Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Shaping intention to resist social engineering through transformational leadership, information security culture and awareness
KTH, School of Electrical Engineering (EES), Electric Power and Energy Systems. (Industrial information and control systems)
KTH, School of Electrical Engineering (EES), Electric Power and Energy Systems. (Industrial information and control systems)ORCID iD: 0000-0003-3922-9606
2016 (English)In: Computers & security (Print), ISSN 0167-4048, E-ISSN 1872-6208, Vol. 59, p. 26-44Article in journal (Refereed) Published
Abstract [en]

This paper empirically investigates how organizational and individual factors complement each other in shaping employees' intention to resist social engineering. The study followed a mixed methods research design, wherein qualitative data were collected to both establish the study's research model and develop a survey instrument that was distributed to 4296 organizational employees from a diverse set of organizations located in Sweden. The results showed that attitude toward resisting social engineering has the strongest direct association with intention to resist social engineering, while both self-efficacy and normative beliefs showed weak relationships with intention to resist social engineering. Furthermore, the results showed that transformational leadership was strongly associated with both perceived information security culture and information security awareness. Two mediation tests showed that attitude and normative beliefs partially mediate the effect of information security culture on employees' intention to resist social engineering. This suggests that both attitude and normative beliefs play important roles in governing the relationship between information security culture and intention to resist social engineering. A third mediation test revealed that information security culture fully explains the effect of transformational leadership on employees' attitude toward resisting social engineering. Discussion of the results and practical implications of the performed research are provided.

Place, publisher, year, edition, pages
2016. Vol. 59, p. 26-44
Keywords [en]
Transformational leadership, Information security culture, Information security awareness, Theory of planned behavior, Social engineering, Mixed methods research
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
URN: urn:nbn:se:kth:diva-186098DOI: 10.1016/j.cose.2016.01.004ISI: 000375737400003Scopus ID: 2-s2.0-84961148106OAI: oai:DiVA.org:kth-186098DiVA, id: diva2:925346
Note

QC 20181203

Available from: 2016-05-02 Created: 2016-05-02 Last updated: 2018-12-03Bibliographically approved
In thesis
1. Shaping information security behaviors related to social engineering attacks
Open this publication in new window or tab >>Shaping information security behaviors related to social engineering attacks
2016 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Today, few companies would manage to continuously stay competitive without the proper utilization of information technology (IT). This has increased companies’ dependency of IT and created new threats that need to be addressed to mitigate risks to daily business operations. A large extent of these IT-related threats includes hackers attempting to gain unauthorized access to internal computer networks by exploiting vulnerabilities in the behaviors of employees. A common way to exploit human vulnerabilities is to deceive and manipulate employees through the use of social engineering. Although researchers have attempted to understand social engineering, there is a lack of empirical research capturing multilevel factors explaining what drives employees’ existing behaviors and how these behaviors can be improved. This is addressed in this thesis.

The contribution of this thesis includes (i) an instrument to measure security behaviors and its multilevel determinants, (ii) identification of multilevel variables that significantly influence employees’ intent for behavior change, (iii) identification of what behavioral governance factors that lay the foundation for behavior change, (iv) identification that national culture has a significant effect on how organizations cope with behavioral information security threats, and (v) a strategy to ensure adequate information security behaviors throughout an organization.

This thesis is a composite thesis of eight papers. Paper 1 describes the instrument measuring multilevel determinants. Paper 2 and 3 describes how security knowledge is established in organizations, and the effect on employee information security awareness. In Paper 4 the root cause of employees’ intention to change their behaviors and resist social engineering is described. Paper 5 and 8 describes how the instrument to measure social engineering security behaviors was developed and validated through scenario-based surveys and phishing experiments. Paper 6 and 7 describes experiments performed to understand reason to why employees fall for social engineering. Finally, paper 2, 5 and 6 examines the moderating effect of national culture.

Place, publisher, year, edition, pages
KTH Royal Institute of Technology, 2016. p. xv, 156
Series
TRITA-EE, ISSN 1653-5146 ; 2016:061
Keywords
Information security, Behavioral information security, Social engineering, Phishing, Measuring information security behaviors, Information security governance, Experiments, National culture, Mixed method research design, Quantitative methods
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Industrial Information and Control Systems
Identifiers
urn:nbn:se:kth:diva-186113 (URN)978-91-7595-969-6 (ISBN)
Public defence
2016-05-27, L1, Drottning Kristinas väg 30, KTH Campus, Stockholm, 10:00 (English)
Opponent
Supervisors
Note

QC 20160503

Available from: 2016-05-03 Created: 2016-05-02 Last updated: 2016-05-20Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Publisher's full textScopus

Authority records BETA

Ekstedt, Mathias

Search in DiVA

By author/editor
Rocha Flores, WaldoEkstedt, Mathias
By organisation
Electric Power and Energy Systems
In the same journal
Computers & security (Print)
Other Electrical Engineering, Electronic Engineering, Information Engineering

Search outside of DiVA

GoogleGoogle Scholar

doi
urn-nbn

Altmetric score

doi
urn-nbn
Total: 195 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • harvard1
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf