Factors that Influence Information Security Behavior: An Australian Web-Based Study

Information Security professionals have been attempting to convince senior management for many years that humans represent a major risk to the security of an organization’s computer systems and the information that these systems process. This major threat relates to the behavior of employees whilst they are using a computer at work. This paper examines the non-malicious computer-based behavior and how it is influenced by a mixture of individual, organizational and interventional factors. The specific factors reported herein include an employee’s age; education level; ability to control impulsivity; familiarity with computers; and personality. This research utilized the Qualtrics online web-based survey software to develop and distribute a questionnaire that resulted in 500 valid responses. The major conclusions of this research are that an employee’s accidental-naive behavior is likely to be less risky if they are more conscientious; older; more agreeable; less impulsive; more open; and, surprisingly, less familiar with computers.

Keywords

  • Information security (InfoSec)
  • Information risk
  • Human aspects of cyber security (HACS)
  • Behavioral information security
  • Risk management


1 Introduction

Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and other C-suite executives are, these days, quite convinced that humans represent a major threat to the security of an organization’s computer systems and the information that these systems store and process. This realization relates to the behavior of employees whilst they are “operating” a computer, which can range from accidental-naïve incidents to deliberate-malicious actions. The research described in this paper was specifically focused on the accidental-naive (and therefore not deliberate-malicious) behavior of employees. For example, such behavior includes the opening of unsolicited email attachments or the inadvertent sharing of passwords with others by writing them on post-it notes and sticking them to their computer monitor. Therefore, if organizations could minimize this type of behavior, which increases the risk of an information security incident, their information assets would be more secure. So, how can this be achieved? Before this question can be addressed it is necessary to establish why employees unknowingly behave badly when they use a computer. Individuals may not be aware of the consequences of certain behaviors, they may also have limited knowledge of computers, or their attitude towards their employer or computers may influence their subsequent behavior. In other words, what variables are associated with poor accidental-naïve behavior by computer users? If the most significant of these factors can be identified, whether they are individual, organizational or interventional factors, information security professionals will be better placed to design and implement information security interventions that will mitigate this type of behavior. In turn, this will raise the level of information security within their organizations.

This research examines the impact that a selection of factors had on the self-reported accidental-naïve behavior of employees. These factors include their age; the highest level of education that they completed; their ability to control impulsivity; their familiarity with computers; and their personality traits.

1.1 Literature Review

An extensive literature review into the factors that affect information security behavior was conducted by Abraham [1] in 2011. Although Abraham reported a healthy amount of research in this area, most of these studies related to the type of user behavior that impacts on “compliance with security policies”, that is, deliberate and possibly malicious behavior. For example, Pahnila et al. [2] examined how attitudes towards compliance, normative beliefs and habits influence the intention to comply with organizational policies. Abraham [1] reported no evidence of research that was concerned with accidental-naïve behavior, as in this current research. In addition, many of these studies focussed on factors such as attitudes, beliefs and self-efficacy. Very few involved the factors that were examined in this current study, such as the ability to control impulsivity and familiarity with computers. For example, a study conducted by D’Arcy et al. [3] examined the behavior of insider computer users, specifically focussing on “intentional insider misuse” and how certain controls and practices deter such deliberate actions. In contrast, Anderson et al. [4] examined the behavioral intentions of “home” computer users. They focused on the impact of factors such as attitude, self-efficacy, subjective norms and psychological ownership.

Since 2011, although there has been an escalation in information security behavioral research, there is still a dearth of research pertaining to factors that affect the accidental-naïve behavior of organisational computer users. Notwithstanding this situation, a relevant study by Vance et al. [5] examined the influence of factors such as perceived security, rewards and vulnerability on employee intention to comply with information system security policies. Also relevant to this current study, because it involved the use of personality traits, was a recent study conducted by Kajzer et al. [6] that examined the effectiveness of different types of information security awareness messages. Messages in this context included newsletters, email, face-to-face instruction, screensavers, signage, seminars, training and education events.

1.2 Aim of this Paper

The aim of this paper is twofold. The first aim is to report on a web-based survey that elicited information from anonymous Australian working adults for the purpose of testing the following two types of hypotheses.

General Hypotheses. A number of studies have been conducted that examined similar factors in regard to various types of behavior in a variety of domains, including information technology use (it is beyond the scope of this paper to provide a literature review more extensive than Sect. 1.1 above). The following hypotheses relate to self-reported information security behavior and the extent to which it is risky.

H1: Age is positively associated with self-reported behavior.

H2: Level of education completed is positively associated with self-reported behavior.

H3: Ability to control impulsivity is positively associated with self-reported behavior.

H4: Familiarity with computers is positively associated with self-reported behavior.

Exploratory Hypotheses. These hypotheses are exploratory because there is no evidence of previous research regarding the traditional five personality traits and how they impact accidental-naive behavior of computer users.

H5a: Openness is associated with self-reported behavior.

H5b: Conscientiousness is associated with self-reported behavior.

H5c: Extraversion is associated with self-reported behavior.

H5d: Agreeableness is associated with self-reported behavior.

H5e: Emotional stability is associated with self-reported behavior.

The second aim of this paper is to report on the data analysis and how the results can be interpreted in order to improve this type of behavior. This, in turn, will potentially provide a greater level of information security within the respective employee organizations.

The structure of this paper is as follows. The next section provides an explanation of the web-based survey instrument, its validity and how information was collected. Following this, the results are presented and discussed, limitations are conceded and conclusions are expressed.

2 Method

This research utilized the Qualtrics web-based survey software to develop an online survey questionnaire. This questionnaire was distributed to selected respondents who were registered with Qualtrics as people who were interested in responding to questionnaires for a fee. This ‘panel’ of respondents was selected because they qualified as “Working Australian Adults”. These respondents received an email from Qualtrics that contained a clickable link which directed them to the questionnaire. Respondents were excluded if they did not use a computer at work and they were filtered out if their responses appeared to be too “mechanical”, that is, not thought out (known as content non-responsivity). A total of 500 responses were considered valid for analysis with SPSS software. The questionnaire took an average of 30 min to complete.

The following data was collected via the questionnaire:

Self-Reported Behavior. Participants were asked to rate each of 21 behaviors on a 5-point rating scale ranging from “Strongly disagree” to “Strongly agree”. Three questions were posed for each of seven focus areas that were gleaned from information security standards and guidelines [7–9] and via interviews with senior management and certified information security auditors (CISAs). These focus areas are:

  • Password Management
  • Email Use
  • Internet Use
  • Social Networking Site Use
  • Mobile Computing
  • Information Handling and
  • Incident Reporting.

Approximately half of the items were expressed in negative terms and questions were presented in a random order of focus area. Each participant recorded 21 scores between 1 and 5. Scores were aggregated after adjusting for reversed questions. Consequently, the higher a participant’s aggregated score, the better behaved the participant was likely to be.

Age. Participants were asked to indicate their age within one of six ranges, namely, “20 or under”, “21–30”, “31–40”, “41–50”, “51–60” and “61 or over”.

Level of Education Completed. Participants were asked to indicate the highest level of education they completed on the 5-point scale, “Did not graduate from high school”, “Year 12 or equivalent”, “Some post-secondary”, “Bachelor degree” and “Post-graduate degree”.

Familiarity with Computers. On a 5-point Likert scale participants were asked to indicate how often they engage in each of 13 different computer activities (refer to Table 1 below) using the question: How frequently do you engage in the following computer activities using any type of computer or portable device? Scales were assigned scores as follows: “Daily” = 4, “Weekly” = 3, “Monthly” = 2, “Less than Monthly” = 1 and “Never” = zero. The 13 scores were aggregated to represent a participant’s familiarity with computers. In other words, the higher the aggregated score, the more familiar a participant was considered to be with computers.

Personality Traits. This survey used an abbreviated version of the Big Five Inventory (BFI) personality test [10], namely, the Ten-Item Personality Inventory (TIPI) developed by Gosling et al. [11]. This measure consists of 10 items, each using 7-point ratings (Disagree strongly = 1 to Agree strongly = 7). Two items represent each personality trait, namely, Agreeableness, Conscientiousness, Extraversion, Openness and Emotional stability. A measure for each trait is calculated as the sum of the scores for the two relevant items. This abbreviated method of measuring personality traits was considered adequate and appropriate for an exploratory study of this nature because it consumed much less time to complete than longer versions of the BFI.

Table 1. Percentage of participants (N = 500) who engage in various computer activities (the basis for assessing familiarity with computers).

Ability to Control Impulsivity. A participant’s ability to control impulsivity was measured by utilizing Frederick’s [12] cognitive reflection test. This test consists of three mathematically simple questions for which the intuitive answers are not correct [13]. Each correct answer earns a score of 1, therefore a participant can score between zero (none correct) and three (all correct). Participants who do well in this test tend to be more patient in decisions, that is, they are assumed to be less impulsive in their decision-making.

2.1 Validation

This research was primarily interested in how individual factors influenced self-reported accidental-naive behavior of participants and to a lesser extent how the composite model of independent variables predicted this behavior. Consequently, Standard Multiple Regression was used to analyse the data.

Sample Size. This study, which comprised nine independent variables and one dependent variable, used a sample size of 500 participants. According to Green [14], a minimum sample size for such a study can be calculated as the number of independent variables plus 104. Consequently, the sample size of this study is not only far greater than 113 but also satisfies the Miles and Shevlin [15] recommended sample size of 200 when using up to 20 predictors that have a medium effect (i.e. how well they predict self-reported behavior).

Multicollinearity. Table 2 below shows the Pearson correlation coefficients (r) and descriptive statistics for all 10 variables in the model. The correlations between each of the independent variables are all less than 0.7, which is considered acceptable according to Cohen [16]. The correlations between the independent variables and the dependent variable, self-reported behavior, are mostly greater than 0.3. This is also considered acceptable, particularly since the Tolerance values are all greater than 0.10 and the VIF (Variance Inflation Factor) values are well below 10. Hence it is reasonable to assume that the assumption of no multicollinearity has not been violated [16, 17].
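As an added illustration of the screen described above (not code from the paper or its authors), the following Python computes pairwise Pearson correlations, tolerance and VIF for a set of predictors and applies the thresholds quoted here (|r| below 0.7, tolerance above 0.10, VIF below 10) to a small constructed dataset; the column names, the ten respondents' values and the deliberately near-duplicate familiarity column are assumptions made for the demonstration.

```python
"""Multicollinearity screen for a regression predictor set: pairwise
Pearson r, tolerance (1 - R^2 of each predictor regressed on the others)
and VIF (1 / tolerance). Pure Python; no numpy required."""
from itertools import combinations


def mean(xs):
    return sum(xs) / len(xs)


def pearson_r(xs, ys):
    """Pearson correlation coefficient of two equal-length samples."""
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / (sxx * syy) ** 0.5


def solve(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        p = m[col][col]
        if abs(p) < 1e-12:
            raise ValueError("design matrix is singular")
        m[col] = [v / p for v in m[col]]
        for r in range(n):
            if r != col:
                f = m[r][col]
                m[r] = [rv - f * cv for rv, cv in zip(m[r], m[col])]
    return [m[i][n] for i in range(n)]


def r_squared(y, xcols):
    """R^2 of an OLS fit of y on the columns in xcols (intercept included)."""
    n = len(y)
    design = [[1.0] + [col[i] for col in xcols] for i in range(n)]
    k = len(design[0])
    xtx = [[sum(row[i] * row[j] for row in design) for j in range(k)]
           for i in range(k)]
    xty = [sum(row[i] * yi for row, yi in zip(design, y)) for i in range(k)]
    beta = solve(xtx, xty)
    my = mean(y)
    ss_tot = sum((yi - my) ** 2 for yi in y)
    ss_res = sum((yi - sum(b * v for b, v in zip(beta, row))) ** 2
                 for yi, row in zip(y, design))
    return 1.0 - ss_res / ss_tot


def collinearity_report(predictors):
    """predictors: name -> list of values, one per respondent.
    Returns name -> (tolerance, VIF)."""
    report = {}
    for name, col in predictors.items():
        others = [v for k, v in predictors.items() if k != name]
        tol = 1.0 - r_squared(col, others)
        report[name] = (tol, 1.0 / tol if tol > 0 else float("inf"))
    return report


def flag_problems(predictors, r_max=0.7, tol_min=0.10, vif_max=10.0):
    """Return human-readable violations of the thresholds used in the paper."""
    problems = []
    for a, b in combinations(predictors, 2):
        r = pearson_r(predictors[a], predictors[b])
        if abs(r) >= r_max:
            problems.append(f"r({a}, {b}) = {r:.2f} exceeds {r_max}")
    for name, (tol, vif) in collinearity_report(predictors).items():
        if tol <= tol_min or vif >= vif_max:
            problems.append(f"{name}: tolerance {tol:.3f}, VIF {vif:.1f}")
    return problems


# Constructed responses for ten respondents (not the study's data). Age is
# the 1..6 band, education the 1..5 level, familiarity the 0..52 aggregate;
# familiarity_dup is a deliberately near-duplicate column to trigger the flags.
PREDICTORS = {
    "age": [1, 4, 2, 6, 3, 5, 2, 4, 3, 5],
    "education": [5, 2, 3, 4, 1, 3, 5, 2, 4, 1],
    "familiarity": [30, 25, 41, 18, 36, 22, 27, 33, 20, 39],
    "familiarity_dup": [31, 25, 40, 18, 37, 21, 27, 34, 19, 39],
}

if __name__ == "__main__":
    for name, (tol, vif) in collinearity_report(PREDICTORS).items():
        print(f"{name:16s} tolerance={tol:.3f} VIF={vif:.2f}")
    for problem in flag_problems(PREDICTORS):
        print("flag:", problem)
```

Dropping the duplicate column yields no flags, which is the situation the paper reports for its ten variables.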

Table 2. Descriptive statistics and variable intercorrelations

3 Results and Discussion

This paper reports on exploratory research that empirically tested the effect of various factors on the self-reported behavior of employees. These factors are not intended to entirely predict a participant’s self-reported behaviour because there are many other individual, organizational and interventional factors that have this same potential. In this study ‘self-reported behavior’ relates to accidental-naïve behavior of employees whilst they are using a computer. Standard multiple regression analyses were conducted to investigate the impact of nine factors on self-reported behavior. A summary of these results is shown in Fig. 1 below.

Fig. 1. Regression model

The strength of the relationships between the independent variables and the dependent variable are shown in the model together with the amount of variance (39 %) in self-reported behavior that is accounted for by the independent variables combined (R2). The dependent variable, self-reported behavior, was represented by 21 items. The Cronbach Alpha reliability coefficient for these items was 0.918. Since this is greater than the recommended value of 0.7 [18], construct reliability is assured. Note that the higher the score a participant gets for self-reported accidental-naive behavior, the better (that is, less risky) their behavior is assumed to be.

The independent variable Conscientiousness (37 %) makes the strongest individual contribution towards explaining the self-reported behavior of participants. Other predictor variables that contributed to a lesser extent in explaining self-reported behavior, in order of effect, were Age (15 %), Agreeableness (15 %), Ability to control impulsivity (12 %), Openness (12 %) and Familiarity with computers (10 %). The relationships between each of the independent variables and the dependent variable, self-reported behavior, are discussed in more detail below.

Age (β = 0.15, p < 0.001) was shown to be significantly and positively associated with self-reported behavior, accounting for 15 % of the variance. This result suggests that the younger an employee is, the more likely he or she may behave in a risky manner. This result is in concert with D’Arcy and Greene’s [19] study that tested the relationship between Age and Compliance with information security policies and found that “older employees are more likely to comply” [19]. Consequently, hypothesis H1: Age is positively associated with self-reported behavior is supported.

Level of Education Completed (β = −0.03) was found not to be significantly associated with self-reported behavior. This result is counter-intuitive since the expectation was that people with a higher education would be more aware of the consequences of serious security breaches and would therefore behave better. Whether or not this contributed to the result, hypothesis H2: Level of education completed is positively associated with self-reported behavior is not supported.

Ability to Control Impulsivity (β = 0.12, p < 0.01) was shown to be significantly and positively associated with self-reported behavior. It is assumed that a participant with a higher cognitive reflection test score employed a more deliberative decision-making style and therefore was less impulsive. Consequently, hypothesis H3: Ability to control impulsivity is positively associated with self-reported behavior is supported.

Familiarity with Computers (β = −0.10, p < 0.05) was shown to be significantly and negatively associated with self-reported behavior. This is a counter-intuitive finding since the expectation was that people who were more familiar with computers would behave better, in a less risky manner, than those with less experience. This result is possibly due to the complacency of people who should know better. Another explanation for this unexpected result may be that some of the 13 computer activities (refer to Table 1 in Sect. 2: Method) are not generally thought to be “good” activities, for example, “Internet Gambling” and “Peer to Peer sharing”. Whether or not this contributed to a negative impact, hypothesis H4: Familiarity with computers is positively associated with self-reported behavior is not supported.

Openness (β = 0.12, p < 0.01) was shown to be significantly and positively associated with self-reported behavior. The more open a person tended to be, the better behaved they were in front of a computer. Consequently, hypothesis H5a: Openness is associated with self-reported behavior is supported.

Conscientiousness (β = 0.37, p < 0.001) was found to be significantly and positively associated with self-reported behavior. This result suggests that the more conscientious a person is, the more likely he or she will behave in a less risky manner. This personality trait was the highest contributor of all the independent variables, accounting for 37 % of the variance. Consequently, hypothesis H5b: Conscientiousness is associated with self-reported behavior is supported.

Extraversion (β = −0.01) was shown not to be significantly associated with self-reported behavior. Consequently, hypothesis H5c: Extraversion is associated with self-reported behavior is not supported.

Agreeableness (β = 0.15, p < 0.01) was shown to be significantly and positively associated with self-reported behavior. The more agreeable a person is, the more likely he or she will behave better, that is, in a less risky manner. Consequently, hypothesis H5d: Agreeableness is associated with self-reported behavior is supported.

Emotional Stability (β = −0.04) was shown not to be significantly associated with self-reported behavior and therefore hypothesis H5e: Emotional stability is associated with self-reported behavior is not supported.

Table 3 below summarizes these results.

Table 3. Results of the multiple regression

4 Limitations and Future Directions

This research reports on the accidental-naïve behavior of employees whilst they are using a computer. In this study this was measured by self-report, i.e., by asking each employee a series of questions about how they do behave, and how they would behave, when using a computer.

Although there are good reasons to be cautious of self-reported behavior, Workman’s [20] study of social engineering found a correlation of 0.89 between self-reported behavior and objective measures of behavior (measured via the propensity to respond to a phishing email). In addition, approximately 80 % of the variance in behavior could be explained by self-report, and hence, the value of self-reported behavior should not be discounted. Furthermore, Spector [21] argued that self-report studies should not be dismissed as being an inferior methodology, and instead, they can provide valuable data as an initial test of hypotheses.

The nature of any self-report study that focuses on an employee’s behavior is that their responses may be influenced by the social desirability bias [22]. When asked to respond to questions about how they use a computer as part of their job role, employees may feel the need to respond in a manner that is not truthful. Rather, they may provide the answer they believe their management or peers would find acceptable. The study questionnaire described in this paper minimizes the likelihood of social desirability bias because the design of the questionnaire refrained from asking survey participants to provide their name or the name of their employer. Notwithstanding this anonymity, they were also given additional assurances in the survey itself, as well as in the distribution email, of confidentiality and anonymity. Future research by the authors will seek to validate this self-report approach with alternative techniques.

5 Conclusion

This paper addresses the “future directions that Behavioral Information Security researchers should explore” [23] by examining how a small selection of individual, organizational and interventional factors influence an employee’s accidental-naïve behavior relating to their use of computers and the protection of information at their place of work.

The major conclusions of this exploratory investigation are that an employee’s accidental-naive behavior is likely to be less risky if the employee is more conscientious; older; more agreeable; less impulsive; more open; and surprisingly, less familiar with computers.

These findings, albeit preliminary, may motivate some managers to attempt to minimize the accidental-naive behavior of employees by addressing some of these factors directly. For example, to counteract low employee conscientiousness and low agreeableness, they could offer an incentive, like a bonus, to all staff if the number of information security incidents is less than, say, in the previous year. In regard to addressing the tendency of employees to be impulsive, management could introduce specialized training that encourages employees to think before they act in situations such as receiving rogue emails with malicious embedded links.

Finally, future research relating to improving computer-based behavior, particularly the accidental-naïve type, is needed to empirically test a variety of management interventions to ascertain which are the most effective and cost-efficient.

References

  1. Abraham, S.: Information security behaviour: factors and research directions. In: AMCIS 2011 Proceedings - All Submissions, Paper 462 (2011)
  2. Pahnila, S., Siponen, M., Mahmood, A.: Employees’ behavior towards IS security policy compliance. In: 40th Annual Hawaii International Conference on System Sciences (HICSS 2007). IEEE, Hawaii (2007)
  3. D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res. 20(1), 79–98 (2009)
  4. Anderson, C., Agarwal, R.: Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Q. 34(3), 613–643 (2010)
  5. Vance, A., Siponen, M., Pahnila, S.: Motivating IS security compliance: insights from habit and protection motivation theory. Inf. Manag. 49(3), 190–198 (2012)
  6. Kajzer, M., et al.: An exploratory investigation of message-person congruence in information security awareness campaigns. Comput. Secur. 43, 64–76 (2014)
  7. AS/NZS ISO/IEC 27002: Information Technology - Security Techniques - Code of practice for Information security management. Standards Australia/Standards New Zealand (2006)
  8. NIST SP 800-100: Information Security Handbook: A Guide for Managers. National Institute of Standards and Technology, MD (2006)
  9. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, IL (2012)
  10. John, O.P., Donahue, E.M., Kentle, R.L.: The Big Five Inventory—Versions 4a and 54. University of California, Institute of Personality and Social Research, Berkeley (1991)
  11. Gosling, S.D., Rentfrow, P.J., Swann Jr., W.B.: A very brief measure of the Big-Five personality domains. J. Res. Pers. 37(6), 504–528 (2003)
  12. Frederick, S.: Cognitive reflection and decision making. J. Econ. Perspect. 19(4), 25–42 (2005)
  13. Welsh, M., Burns, N., Delfabbro, P.: The cognitive reflection test: how much more than numerical ability? In: Proceedings of the 35th Annual Conference of the Cognitive Science Society (2013)
  14. Green, S.B.: How many subjects does it take to do a regression analysis. Multivar. Behav. Res. 26, 499–510 (1991)
  15. Miles, J., Shevlin, M.: Applying Regression and Correlation: A Guide for Students and Researchers. SAGE Publications, London (2001)
  16. Cohen, J.W.: Statistical Power Analysis for the Behavioral Sciences, 2nd edn. Lawrence Erlbaum Associates, New Jersey (1988)
  17. Pallant, J.: SPSS Survival Manual: A Step-by-Step Guide to Data Analysis using SPSS for Windows, 3rd edn. Allen & Unwin, NSW (2007)
  18. Nunnally, J., Bernstein, I.: Psychological Theory. McGraw-Hill, New York (1994)
  19. D’Arcy, J., Greene, G.: Security culture and the employment relationship as drivers of employees’ security compliance. Inf. Manage. Comput. Secur. 22(5), 474–489 (2014)
  20. Workman, M.: Gaining access with social engineering: an empirical study of the threat. Inf. Syst. Secur. 16(6), 315–331 (2007)
  21. Spector, P.E.: Using self-report questionnaires in OB research: a comment on the use of a controversial method. J. Organ. Behav. 15(5), 385–392 (1994)
  22. Edwards, A.L.: The relationship between the judged desirability of a trait and the probability that the trait will be endorsed. J. Appl. Psychol. 37(2), 90–93 (1953)
  23. Crossler, R.E., et al.: Future directions for behavioral information security research. Comput. Secur. 32, 90–101 (2013)


Acknowledgements

This project is supported by a Premier's Research and Industry Fund grant provided by the South Australian Government Department of Further Education, Employment, Science and Technology.

Author information

Authors and Affiliations

  1. Adelaide Business School, The University of Adelaide, Adelaide, SA, Australia

    Malcolm Pattinson

  2. Defence Science and Technology Organisation, Edinburgh, SA, Australia

    Marcus Butavicius, Kathryn Parsons, Agata McCormac & Dragana Calic


Corresponding author

Correspondence to Malcolm Pattinson.

Editor information

Editors and Affiliations

  1. University of Bristol, Bristol, United Kingdom

    Theo Tryfonas

  2. Institute of Computer Science (ICS), Foundation for Research and Technology - Hellas (FORTH), Crete, Heraklion, Greece

    Ioannis Askoxylakis


© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Pattinson, M., Butavicius, M., Parsons, K., McCormac, A., Calic, D. (2015). Factors that Influence Information Security Behavior: An Australian Web-Based Study. In: Tryfonas, T., Askoxylakis, I. (eds) Human Aspects of Information Security, Privacy, and Trust. HAS 2015. Lecture Notes in Computer Science(), vol 9190. Springer, Cham. https://doi.org/10.1007/978-3-319-20376-8_21
