CHAPTER 1: DEVELOPING THE RESEARCH AGENDA/INTRODUCTION
1.2 Research Background
1.2.1 Human Factors in Information Security
People are at the centre of technological design and of the use of designed products, and this makes technological systems, in the context of information systems, both an asset and a threat. Because of the value placed on data and corporate information, organisations place a premium on addressing the human elements and risks in information security in order to deal effectively with information security breaches (Katzenbeisser and Petitcolas, 2016), and this is among the motivating factors for undertaking this research. Public organisational policies and standards contain codes of conduct that people are expected to follow with respect to information systems security; furthermore, it is humans who execute organisational information security policies. Human factors are therefore a major force behind both the effectiveness and the failure of security systems. Asadi et al. (2019) state that technical solutions alone are not sufficient, as insider threats have become a fundamental issue in the public sector. There is evidence that human factors undermine information security with devastating effects, as the examples from the UAE and globally (covered in the background section) show, and this is compounded by public organisations having underdeveloped information security systems and policies. Human factors can be divided into direct and indirect factors. The direct factors are those that depend on the individual’s characteristics and have a significant impact on the information security management system.
Sheeran and Rivis (2017) explain that the indirect factors arise from external issues such as organisational matters (an adequate budget, the type of culture) and governmental policies, which in turn influence the direct factors and the information security system.
Human errors can be understood as failures introduced into systems that otherwise work properly; putting greater focus on human factors and internal threats will therefore significantly reduce the threats and risks to public information systems. Tsai et al. (2016) contend that security policies are designed to restrain human behaviours (especially addictive behaviours) in order to mitigate the threats to information systems that arise from human error and misbehaviour. Human behaviour is hard to define, measure and control in public organisations, especially when it is mediated by addictive behaviour. Public organisations are apprehensive about whether their employees adhere to information security policies and follow the rules and guidelines intended to ensure information security, such as careful management of credentials and access codes, safe browsing, not clicking links in e-mails from unknown sources, and not using external devices such as flash disks to store company data, among others. There is a clear gap in the research, and a lack of understanding and appreciation of addictive human behaviour and its effects on information security threats and countermeasures.
Further, there is a dearth of adequate sensitisation programmes to educate public organisation employees on information security policies and procedures (Zhang et al., 2019). Public sector staff who lack the requisite information security skills, coupled with inadequate training, contribute to the weak performance of information security and increase the threats and risks to data and information systems. For instance, when staff in critical areas such as the finance department do not know how to use e-mail encryption, the end result is unencrypted e-mails containing sensitive information being sent to customers.
Meoli et al. (2020) found that unprotected information is exposed to the public domain and then obtained by criminals who use it for malicious purposes, including ransomware and fraud. Public organisations do not focus on insiders’ behaviour with respect to information security or on their technological competency, although training programmes are supposed to be held regularly, based on a competent information security policy (ISP), to provide employees with adequate skills and knowledge, and to shape their behaviour so that they can confront the challenges of information security.
Dwivedi et al. (2019) state that human behaviour is affected by the dimensions of culture. Organisational culture refers to employees’ perceptions of the beliefs and values they share in the working environment, and it influences both the beliefs of individuals and their behaviour. In the context of information security, this cultural effect has been tested by researchers. For example, the effect of organisational culture has been tested against information security principles such as confidentiality, integrity and accountability (Asadi et al., 2019), and the results showed that organisational culture influences each of the principles examined. Hofstede’s cultural framework has been used to model organisational culture in information security research. In one empirical information systems study it was applied alongside the technology acceptance model (TAM) and identified differences in behaviour across organisations. Hofstede defines culture as the collective programming of the mind that distinguishes one group of people from another (Soomro et al., 2016).
The countermeasures for the cultural effect on human behaviour are information security policy, training and cultural awareness, and management support. D’Arcy and Teh (2019) note that information security measures are shifting from technology towards the human factors. Asadi et al. (2019) investigated the influence and effect of information security policies on culture. Policies set guidelines that shape how employees behave when using the system. Security policies are created to communicate security protocols, to assign roles and responsibilities, and to guide employees so that they handle security incidents correctly. Hina et al. (2019) argue that creating, updating, communicating and promoting policies is an element of the security management programme that makes employees aware of information security incidents.
Training and awareness are required for people to thrive in an information security culture. Training provides employees with the knowledge and skills needed to use the information system. Training aligned with employee awareness should be based on information security policies and responsibilities (Yu et al., 2020) without ignoring the organisational culture. Such training focuses on forming habits in relation to users’ perceptions and procedural choices, and it allows employees to build and retain experience in using the information system. Finally, management support is an important factor in the information security culture, as it is required to create a supportive working environment in the organisation. Management support and leadership contribute to the implementation of information security efforts. Birkel et al. (2019) state that it is imperative that managers develop strategies to protect assets and formulate the organisational budget accordingly.
Therefore, compliant employees are the result of implementing countermeasures that encourage and/or force them to comply. Additionally, the rewards or threats that could motivate potentially non-compliant insiders will also motivate insiders who are already compliant.
The countermeasure philosophy describes the approach that information system management takes to ensure compliance, or to minimise non-compliance, among employees. There are two leading philosophies regarding methods of ensuring compliance. The first is a positive, developmental approach, with a focus on the inspiration to comply; this is the development philosophy. The second is more negative; this is the deterrence philosophy, with a focus on generating fear of the consequences of failing to comply. An example of the development philosophy is explaining why compliance is favourable for the employees themselves (for example, because it may offer a sense of personal fulfilment). An example of the deterrence philosophy is advising employees that individuals who do not comply with existing and/or newly established policies will be punished in various ways.
Deterrence theories warn employees of sanctions in order to push them to obey IS policies, whereas development theories encourage employees to follow policies and procedures by offering a reward, or by informing employees of the inherent benefits and the generally safer environment they will enjoy when the policies are complied with.
Theories of deterrence have been used to address criminal acts, in information security research, and in governmental action over the last decade, particularly the General Deterrence Theory (GDT), which was adapted, contextualised and adopted in IS research in the 1990s. There is another possible explanation for why deterrence theory is so widely used in IS security research: IS security lacks indigenous theories of its own, and there are few sufficiently well-developed developmental theories (Protection Motivation Theory, PMT, being the exception) that have been adapted, contextualised and adopted in IS research.
The growth in security incidents related to employee actions led some researchers to question whether deterrence theory was successful enough. They therefore began to examine another approach, development theory, which uses encouragement to motivate insiders to obey information system policies. However, the increase in incidents cannot be attributed with certainty to the failure of deterrence theory.