Examining the Linkage between Information Security and End-user Trust

Published by: ijcsis on Mar 08, 2011
Copyright: Attribution Non-commercial

Ioannis Koskosas¹, Konstantinos Kakoulidis², Christos Siomos³

¹ Department of Information Technologies and Telecommunications, University of Western Macedonia, and Department of Finance, Technological Educational Institute of Western Macedonia, KOZANI, 50100, Greece
² Department of Finance, Technological Educational Institute of Western Macedonia, KOZANI, 50100, Greece
³ SY.F.FA.S.DY.M (Pharmaceuticals of Western Macedonia), KOZANI, 50100, Greece

E-mail: ioanniskoskosas@yahoo.com
 
Abstract - The main purpose of information security is to protect information and specifically, the integrity, confidentiality, and availability of data through an organization’s network and telecommunication channels. Although information security is critical for organizations to survive, a number of studies continue to report incidents of critical information loss. To this end, there is still an increasing interest to study information security from a non-technical perspective. In doing so, this research focuses on the linkage between information security and end-user trust as a way to better understand and more efficiently manipulate the information security management process. That is, manipulating more effectively information security among end-users. Achieving the required level of information security within organizations usually requires security awareness and control but also a better understanding of end-user behavior in which security measures are tailored, too. In effect, organizations may have a clearer insight into how to behave more effectively to such security measures.

Keywords - Information Security, End-user Trust, Information Technology
 
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 9, No. 2, February 2011, http://sites.google.com/site/ijcsis/, ISSN 1947-5500

I. INTRODUCTION

The reliance by every organization upon information technology (IT) has increased dramatically, as technology has developed and evolved. Over recent decades, organizations have come to depend on IT for operations, external transactions, and mediated communications (e.g., e-mail, facsimile). Similarly, information has developed into a strategic asset, while the computerized information systems have become ultimate strategic tools for both government and organizations [1,2]. Due to globalization and competitive economic environments, efficient information management is critical to business survival and effective decision making activities. However, as connectivity to devices has increased, so has the likelihood of unauthorized intrusion into systems, theft, defacement, and other forms of information resource loss.

In a similar vein, as society and its economic patterns have evolved from the heavy-industrial era to that of the information society, in terms of providing new products and services to satisfy people’s needs, organizational strategies have changed too. In effect, corporations have altered their organizational and managerial structures as well as work patterns in order to leverage technology to its greatest advantage. Economic and technology phenomena such as downsizing, outsourcing, distributed architecture, client/server and e-banking all include the goal of making organizations leaner and more efficient. However, information systems are deeply exposed to security threats as organizations push their technological resources to the limit in order to meet organizational needs [3,4].

A number of major studies recently conducted [5,6,7] have indicated that security threats continue to rise. While security attacks are either internal or external, 66% of computer attacks in Greece come from employees within organizations [8]. To this end, the success of information security appears to depend, in part, upon the effective behavior and understanding of the individuals involved in its use. Constructive behavior by end users and system administrators can improve the effectiveness of information security. Human behavior is complex and multi-faceted, and this becomes more complicated in organizations, where culture defies the expectations for control and predictability that developers routinely assume for technology. In support of this, the [9] Guidelines for the Security of Information Systems also state that: “The diversity of system user - employees, consultants, customers, competitors or the general public - and their various levels of awareness, training and interest compound the potential difficulties of providing security”.

The present research takes a different perspective on this issue by focusing on behavioral information security: the values and beliefs held by end-users that influence the confidentiality, availability, and integrity of data through the organizations’ information systems. To this end, this research examines the extent to which information security behaviors relate to end-user trust, that is: openness to the efficient communication of security risk messages. The main research assumption is that end-user trust would relate positively to the enactment of information security behaviors such as following new security policies and communicating security messages that are in effect of the organizations’ business objectives. Hence, information security should support the mission of the organizations, it must be cost effective and must be in sync with end-user behavior seamlessly; that is, integrate technology, processes and people.

II. BRIEF INFORMATION SECURITY BACKGROUND

Although a number of IS security approaches have been developed over the years that reactively minimize security threats, such as checklists, risk analysis and evaluation methods, there is a need to establish mechanisms to proactively manage IS security. That said, academics’ and practitioners’ interest has turned to social and organizational factors that may have an influence on IS security development and management. For example, Reference [10] has emphasized the importance of understanding the assumptions and values of different stakeholders to successful IS implementation. Such values have also been considered important in organizational change [11], in security planning [12] and in identifying the values of internet commerce to customers [13]. Reference [4] has also used the value-focused thinking approach to identify fundamental and means objectives, as opposed to goals, that would be a basis for developing IS security measures. These value-focused objectives were more of the organizational and contextual type.
A number of studies investigated inter-organizational trust in a technical context. Some of them have studied the impacts of trust in an e-commerce context [14,15,16] and others in virtual teams [17,18]. Reference [19] studied trust as a factor in social engineering threat success and found that people who were trusting were more likely to fall victim to social engineering than those who were distrusting. Reference [20] used a goal setting approach to identify weaknesses in security management procedures and found that different political agendas influenced the level of security goal setting negatively.

Reference [21, p. 1551] also reviewed 1043 papers of the IS security literature for the period 1990-2004 and found that almost 1000 of the papers were categorized as ‘subjective-argumentative’ in terms of methodology, with field experiments, surveys, case studies and action research accounting for less than 10% of all the papers. That said, this research adopts a survey approach to study the linkage between information security and end-user trust, as no prior research has studied these specific contexts and their interrelationship.
III. INFORMATION SECURITY BEHAVIOR

Information security behavior is part of the corporate culture and defines how employees see the organization [22]. Most of the literature on organizational culture focuses on the hypothesis that strong cultures enhance organizational performance [23,24]. This hypothesis is based on the notion that having widely shared and commonly held strong organizational norms and values leads to higher performance in at least three ways. First, a strong culture enhances coordination and control within the organization. Second, it improves goal alignment between the organization and its members. Third, a strong corporate culture improves employee efforts.

Similarly, organizational culture is a system of learned behavior which is reflected in the level of end-user awareness and can have an effect on the success or failure of the information security process. Reference [25] found that users considered a user-involving approach to be much more effective for influencing user awareness and behavior in information security. Reference [26] studied influences that affect a user’s security behavior and suggested that by strengthening security culture organizations may have significant security gains. Reference [27] investigated security information management as an outsourced service and suggested augmenting security procedures as a solution, while [28] suggested a model based on the Direct-Control Cycle for improving the quality of policies in information security governance. Reference [29] discussed the importance of gaining improvements from software developers during the software developing phase in order to avoid security implications. Reference [30] advanced a new model that explains employees’ adherence to IS policies and found that threat appraisal, self-efficacy and response efficacy have an important effect on intention to comply with information security policies.

Behavior, in terms of information security, is the perception of organizational norms and values associated with information security and so it exists within the organizations, not in the individual. To this end, individuals with different backgrounds or at different levels in the organization tend to describe the organization in a similar way [31]. Security culture is used to describe how members perceive security within the organization. Since security and risk minimization are embedded into the organizational culture, all employees, managers and end-users must be concerned with security issues in their planning, managing and operational activities. In order to ensure effective and proactive information security, all staff must be active participants rather than passive observers of information security. In doing so, staff must strongly hold and widely share the norms and values of the organizational culture in terms of information security behavior and perception.

IV. END-USER TRUST

Organizational researchers began to study the concept of trust in inter-organizational relationships and between organizations [32]. A variety of trust models have been applied to various research streams [33,34] to explain inter-organizational trust in different contexts. For instance, a number of studies investigated inter-organizational trust in a technical context. Some of them have studied the impact of trust in e-commerce [14,15,16] and others in virtual teams [17,18].