Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.
KTH, School of Electrical Engineering (EES), Industrial Information and Control Systems.ORCID iD: 0000-0003-3922-9606
2014 (English)In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 43, 90-110 p.Article in journal (Refereed) Published
Abstract [en]

This paper presents an empirical investigation on what behavioral information security governance factors drives the establishment of information security knowledge sharing in organizations. Data was collected from organizations located in different geographic regions of the world, and the amount of data collected from two countries – namely, USA and Sweden – allowed us to investigate if the effect of behavioral information security governance factors on the establishment of security knowledge sharing differs based on national culture.

The study followed a mixed methods research design, wherein qualitative data was collected to both establish the study’s research model and develop a survey instrument that was distributed to 578 information security executives. The results suggest that processes to coordinate implemented security knowledge sharing mechanisms have a major direct influence on the establishment of security knowledge sharing in organizations; the effect of organizational structure (e.g., centralized security function to develop and deploy uniform firm-wide policies, and use of steering committees to facilitate information security planning) is slightly weaker, while business-based information security management has no significant direct effect on security knowledge sharing. A mediation analysis revealed that the reason for the non-significant direct relation between business-based information security management and security knowledge sharing is the fully mediating effect of coordinating information security processes. Thus, the results disentangles the interrelated influences of behavioral information security governance factors on security knowledge sharing by showing that information security governance sets the platform to establish security knowledge sharing, and coordinating processes realize the effect of both the structure of the information security function and the alignment of information security management with business needs.

A multigroup analysis identified that national culture had a significant moderating effect on the association between four of the six proposed relations. In Sweden – which is seen as a less individualist, feminine country – managers tend to focus their efforts on implementing controls that are aligned with business activities and employees’ need; monitoring the effectiveness of the implemented controls, and assuring that the controls are not too obtrusive to the end user. On the contrary, US organizations establish security knowledge sharing in their organization through formal arrangements and structures. These results imply that Swedish managers perceive it to be important to involve, or at least know how their employees cope with the decisions that have been made, thus favoring local participation in information security management, while US managers may feel the need to have more central control when running their information security function.

The findings suggest that national culture should be taken into consideration in future studies – in particular when investigating organizations operating in a global environment – and understand how it affects behaviors and decision-making. 

Place, publisher, year, edition, pages
Elsevier, 2014. Vol. 43, 90-110 p.
Keyword [en]
Information security, Knowledge sharing, Cultural differences, Mixed methods research, Partial least squares structural equation modeling
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-142630DOI: 10.1016/j.cose.2014.03.004ISI: 000337014000008Scopus ID: 2-s2.0-84898078970OAI: oai:DiVA.org:kth-142630DiVA: diva2:703804
Note

QC 20140520

Available from: 2014-03-09 Created: 2014-03-09 Last updated: 2017-12-05Bibliographically approved
In thesis
1. Shaping information security behaviors related to social engineering attacks
Open this publication in new window or tab >>Shaping information security behaviors related to social engineering attacks
2016 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency of IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis.

The contribution of this thesis includes (i) an instrument to measure security behaviors and its multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of what behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization.

This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Paper 2 and 3 describes how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Paper 5 and 8 describes how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Paper 6 and 7 describes experiments performed to understand reason to why employees fall for social engineering. Finally, paper 2, 5 and 6 examines the moderating effect of national culture.

Place, publisher, year, edition, pages
KTH Royal Institute of Technology, 2016. xv, 156 p.
Series
TRITA-EE, ISSN 1653-5146 ; 2016:061
Keyword
Information security, Behavioral information security, Social engineering, Phishing, Measuring information security behaviors, Information security governance, Experiments, National culture, Mixed method research design, Quantitative methods
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Industrial Information and Control Systems
Identifiers
urn:nbn:se:kth:diva-186113 (URN)978-91-7595-969-6 (ISBN)
Public defence
2016-05-27, L1, Drottning Kristinas väg 30, KTH Campus, Stockholm, 10:00 (English)
Opponent
Supervisors
Note

QC 20160503

Available from: 2016-05-03 Created: 2016-05-02 Last updated: 2016-05-20Bibliographically approved

Open Access in DiVA

Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture(471 kB)721 downloads
File information
File name FULLTEXT01.pdfFile size 471 kBChecksum SHA-512
3d49f916e0dc454e5bc5df4b2db851526cd0b7591f9a58b69c272850e21de28aa298ce42fb10a1b86e124ce2f7f854154c5d7ddbcdd34db943920969932f2cfc
Type fulltextMimetype application/pdf

Other links

Publisher's full textScopusScience direct

Authority records BETA

Ekstedt, Mathias

Search in DiVA

By author/editor
Rocha Flores, WaldoAntonsen, EgilEkstedt, Mathias
By organisation
Industrial Information and Control Systems
In the same journal
Computers & security (Print)
Electrical Engineering, Electronic Engineering, Information Engineering

Search outside of DiVA

GoogleGoogle Scholar
Total: 721 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 751 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf