviour predictors.</p>
<p>The thesis consists of three inter-related papers. In the first paper, a synthesis of the literature validated by security practitioners highlights salient areas that help guide decision-makers on the procedures and tools for embedding security behaviours to support ISS. The second paper delves into behavioural security and holistically examines malleable traits that could embed employees’ security behaviour. The final paper examines the effectiveness of security interventions in embedding employee security behaviour. The findings showed that an organisation’s one-size-fits-all training strategy may not lead to improvement in employees’ security behaviour; rather, consideration should be given to employees’ preferred learning styles when selecting security training tools. The findings show that organisations can embed security behaviour using mindful security practices.</p>
<p>The key contribution to the literature is a practice-oriented framework for the operationalisation of information security strategy with an emphasis on employee security behaviour. The framework developed in this thesis shows the interaction between security strategy, security programs and security behaviour in embedding employee security behaviour.</p>
Table of Contents
Chapter 1. Introduction -- Chapter 2. Information Security Strategy: A Scoping Review -- Chapter 3. Strengthening The Security “Weakest Link”: Insights from Habit, Mindfulness and Passive Risk-Taking -- Chapter 4. Effectiveness of Security Interventions for Improving Security Behaviour: Insights from Learning Style Preferences -- Chapter 5. Conclusion -- References -- Appendices
Awarding Institution
Macquarie University
Degree Type
Thesis PhD
Degree
Doctor of Philosophy
Department, Centre or School
Department of Actuarial Studies and Business Analytics
Year of Award
2022
Principal Supervisor
Mauricio Marrone
Additional Supervisor 1
Yvette Blount
Rights
Copyright: The Author
Copyright disclaimer: https://www.mq.edu.au/copyright-disclaimer