ABSTRACT

Information security is a multibillion-dollar problem faced by commercial, non-profit, and government organizations around the world. Because of their adverse effects on organizational information systems, viruses, hackers, and malicious insiders can jeopardize organizations’ capabilities to pursue their missions effectively. Although technology-based solutions help to mitigate some of the many problems of information security, even the best technology cannot work successfully unless effective human-computer interaction occurs. Information technology professionals, managers, and end users all play a significant role in determining whether the behavior that occurs as people interact with information technology will support the maintenance of effective security or undermine it. In the present paper we try to apply behavioral science concepts and techniques to understanding problems of information security in organizations. We analyzed a large set of interviews, developed a set of behavioral categories, and conducted three survey studies (N = 1167, N = 298, and N = 414) to explore whether and how behavioral science could apply to the complex set of organizational problems surrounding contemporary information security. We report these results and provide a future research agenda for researchers who wish to support organizations’ efforts to ensure security of their information assets.

Keywords: Information Security, Organizational Psychology, Surveys

INTRODUCTION

Over recent decades, most work organizations have come to depend on information technology. As connectivity among computers has increased, so has the likelihood of intrusion, theft, defacement, etc. Surprisingly, although organizations sometimes focus more on vulnerability to external attack, industry research by Ernst and Young (2002) indicated that well over half of the cost of security failures results from insider activity. Computer scientists, network engineers, information technology specialists, and others have developed technological solutions for these information security problems (e.g., Won, 2001), and a large software and hardware development industry is dedicated to the design and marketing of security-related devices such as firewalls and biometrics.