Factors that influence an organization's information security hiring decisions

Information Security professionals have been attempting to convince senior management for many years that humans represent a major risk to the security of an organization’s computer systems and the information that these systems process. This major threat relates to the behavior of employees whilst they are using a computer at work. This paper examines the non-malicious computer-based behavior and how it is influenced by a mixture of individual, organizational and interventional factors. The specific factors reported herein include an employee’s age; education level; ability to control impulsivity; familiarity with computers; and personality. This research utilized the Qualtrics online web-based survey software to develop and distribute a questionnaire that resulted in 500 valid responses. The major conclusions of this research are that an employee’s accidental-naive behavior is likely to be less risky if they are more conscientious; older; more agreeable; less impulsive; more open; and, surprisingly, less familiar with computers.

Keywords

  • Information security [InfoSec]
  • Information risk
  • Human aspects of cyber security [HACS]
  • Behavioral information security
  • Risk management


1 Introduction

Chief Information Officers [CIOs], Chief Information Security Officers [CISOs] and other C-suite executives are, these days, quite convinced that humans represent a major threat to the security of an organization’s computer systems and the information that these systems store and process. This realization relates to the behavior of employees whilst they are “operating” a computer, which can range from accidental-naïve incidents to deliberate-malicious actions. The research described in this paper was specifically focused on the accidental-naïve [and therefore not deliberate-malicious] behavior of employees. Examples of such behavior include opening unsolicited email attachments or inadvertently sharing passwords with others by writing them on post-it notes and sticking them to the computer monitor. This type of behavior increases the risk of an information security incident, so if organizations could minimize it, their information assets would be more secure. So, how can this be achieved? Before this question can be addressed it is necessary to establish why employees unknowingly behave badly when they use a computer. Individuals may not be aware of the consequences of certain behaviors, they may have limited knowledge of computers, or their attitude towards their employer or towards computers may influence their subsequent behavior. In other words, what variables are associated with poor accidental-naïve behavior by computer users? If the most significant of these factors can be identified, whether they are individual, organizational or interventional factors, information security professionals will be better placed to design and implement information security interventions that mitigate this type of behavior. In turn, this will raise the level of information security within their organizations.

This research examines the impact that a selection of factors had on the self-reported accidental-naïve behavior of employees. These factors include their age; the highest level of education that they completed; their ability to control impulsivity; their familiarity with computers; and their personality traits.

1.1 Literature Review

An extensive literature review into the factors that affect information security behavior was conducted by Abraham [] in 2011. Although Abraham reported a healthy amount of research in this area, most of these studies related to the type of user behavior that impacts on “compliance with security policies”, that is, deliberate and possibly malicious behavior. For example, Pahnila et al. [] examined how attitudes towards compliance, normative beliefs and habits influence the intention to comply with organizational policies. Abraham [] reported no evidence of research concerned with accidental-naïve behavior, such as that examined in this current research. In addition, many of these studies focused on factors such as attitudes, beliefs and self-efficacy. Very few involved the factors that were examined in this current study, such as the ability to control impulsivity and familiarity with computers. For example, a study conducted by D’Arcy et al. [] examined the behavior of insider computer users, specifically focusing on “intentional insider misuse” and how certain controls and practices deter such deliberate actions. In contrast, Anderson et al. [] examined the behavioral intentions of “home” computer users. They focused on the impact of factors such as attitude, self-efficacy, subjective norms and psychological ownership.

Since 2011, although there has been an escalation in information security behavioral research, there is still a dearth of research pertaining to factors that affect the accidental-naïve behavior of organizational computer users. Notwithstanding this situation, a relevant study by Vance et al. [] examined the influence of factors such as perceived security, rewards and vulnerability on employee intention to comply with information system security policies. Also relevant to this current study, because it involved the use of personality traits, was a recent study conducted by Kajzer et al. [] that examined the effectiveness of different types of information security awareness messages. Messages in this context included newsletters, email, face-to-face instruction, screensavers, signage, seminars, training and education events.

1.2 Aim of this Paper

The aim of this paper is twofold. The first aim is to report on a web-based survey that elicited information from anonymous Australian working adults for the purpose of testing the following two types of hypotheses.

General Hypotheses. A number of studies have examined similar factors in regard to various types of behavior in a variety of domains, including information technology use [a literature review more extensive than Sect. 1.1 above is beyond the scope of this paper]. The following hypotheses relate to self-reported information security behavior and the extent to which it is risky.

H1: Age is positively associated with self-reported behavior.

H2: Level of education completed is positively associated with self-reported behavior.

H3: Ability to control impulsivity is positively associated with self-reported behavior.

H4: Familiarity with computers is positively associated with self-reported behavior.

Exploratory Hypotheses. These hypotheses are exploratory because there is no evidence of previous research regarding the traditional five personality traits and how they impact accidental-naive behavior of computer users.

H5a: Openness is associated with self-reported behavior.

H5b: Conscientiousness is associated with self-reported behavior.

H5c: Extraversion is associated with self-reported behavior.

H5d: Agreeableness is associated with self-reported behavior.

H5e: Emotional stability is associated with self-reported behavior.

The second aim of this paper is to report on the data analysis and how the results can be interpreted in order to improve this type of behavior. This, in turn, will potentially provide a greater level of information security within the respective employee organizations.

The structure of this paper is as follows. The next section provides an explanation of the web-based survey instrument, its validity and how information was collected. Following this, the results are presented and discussed, limitations are conceded and conclusions are expressed.

2 Method

This research utilized the Qualtrics web-based survey software to develop an online survey questionnaire. This questionnaire was distributed to selected respondents who were registered with Qualtrics as people who were interested in responding to questionnaires for a fee. This ‘panel’ of respondents was selected because they qualified as “Working Australian Adults”. These respondents received an email from Qualtrics that contained a clickable link which directed them to the questionnaire. Respondents were excluded if they did not use a computer at work and they were filtered out if their responses appeared to be too “mechanical”, that is, not thought out [known as content non-responsivity]. A total of 500 responses were considered valid for analysis with SPSS software. The questionnaire took an average of 30 min to complete.

The following data was collected via the questionnaire:

Self-Reported Behavior. Participants were asked to rate each of 21 behaviors on a 5-point rating scale ranging from “Strongly disagree” to “Strongly agree”. Three questions were posed for each of seven focus areas that were gleaned from information security standards and guidelines [–] and via interviews with senior management and certified information security auditors [CISAs]. These focus areas are:

  • Password Management

  • Email Use

  • Internet Use

  • Social Networking Site Use

  • Mobile Computing

  • Information Handling and

  • Incident Reporting.

Approximately half of the items were expressed in negative terms, and the items from the seven focus areas were presented in random order. Each participant recorded 21 scores between 1 and 5. Scores were aggregated after reversing the negatively worded items, so that a higher item score always indicates safer behavior. Consequently, the higher a participant’s aggregated score, the better behaved the participant was likely to be.

Age. Participants were asked to indicate their age within one of six ranges, namely, “20 or under”, “21–30”, “31–40”, “41–50”, “51–60” and “61 or over”.

Level of Education Completed. Participants were asked to indicate the highest level of education they completed on the 5-point scale, “Did not graduate from high school”, “Year 12 or equivalent”, “Some post-secondary”, “Bachelor degree” and “Post-graduate degree”.

Familiarity with Computers. On a 5-point scale participants were asked to indicate how often they engage in each of 13 different computer activities [Refer Table 1 below] using the question: How frequently do you engage in the following computer activities using any type of computer or portable device? Responses were assigned scores as follows: “Daily” = 4, “Weekly” = 3, “Monthly” = 2, “Less than Monthly” = 1 and “Never” = zero. The 13 scores were aggregated to represent a participant’s familiarity with computers. In other words, the higher the aggregated score, the more familiar a participant was considered to be with computers.

Personality Traits. This survey used an abbreviated version of the Big Five Inventory [BFI] personality test [], namely, the Ten-Item Personality Inventory [TIPI] developed by Gosling et al. []. This measure consists of 10 items each using 7-point ratings [Disagree strongly = 1 to Agree strongly = 7]. Two items represent each personality trait, namely, Agreeableness, Conscientiousness, Extraversion, Openness and Emotional stability. A measure for each trait is calculated as the sum of the scores for the two relevant items. This abbreviated method of measuring personality traits was considered adequate and appropriate for an exploratory study of this nature because it consumed much less time to complete than longer versions of the BFI.

Table 1. Percentage of participants [N = 500] who engage in various computer activities [the basis for assessing familiarity with computers].


Ability to Control Impulsivity. A participant’s ability to control impulsivity was measured by utilizing Frederick’s [] cognitive reflection test. This test consists of three mathematically-simple questions for which intuitive answers are not correct []. Each correct answer earns a score of 1, therefore a participant can score between zero [none correct] and three [all correct]. Participants who do well in this test tend to be more patient in decisions, that is, they are assumed to be less impulsive in their decision-making.

2.1 Validation

This research was primarily interested in how individual factors influenced self-reported accidental-naive behavior of participants and to a lesser extent how the composite model of independent variables predicted this behavior. Consequently, Standard Multiple Regression was used to analyse the data.

Sample Size. This study, which comprised nine independent variables and one dependent variable, used a sample size of 500 participants. According to Green [], a minimum sample size for such a study can be calculated as the sum of the number of independent variables plus 104. Consequently, the sample size of this study is not only far greater than 113 but also satisfies the Miles and Shevlin [] recommended sample size of 200, when using up to 20 predictors that have a medium effect [i.e. how well they predict self-reported behavior].

Multicollinearity. Table 2 below shows the Pearson correlation coefficients [r] and descriptive statistics for all 10 variables in the model. The correlations between each pair of independent variables are all less than 0.7, which is considered acceptable according to Cohen []. The correlations between the independent variables and the dependent variable, self-reported behavior, are mostly greater than 0.3. This is also considered acceptable, particularly since the Tolerance values are all greater than 0.10 and the VIF [Variance Inflation Factor] values are well below 10. Hence it is reasonable to conclude that the assumption of no multicollinearity has not been violated [, ].
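The sample-size rule and the multicollinearity checks described in this section can be reproduced without SPSS. The following Python script is an added example written for this page, not the authors' code, and uses only the standard library. The predictor columns it runs on are constructed with a fixed random seed and are not the survey data; the function and variable names are the example's own. It implements Green's N ≥ 104 + k rule, the pairwise Pearson correlations with the 0.7 ceiling, and tolerance and VIF for each predictor, obtained by regressing that predictor on all the others with ordinary least squares, and it shows the check failing on a deliberately collinear column.

```python
"""Validation checks for a standard multiple regression: Green's sample-size rule,
pairwise Pearson correlations, and tolerance / VIF per predictor.
Added example for this page (not the paper's code); standard library only.
The predictor columns below are CONSTRUCTED with a fixed seed, not survey data."""
import math
import random
from typing import List, Sequence


def green_min_sample(n_predictors: int) -> int:
    """Green's rule of thumb for testing individual predictors: N >= 104 + k."""
    return 104 + n_predictors


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson product-moment correlation coefficient r."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def _solve(a: List[List[float]], b: List[float]) -> List[float]:
    """Solve a @ x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[piv][col]) < 1e-12:
            raise ValueError("singular design matrix: perfectly collinear predictors")
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def ols_r2(y: Sequence[float], predictors: Sequence[Sequence[float]]) -> float:
    """R^2 of regressing y on the given predictor columns plus an intercept."""
    n, p = len(y), len(predictors) + 1
    rows = [[1.0] + [col[i] for col in predictors] for i in range(n)]
    xtx = [[sum(r[a] * r[b] for r in rows) for b in range(p)] for a in range(p)]
    xty = [sum(r[a] * y[i] for i, r in enumerate(rows)) for a in range(p)]
    beta = _solve(xtx, xty)
    yhat = [sum(bj * v for bj, v in zip(beta, r)) for r in rows]
    my = sum(y) / n
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, yhat))
    ss_tot = sum((yi - my) ** 2 for yi in y)
    return 1.0 - ss_res / ss_tot


def tolerance_and_vif(predictors: Sequence[Sequence[float]]):
    """For each predictor j: tolerance = 1 - R^2_j and VIF = 1 / tolerance,
    where R^2_j comes from regressing predictor j on all the other predictors."""
    out = []
    for j, col in enumerate(predictors):
        others = [c for i, c in enumerate(predictors) if i != j]
        tol = 1.0 - ols_r2(col, others)
        out.append((tol, 1.0 / tol))
    return out


def multicollinearity_ok(predictors, r_max=0.7, tol_min=0.10, vif_max=10.0) -> bool:
    """The three thresholds used in Sect. 2.1: |r| < 0.7 between every pair of
    predictors, tolerance > 0.10 and VIF < 10 for every predictor."""
    k = len(predictors)
    for i in range(k):
        for j in range(i + 1, k):
            if abs(pearson(predictors[i], predictors[j])) >= r_max:
                return False
    return all(tol > tol_min and vif < vif_max for tol, vif in tolerance_and_vif(predictors))


def constructed_predictors(n: int = 200, collinear: bool = False, seed: int = 42):
    """CONSTRUCTED data: three standard-normal columns; with collinear=True the
    third column is the first plus a little noise, which the VIF check must flag."""
    rng = random.Random(seed)
    x1 = [rng.gauss(0, 1) for _ in range(n)]
    x2 = [rng.gauss(0, 1) for _ in range(n)]
    if collinear:
        x3 = [v + rng.gauss(0, 0.05) for v in x1]
    else:
        x3 = [rng.gauss(0, 1) for _ in range(n)]
    return [x1, x2, x3]


if __name__ == "__main__":
    print("Green minimum N for 9 predictors:", green_min_sample(9))
    for label, flag in (("independent", False), ("collinear", True)):
        cols = constructed_predictors(collinear=flag)
        print(label, [(round(t, 3), round(v, 1)) for t, v in tolerance_and_vif(cols)],
              "ok" if multicollinearity_ok(cols) else "VIOLATED")
```

With two predictors the VIF reduces to 1 / (1 - r²), which is a convenient sanity check on the OLS routine; with nine predictors, as in the paper, the pairwise correlations alone are not enough, because a predictor can be well explained by a combination of the others while every pairwise r stays below 0.7, which is exactly what tolerance and VIF catch.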

Table 2. Descriptive statistics and variable intercorrelations


3 Results and Discussion

This paper reports on exploratory research that empirically tested the effect of various factors on the self-reported behavior of employees. These factors are not intended to entirely predict a participant’s self-reported behavior because there are many other individual, organizational and interventional factors that have this same potential. In this study ‘self-reported behavior’ relates to accidental-naïve behavior of employees whilst they are using a computer. Standard multiple regression analyses were conducted to investigate the impact of nine factors on self-reported behavior. A summary of these results is shown in Fig. 1 below.

Fig. 1. Regression model

The strength of the relationships between the independent variables and the dependent variable are shown in the model together with the amount of variance [39 %] in self-reported behavior that is accounted for by the independent variables combined [R²]. The dependent variable, self-reported behavior, was represented by 21 items. The Cronbach Alpha reliability coefficient for these items was 0.918. Since this is greater than the recommended value of 0.7 [], the internal consistency of the scale is considered acceptable. Note that the higher the score a participant gets for self-reported accidental-naïve behavior, the better [that is, less risky] their behavior is assumed to be.
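The reverse-scoring and aggregation of the 21 behavior items described in Sect. 2, and the Cronbach Alpha coefficient reported above, as an added example for this page (not the authors' code; standard library only). The page does not say which of the 21 items were negatively worded, so the set of reverse-keyed items below is an assumption (every second item, 10 of the 21); the participant responses are constructed with a fixed seed and are not the survey data. The example also shows the caveat that matters in practice: computing alpha on raw responses without first reversing the negatively worded items destroys the reliability estimate.

```python
"""Scoring a Likert scale with reverse-keyed items and checking its internal
consistency with Cronbach's alpha. Added example for this page (not the paper's
code); standard library only. Responses below are CONSTRUCTED, not survey data."""
import random
from statistics import variance
from typing import List, Sequence

N_ITEMS = 21
SCALE_MIN, SCALE_MAX = 1, 5
# ASSUMPTION: the page does not list which items were negatively worded, so every
# second item is treated as reverse-keyed here (10 of the 21 items, roughly half).
REVERSED_ITEMS = frozenset(range(1, N_ITEMS, 2))


def reverse_score(value: int, lo: int = SCALE_MIN, hi: int = SCALE_MAX) -> int:
    """Mirror a rating within the scale: 1 <-> 5, 2 <-> 4, 3 stays 3."""
    return lo + hi - value


def score_items(responses: Sequence[int]) -> List[int]:
    """Apply reverse scoring so that a higher value always means safer behavior."""
    if len(responses) != N_ITEMS:
        raise ValueError(f"expected {N_ITEMS} responses, got {len(responses)}")
    scored = []
    for idx, v in enumerate(responses):
        if not SCALE_MIN <= v <= SCALE_MAX:
            raise ValueError(f"item {idx}: rating {v} outside {SCALE_MIN}..{SCALE_MAX}")
        scored.append(reverse_score(v) if idx in REVERSED_ITEMS else v)
    return scored


def behavior_score(responses: Sequence[int]) -> int:
    """Aggregated self-reported behavior score (21..105); higher = less risky."""
    return sum(score_items(responses))


def cronbach_alpha(matrix: Sequence[Sequence[float]]) -> float:
    """alpha = k/(k-1) * (1 - sum(item variances) / variance(total score)).
    matrix[i][j] is participant i's value for item j, already scored."""
    k = len(matrix[0])
    item_vars = [variance([row[j] for row in matrix]) for j in range(k)]
    total_var = variance([sum(row) for row in matrix])
    return k / (k - 1) * (1.0 - sum(item_vars) / total_var)


def constructed_responses(n: int = 500, seed: int = 1) -> List[List[int]]:
    """CONSTRUCTED raw responses: each participant has a latent 'safe behavior'
    level; a negatively worded item is agreed with when that level is low."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        level = rng.gauss(0, 1)
        row = []
        for j in range(N_ITEMS):
            safe = min(SCALE_MAX, max(SCALE_MIN, round(3 + level + rng.gauss(0, 0.8))))
            row.append(reverse_score(safe) if j in REVERSED_ITEMS else safe)
        rows.append(row)
    return rows


if __name__ == "__main__":
    raw = constructed_responses()
    scored = [score_items(r) for r in raw]
    print("alpha after reverse scoring:", round(cronbach_alpha(scored), 3))
    print("alpha if reversal is forgotten:", round(cronbach_alpha(raw), 3))
    print("first participant's aggregated score:", behavior_score(raw[0]))
```

Because reverse-keyed items correlate negatively with the rest of the scale until they are mirrored, the variance of the raw total collapses and alpha falls far below 0.7, so a coefficient of 0.918 such as the one reported above is only meaningful once the reversal has been applied to every negatively worded item.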

The independent variable Conscientiousness [37 %] makes the strongest individual contribution towards explaining the self-reported behavior of participants. Other predictor variables that contributed to a lesser extent in explaining self-reported behavior, in order of effect, were Age [15 %], Agreeableness [15 %], Ability to control impulsivity [12 %], Openness [12 %] and Familiarity with computers [10 %]. The relationships between each of the independent variables and the dependent variable, self-reported behavior, are discussed in more detail below.

Age [β = 0.15, p 
