Though organizations are generally concerned with external security threats (such as viruses and hacking attempts) [9], industry surveys suggest that a substantial portion of computer security incidents are due to the intentional actions of legitimate users [2, 4]. A study by Vista Research in 2002 estimated that 70% of security breaches involving losses of more than $100,000 were internal, often perpetrated by disgruntled employees [8]. Besides financial loss, the negative consequences of such insider misuse of IS resources, or "IS misuse," include negative publicity, competitive disadvantage, and loss of customer confidence. Security experts predict that the frequency of IS misuse and the loss associated with it will persist due to increasing user sophistication and the availability of advanced software tools [5].
Researchers and practitioners concerned with information security recommend that organizations implement security countermeasures to control IS misuse [7, 10]. Countermeasures should include a combination of procedural controls (such as security policy statements, acceptable usage guidelines, and security awareness education and training) and technical controls (such as biometric devices and filtering and monitoring software). They can serve as a deterrent in that users perceive a greater threat of getting caught and punished for IS misuse and therefore would be discouraged from engaging in such behavior.
Research on the topic has produced conflicting results. A notion supported in [11] maintains that security policy statements and access controls deter IS misuse, while [6, 12] found that security policies have limited effect. The study in [11] was conducted more than 20 years ago when most business computers were monolithic (mainframes), and the security function was much more centralized than it is today. Moreover, the analyses in [11, 12] were limited to the misuse incidents detected by the organization, often only a fraction of the actual number of incidents [7]. Meanwhile, the results of a survey reported in [5] (primarily of managers) regarding security policies may differ from users' perceptions of the same policies.
Considering that the success of security countermeasures as a deterrence mechanism ultimately depends on the actions and awareness of end users, managers should understand the effect of controls from the user perspective. Such understanding would help produce a more realistic evaluation of the effect of security countermeasures on end-user computing behavior. Our 2005 study examined employee awareness of four security countermeasures (security policies, security-awareness programs, computer monitoring, and preventive security software) and their deterrent effect on user intentions regarding IS misuse. The results have important implications for IS security management within organizations.
Security policies typically include statements of organizational goals and beliefs, existing controls, and employee responsibilities [5]. Their purpose is to provide detailed guidance to users regarding acceptable use of organizational IS resources. International standard ISO 17799 provides a common set of "best practices" for writing and implementing security policies. However, security policies vary by industry and by organization. For example, health care organizations are likely to have more stringent policies than, say, educational institutions.
Security-awareness programs focus on raising employees' awareness of their responsibilities regarding their organizations' information resources and the consequences of abusing them, providing the necessary skills to help fulfill these responsibilities. Effective security awareness requires an ongoing effort by the organization, including: reminders to change passwords; email messages announcing new virus threats; security-awareness newsletters; and periodic briefings explaining the consequences of noncompliance.
Security technologies (such as internal firewalls and filters) are often implemented to prevent IS misuse [7]. Here, we focus on technical controls as a deterrent against IS misuse by convincing potential offenders of the certainty of detection [6, 10]. The effect is, however, contingent on user awareness of the controls. Therefore, we limit our discussion to the two controls that end users interact with directly: computer monitoring and preventive security software. Computer monitoring records who is doing what in the system and when such action takes place; examples include monitoring employee email and Internet use, recording network activity, and performing security audits [2, 7].
Preventive security software includes access control and authentication programs. The most common ones employ a user ID or password to authenticate users [6, 11]. More sophisticated ones authenticate users via token-based approaches (such as smart cards) and biometric techniques (such as fingerprints) [2].
We conducted our 2005 study using a sample of employees from eight organizations across the U.S. and part-time MBA students from two mid-Atlantic U.S. universities. We used a Web-based survey to elicit respondents' IS misuse intentions and awareness of security countermeasures within their organizations (see the sidebar "How the Survey Was Done"). All survey items were measured on seven-point scales with appropriate endpoints (for example, 1 = strongly disagree to 7 = strongly agree); Table 1 lists sample items for each of the countermeasures we measured.
A panel of experts tested, modified, and validated the survey; we also used two pilot studies. The full-scale study yielded a total of 579 usable surveys. Respondents were all employed professionals who used a computer regularly in their jobs. About 64% were male, and about 50% were in the 25-34 age group. They held managerial (23%), technical (29%), professional (39%), and administrative (9%) positions in various industries, including manufacturing (32%), finance/insurance (22%), software (17%), health care (10%), advertising/marketing (7%), education (6%), and retail (6%). Company size ranged from small to large, with a sizable portion (44%) with 10,000 or more employees.
We initially examined respondents' awareness of the four security countermeasures discussed earlier within their organizations (see the figure here). This helped assess the security efforts of respondent organizations from an end-user perspective. Respondents were most aware of the existence of security policies compared to the other countermeasures. This was not surprising given that such policies are relatively inexpensive to implement and that most organizations of at least moderate size employ some type of policy [5].
It is interesting to note that security-awareness programs had the lowest score of the four countermeasures, suggesting that although organizations invest resources in developing security policies, they don't devote extensive resources toward educating users on the importance of compliance.
We next performed a regression analysis to assess the effect of awareness of each of the security countermeasures on IS misuse intentions. To eliminate potential bias due to age and gender, we controlled for both these variables in the regression (see Table 2). With the exception of computer monitoring, awareness of each of the countermeasures had a significant negative effect on IS misuse intentions, suggesting that as end users become more aware of the existence of security policies, security-awareness programs, and preventive security software within their organizations, they are less likely to engage in the misuse behaviors in the survey. The results also suggest that the effect of the countermeasures is not the same. Users seem most deterred by the existence of security-awareness programs, followed by security policies and preventive security software. Awareness of computer monitoring does not appear to deter users from IS misuse.
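The regression described above can be reproduced in miniature on constructed data. The following is an added illustration, not the study's own analysis code: it generates a hypothetical respondent sample (seven-point awareness scores for the four countermeasures, plus age and gender as controls), fits an ordinary-least-squares model of misuse intention on those predictors, and reports each coefficient with its standard error and t statistic, which is what "significant negative effect" refers to. The effect sizes baked into the generator are assumptions chosen to mirror the pattern the text reports (monitoring has no effect); nothing here is the authors' data.

```python
"""OLS regression of IS-misuse intention on awareness of four countermeasures,
controlling for age and gender (pure Python, no third-party packages).

Added illustration, not the study's own analysis code. The respondent data are
CONSTRUCTED with a fixed seed; the true effects in the generator are hypothetical.
"""
import math
import random

PREDICTORS = ["policy", "awareness_program", "monitoring", "security_software",
              "age", "gender"]


def make_sample(n=600, seed=7):
    """Constructed respondents: awareness scores on 1..7 scales, age in years,
    gender coded 0/1, and a misuse-intention score driven by assumed effects."""
    rng = random.Random(seed)
    # Hypothetical true effects: three deterrents, monitoring inert.
    true_effects = {"policy": -0.4, "awareness_program": -0.6, "monitoring": 0.0,
                    "security_software": -0.3, "age": -0.02, "gender": 0.2}
    rows = []
    for _ in range(n):
        x = {p: rng.randint(1, 7) for p in PREDICTORS[:4]}
        x["age"] = rng.randint(22, 60)
        x["gender"] = rng.randint(0, 1)
        y = 8.0 + sum(true_effects[p] * x[p] for p in PREDICTORS) + rng.gauss(0, 0.7)
        rows.append((x, y))
    return rows


def invert(m):
    """Gauss-Jordan inverse of a small square matrix (list of lists)."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular design matrix (collinear predictors)")
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]


def ols(rows):
    """Fit y = b0 + b.x by least squares; return coefficient, standard error and
    t statistic per term so sign and significance can be read off directly."""
    names = ["intercept"] + PREDICTORS
    X = [[1.0] + [float(x[p]) for p in PREDICTORS] for x, _ in rows]
    y = [yy for _, yy in rows]
    k, n = len(names), len(rows)
    xtx = [[sum(X[i][a] * X[i][b] for i in range(n)) for b in range(k)] for a in range(k)]
    xty = [sum(X[i][a] * y[i] for i in range(n)) for a in range(k)]
    inv = invert(xtx)
    beta = [sum(inv[a][b] * xty[b] for b in range(k)) for a in range(k)]
    resid = [y[i] - sum(beta[a] * X[i][a] for a in range(k)) for i in range(n)]
    sigma2 = sum(r * r for r in resid) / (n - k)  # residual variance
    result = {}
    for a, name in enumerate(names):
        se = math.sqrt(sigma2 * inv[a][a])
        result[name] = {"coef": beta[a], "se": se, "t": beta[a] / se}
    return result


def deterrent_effects(rows, t_crit=1.96):
    """Label each countermeasure: significant deterrent (negative, |t| > t_crit),
    significant positive association, or no significant effect."""
    fit = ols(rows)
    verdict = {}
    for p in PREDICTORS[:4]:
        coef, t = fit[p]["coef"], fit[p]["t"]
        if abs(t) < t_crit:
            verdict[p] = "no significant effect"
        else:
            verdict[p] = "deters misuse" if coef < 0 else "associated with more misuse"
    return fit, verdict


if __name__ == "__main__":
    fit, verdict = deterrent_effects(make_sample())
    for name, s in fit.items():
        print(f"{name:18s} coef={s['coef']:+.3f}  se={s['se']:.3f}  t={s['t']:+.2f}")
    for p, v in verdict.items():
        print(f"{p}: {v}")
```

On a real survey the same routine would be fed the measured scale scores; the point of keeping age and gender in the design matrix is that any awareness effect reported is net of those demographic differences, which is what "controlled for" means in the text.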
While security researchers and best-practice advocates extol the benefits of security-awareness programs [7, 10], there is little empirical evidence to support their claims. Our results provide evidence that educating users is an effective way to deter IS misuse. Moreover, considering that awareness programs also alert users to known vulnerabilities and exploits (such as viruses, identity theft, and social engineering), our results suggest that educating users on security issues helps reduce the intentions behind IS misuse. Our results also suggest that security-awareness education/training is the most neglected countermeasure by organizations compared to the other countermeasures in the survey.
The survey's results also have implications for the allocation of IS security budgets. In [4], over 70% of surveyed organizations indicated that they use security technologies (such as virus-detection software and firewalls) to protect information systems, while only 28% indicated that they have implemented security-awareness programs. Our results suggest that organizations should consider allocating a greater portion of their IS security budgets to ongoing security awareness.
Prior research suggested that security policies have little, if any, effect on individual IS misuse behavior [6, 12]. However, it used managers' perceptions of security policies rather than asking end users directly; it is possible that employees were not fully aware of the security policies within their organizations. Therefore, an accurate assessment of the effect of these policies on end users could not be obtained. Such discrepancy between managers' awareness of security policies and users' awareness of the same policies is likely, given the lack of emphasis on user education and training. Our results suggest that users' awareness of security-policy statements and guidelines decreases the likelihood that they will engage in IS misuse.
Organizations should improve users' awareness of security policies by introducing them during employee orientation, even making employees sign an acknowledgment that they have read and understand them. Security-policy statements and procedures should also be prominently displayed on the organization's internal Web site.
The insignificant effect of computer monitoring on intentions regarding IS misuse is contrary to the notion that making users aware that they are being "watched" is an effective deterrent against IS misuse [11]. It is possible that users do not equate monitoring with being caught. For example, our informal discussions with several of our 54 pilot study participants revealed that many believed that their organizations recorded employees' Internet browsing and email behavior; however, they also doubted that IT personnel were reviewing these logs on a regular basis. A study [1] that found that monitoring had no effect on Internet abuse in the workplace is consistent with this line of thinking. It is also possible that even if users feel that monitoring increases their chances of getting caught, they doubt the punishment will be severe, since convicted computer abusers have historically received only light punishment, with some eventually hired as consultants [5]. Future research should examine the plausibility of these explanations in more detail in order to determine why computer monitoring does not seem to deter IS misuse.
The significant relationship between preventive security software and intentions regarding IS misuse empirically supports the argument that preventive technologies also serve as a deterrent by increasing users' fear of detection [5, 10]. Hence, organizations should make a concerted effort to alert employees as to the latest technological solutions protecting IS resources. Providing real-time feedback during the password-construction process is one such approach.
The finding regarding the effect of preventive security software has additional implications. Because this software helps prevent unauthorized activity, the apparent deterrent effect of preventive technologies is over and above their core functionality. IS managers should highlight the added value of deterrence when proposing investment in preventive security technologies (such as smart cards and biometric devices) to upper management, especially given the high cost of their implementation.
The success of IS security depends largely on end-user behavior and awareness. Our study empirically examined user awareness of security policies, security-awareness programs, computer monitoring, and preventive security software and their effect on user intentions regarding IS misuse. With the exception of computer monitoring, each of these four security countermeasures appears to significantly reduce users' IS misuse intentions. What makes this an important finding is that research indicates that managers consider IS security a preventive rather than a deterrent function [10]. Consequently, strategies for combating IS misuse are often reactive. Our results suggest that a combined proactive and preventive approach to security that deters users from IS misuse should include:
They further suggest that ongoing security-awareness education and training is effective at deterring IS misuse and that monitoring end-user computer activity has little deterrent effect. However, while the results point to the benefits of procedural countermeasures, industry surveys continue to indicate that organizations manage IS security with a strong technological focus that places little emphasis on process controls. This disproportionate focus on technical countermeasures may partially explain why IS misuse remains a significant problem. Technical and procedural controls should complement one another.
It seems that end users are sophisticated enough today that technical security controls alone cannot deter misuse; they need additional "proof" that the organization is serious about security. Fostering a security culture that encourages compliance with security policies, along with end-user awareness and attention to security issues, will help reduce IS misuse in the workplace.
1. Galletta, D. and Polak, P. An empirical investigation of antecedents of Internet abuse in the workplace. In Proceedings of the Second Annual Workshop on HCI Research in MIS (Seattle, Dec. 12-13, 2003), 47-51.
2. Gordon, L., Loeb, M., Lucyshyn, W., and Richardson, R. 2006 CSI/FBI Computer Crime and Security Survey. Computer Security Institute, San Francisco, CA; www.gocsi.com/forms/fbi/csi_fbi_survey.jhtml.
3. Hays, R., Hayashi, T., and Stewart, A. A five-item measure of socially desirable response set. Educational and Psychological Measurement 49, 3 (1989), 629-637.
4. InformationWeek. U.S. Information Security Research Report. InformationWeek (Aug. 29, 2005); www.informationweek.com/reports/showReport.jhtml?articleID=170100861.
5. Lee, J. and Lee, Y. A holistic model of computer abuse within organizations. Information Management & Computer Security 10, 2 (2002), 57-63.
6. Lee, S.M., Lee, S.-G., and Yoo, S. An integrative model of computer abuse based on social control and general deterrence theories. Information and Management 41, 6 (2004), 707-718.
7. Parker, D. Fighting Computer Crime. John Wiley & Sons, New York, 1998.
8. Standage, T. The weakest link. The Economist (Oct. 26, 2002), 11-14.
9. Stanton, J., Stam, K., Mastrangelo, P., and Jolton, J. An analysis of end-user security behaviors. Computers & Security 24, 2 (2005), 124-133.
10. Straub, D. and Welke, R. Coping with systems risk: Security planning models for management decision making. MIS Quarterly 22, 4 (Dec. 1998), 441-469.
11. Straub, D. Effective IS security: An empirical study. Information Systems Research 1, 3 (1990), 255-276.
12. Wiant, T. Policy and Its Impact on Medical Record Security. Unpublished doctoral dissertation, University of Kentucky, 2003.
©2007 ACM 0001-0782/07/1000 $5.00
The Digital Library is published by the Association for Computing Machinery. Copyright © 2007 ACM, Inc.