Organizational issues related to information security behavior: consequences of the mismatches between the organizational view and user point of view of information security
2010 (English). Independent thesis, Advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits. Student thesis.
Abstract [en]

Many companies struggle to reach a proper information security level, since employees lack training and may not follow the internal information security policies. This is an important area of concern that should be addressed properly by the top management and the information security department to avoid incidents, losses and loss of goodwill, among other consequences. In this qualitative case study in a Norwegian governmental organization, the thoughts of the top management and the information security responsible, middle leaders and employees regarding information security and policies were studied. This organization, like many others, has noticed information security incidents in recent years. Thirteen employees in various departments with different backgrounds and skills have been interviewed to better understand the view from various sides. I hope this study may be helpful for information security personnel to succeed with their tasks. The mismatches indicated in this study are that employees focus on data, passwords and Internet security, middle leaders are concerned about company values and reputation, while the top management focuses on decision processes and good regulations. Even if they state that they have enough time for it, employees might overlook restrictions. This may not be seen by their leader or the IT department due to lack of monitoring. They might then not be happy about certain things. Well-functioning practices that are not correct from a security perspective may continue as long as they go well. Employees don't feel they help the organization, since they don't get positive feedback and don't see the result of all actions. They might be motivated for more training but barely get it, since the top management doesn't think it is important enough and finds it too challenging. This may be explained by lack of awareness in the top management. Employees also think the policy must be reasonable and meaningful in order to fully adhere to it.
Another concern is that they may feel comfortable even if they don't know enough. Telling about threats is a challenging task for the IT department, even if the organizational members think it is important. This is of course a concern and should be addressed better by companies struggling with this. Neither employees nor the top management have been involved in the policy process, but the union clubs have been able to review the policy. The middle leaders are open to some awareness responsibilities, but this approach is doubted by the top management. Adhering to the ISS policy is not considered important by the employees or the middle leaders, only by the IT leader. Motivation, which is considered very important, may be reduced if the focus is low and user involvement is lacking. Visibility is not considered important by the middle leaders, since so much happens. The respondents also barely remember earlier initiatives, which may explain this. The policy process stopped due to lack of use of a system development process; specialists may have helped them out. The IT leader believes the policy may exist without strict punishment, since incidents usually may be addressed by explaining the wrong actions taken, and risk management is not considered necessary. Some internal and external factors have not been addressed in the policy process either. The top management and information security personnel designing the policies should use standards to ensure the processes are performed properly, and use proven guidelines to ensure quality throughout the process. It is also important to involve the users, care about their opinions and motivate them through correct and popular information security initiatives (training and awareness).
The consequences of such mismatches may be that employees lack ownership and don't know about threats and their consequences, which may cause risky behavior like ignoring security mechanisms and avoiding correct actions, especially if employees are not happy about something, are not monitored, or the company lacks a proper reward and sanction system. Risks may also go undetected if risk management is not performed. Lack of proper cooperation between the information security professionals and the various departments, as well as low visibility, lack of discussions and lack of a proper ISS culture, may cause low awareness in the organization. Incidents may occur if employees' behavior is not fully considered, or if work tasks and settings are not fully understood. Information security may further not be considered important if it is not fully known among all employees, or due to lack of top management involvement. The policy might also not be approved and paid attention to if important policy processes are not fulfilled, for instance when internal and external factors are ignored. All of these may cause incidents, loss of money and, in the worst case, a bad company reputation in a company with a weak ISS culture. These consequences may be resolved by informing about the importance of all CIA elements and of handling sensitive data and assets properly, by security training/awareness at all organizational levels, by policy enforcement, and by clearly explaining the consequences of breaking regulations. Middle leaders may take on some awareness responsibilities and discuss information security at regular meetings with their employees. This should be done in cooperation with information security specialists and may strengthen the ISS culture. It may also be wise to include users in some policy and strategic information security plan development, govern ISS initiatives, develop a security culture, perform a cyclic policy management procedure, anchor the process at the top and have a good project manager running policy projects.
Internal and external influences like regulations, reputation and business objectives should also be stated in the policy, and employees should be reminded of these regularly. An award and punishment system may also be established to handle a few areas of concern. But when all is said and done, people tend to act of their own free will and must be listened to. This may get them motivated and build ownership, especially in areas like policies and training, which do not interest everyone.

Keyword [en]
Social Behaviour Law, Organizational information security behaviour, information security, end user, middle leaders and top management view of information security, qualitative information security case study at a governmental organization
Keyword [sv]
Social sciences, behavioural sciences, law
URN: urn:nbn:se:ltu:diva-52815
ISRN: LTU-PB-EX--10/049--SE
Local ID: 9e893cbc-c205-4ea4-94a1-7b2b0c994810
OAI: diva2:1026187
Subject / course
Student thesis, at least 30 credits
Educational program
Information Security, master's level
Validated: 20101217 (root). Available from: 2016-10-04. Created: 2016-10-04. Bibliographically approved.

Open Access in DiVA

Full text: FULLTEXT01.pdf (1850 kB)
Type: fulltext
MIME type: application/pdf
Checksum: SHA-512
