Strategies for End User Engagement in Information Security

Introduction

Information security awareness strategies and initiatives are critical, especially where end users are involved within the organizational context. End users can include clients or customers, employees and even managers who are attached to information technology. In any system, security policies and the scale of compliance are important in enhancing the system's security. Most IT systems are largely dependent on people, with researchers arguing that information security is largely about behaviour. This includes convincing people to behave in a particular way that is more convenient and safer in addressing the idea of compliance. The most critical hurdle in sustaining a robust security system is the need to make users understand and appreciate the essence of security and the benefits that come with it. Although there is hype, especially instigated by vendors, regarding security products, most of the critical security activities cannot be and will never be automated. This implies that firms must rely squarely on people to achieve a secure environment. Regardless of the criticism and counterarguments, security awareness among end users is enough to ensure compliance with security policy.


Security policy awareness

The first argument affirming the importance of end-user awareness in security policy compliance concerns the significant role of attitudes in information or system security behaviour. As mentioned before, the security of the system relies on people and not on security products. In recent years, researchers have been paying close attention to the behavioural aspects of security as linked to computer users (Snyman 2017). Most of the findings point to a correlation between employees' attitudes and their information security behaviours.

Behavioural information security is the relevant concept here: a branch of information security that allows the researcher to examine the motivations behind security-related behaviours. Attitude is one of the controlling elements of behaviour because it affects the way people view the world, what they think and what they do. Attitudes are commonly informed by beliefs, which are key in engaging behaviour. The attitude can be either positive or negative with regard to the privacy or confidentiality of the system (Stephanou and Dagada 2008). When end users have a positive attitude, they are likely to abide by the provisions of the corporate security program. Over the last 30 years, psychologists and sociologists have found that attitude can be used to predict behaviour, which is critical in developing most security awareness programs (Gundu and Flowerday 2013).

Furthermore, professionals at one point started a campaign dubbed the human firewall, which recognised the attitudinal change and the behaviour of the people engaged in information security as developed through policies and guidelines. According to Maio, Haddock and Verplanken (2018), most policy makers are becoming more interested in exploring how attitudes can affect people's behaviour. Changing behaviour through an attitudinal shift is perhaps easier than changing the behaviour itself. This agrees with behaviourism theory, which insists on the internal states that constitute intentions, thoughts or even experiences. For instance, the behavioural habit of leaving the workstation active cannot easily be changed unless there is an attitudinal change in oneself. This also applies to security policies (Snyman 2017). People may see no sense in complying with some security policies because they have a negative attitude towards them. It should also be noted that policies can only be functional if people abide by the regulations. Based on the role of attitude, it is evident that awareness among people is enough to ensure compliance with security policy as far as behavioural change is taken into consideration.

Secondly, awareness among end users is enough to ensure compliance with security policies because of the unavoidable human factors that influence the information security culture, or the system's security culture. On this view, security technologies, guidelines and even policies can be effective only when end users have the required skills, knowledge and acceptance to make use of them (Herath and Rao 2009). Human factors have been presented as the key determinants of cybersecurity cultures, which are known for convincing people to adopt significant guidelines and policies associated with security. These human factors include psychological factors, where dissatisfaction is expected to attract anxiety or guilt. This prompts the ability to adopt lucrative habits, which may not compromise either their integrity or identity. Psychological factors, in the face of awareness of security policies, can be aligned with individual personality traits, which equally have an impact on security behaviour (Alfawaz et al. 2010). More diligent and conscientious staff tend to be aware of security and show a tendency to comply with it. Both experience and openness can support security confidence, whereas emotional instability and neuroticism have a negative effect. Moreover, open individuals who are also extrovert and neurotic show high chances of violating cybersecurity policies.

At some point, aversion and risk perceptions can lead to differences in behaviour (Al-Omari et al. 2012). Gender is also cited as one of the psychological factors, embedded in the human factors, that can either discourage or encourage awareness among end users as they comply with security policy. Men tend to be confident across their private attitude and security behaviour while using awareness to identify vulnerable areas. Men would express their attitude towards technology, while women would focus more on behavioural controls, social roles and norms (Herath and Rao 2009). Apart from psychological factors, human factors also cover compliance and personality as a characteristic that determines compliance with security policies once end users are made aware of the need. Notably, security programs rely on the end users' perception of the costs and benefits attached to security compliance. Under compliance and personality, security policies are only meaningful if people understand the threats, the constituents of the policy itself and the subsequent responsibilities (Pahnila et al. 2007).

Properly framed security programs based on empowerment, trust and openness may have a robust influence on the scale of compliance. For any lasting culture change and any successful policy, the degree of coercion and the rewards are important. Rewards are thought to be significant tools for reinforcing and motivating secure behaviour. On the other hand, sanctions and parallel monitoring can raise the perceived costs linked to insecure behaviour (Herath and Rao 2009).

Lastly, human factors close with the social environment, in which humans tend to follow norms and succumb to peer pressure, which influences personal behaviour. The same applies to system or organizational security linked to policies and guidelines. People in any social context always want the approval of others with regard to behaviour and expectations. Cues from the management responsible for organizational security, together with the collective behaviours of the members, form the right culture for security awareness. In addition, members empowered through sharing, security announcements and interactions would readily strive towards favourable or desirable outcomes that affect the community as a whole (Beautement et al. 2016). Therefore, awareness among end users, fostered through information security culture, is enough to ensure security policy compliance.

Apart from information security behaviour and information security, there is an extra component of awareness known as information or system security learning, which ensures compliance with the security policy. Based on research conducted by the National Institute of Science and Technology (NIST), security learning is a continuum between training and awareness, as well as education in some cases (Stephanou 2008). Security awareness, on the grounds of learning, is largely directed at the end users in any organization and aims at engaging them in security matters. Learning-based awareness recognizes security incidents and establishes a response path. Notably, learning and training are continuous processes that aim at enhancing the security skills of the end users, in addition to those of the custodians of the system itself.

Some research has established that end users need to understand the policy itself before they can adopt good security habits, especially when they are carrying out significant duties (Hovav and Putri 2016). This is because system security incidents are largely due to inattention on the side of the end users. Therefore, learning, education and training initiatives, in the light of awareness, provide significant support for end users' security consciousness and their awareness of the consequences of each action. Notably, security awareness cannot be discussed without mentioning the human element, which is critical in ensuring compliance with security policies. This can be argued from two sides. First, security awareness in the face of complying with security policies would mean attracting the end users to system security issues (Stephanou 2008).

Secondly, it would mean understanding and appreciating security initiatives as well as binding the end users to them. Subsequently, awareness becomes more robust with the attitudes and behaviour that influence end users to learn how to secure organizational resources. Training, learning and education aid the achievement of sustainable attitudinal and behavioural improvement towards security policies on the side of the end users in an organizational context (Coghlan 2019). This also implies that skills and knowledge, gained through the learning process, are equally important in bringing about absolute compliance with information security policies. Perhaps the only element that can improve or distort the security structure is the human element, which needs to be bolstered through knowledge and skills.

While talking of behaviour, attitudinal change, skills and knowledge, it is essential that security learning be put in place to ensure continuity. The only way security policies can have an impact in an organization is by enhancing sustainability, which cannot be achieved by installing better systems but by passing on the security culture from one generation of end users to another (Safa and Von Solms 2016). The culture is what carries the knowledge and the right skills, which can be passed on through learning processes. While systems can be upgraded or tuned, human elements can only be taught and motivated as far as security policies are put in place. Therefore, learning-based awareness can only affect individuals, who play a pivotal role in creating knowledge (Stephanou 2008). Organizations depend solely on individuals to magnify the knowledge and bring about sustainable security policies, which come as a result of security consciousness and knowledge.

Notably, systems do not develop policies but people do, and the same applies to absolute compliance. The human element is the only learning element that has the capacity to create knowledge with regard to security policies and to transfer it to others (Coghlan 2019). While most Westerners believe in explicit knowledge during the learning process, the Japanese insist on tacit knowledge.

Based on these conventions, it is evident that human knowledge can only be produced via the social interaction of tacit and explicit knowledge, which is only possible among individuals. The theory proposed by Takeuchi and Nonaka points out that awareness, in the face of security policy compliance, can only have an impact when tacit knowledge is converted to explicit knowledge (Sicari et al. 2015). The conversion should further be elevated dynamically from the lower units of the organization to the higher ones. The power of sharing this knowledge, denoted under security awareness, is what ensures compliance with security policy, a scenario that is possible in the presence of the human factors (Stephanou 2008). Therefore, learning, which is part of the human element, empowers awareness as the sole avenue that can bring about compliance with security policy in an organization.

In spite of awareness being the sole avenue that can influence security policy compliance, there are still other factors that can affect absolute compliance. Questions raised about the attitude and behaviour of the end users remain unanswered, especially where security policy seems dysfunctional. Significant factors that have been raised in support of security policy compliance behaviour include the effect of motivation and capacity (Moody et al. 2018). A large share of the literature has noted that, when discussing awareness, researchers mix it with frameworks of motivation and capacity. First, Vance et al. (2012) confirm that awareness cannot be discussed without mentioning motivation, which controls social norms, attitude and behavioural controls. Based on this argument, security policy compliance behaviour can be influenced through coping appraisal or threat appraisal (Hanus and Wu 2016). This means that the severity of the threat determines the probability of compliance and of implementing or adopting the preventive behaviour. Therefore, motivation is a wide framework that cannot simply be embedded under awareness but establishes an independent basis that affects the scale of compliance. Motivation, in the face of compliance, brings in such factors as penalty, costs and rewards, among others (Moody et al. 2018). Apart from motivation, capability is also a separate avenue that fosters attention to security policy compliance. Capability insists on self-efficacy and the perception of controllability in the light of compliance. Despite the criticism, motivation and capability cannot have an impact on security policy compliance when awareness of the key factors is missing.

Apart from the debate over whether awareness is enough to ensure that end users comply with the security policy, it is equally important to note that organizations have a lot more to do in supporting their employees in being cyber secure. First, the organization has to insist on security awareness and capacity, and motivate the end users to secure organizational resources. The awareness platform has been discussed at length in this context (Yazdanmehr and Wang 2016). Secondly, the organization needs to adopt the Secure Development Lifecycle (SDL), which is the critical foundation of a more sustainable security culture and therefore influences cyber security among the employees. SDL is regarded as a process, together with activities, that the organization agrees to perform for every system or software release (Hausfeld and Zimmerman 2018). The latter include threat modelling, security testing activities and proper security requirements. A key example is Microsoft, which releases its SDL free of charge. It is also necessary that organizations emphasize building a security community, which is largely the backbone of a sustainable security culture (de Bruijn and Janssen 2017). Security communities are only possible when there are common security interests.


Conclusion

The discussion presents a discourse that affirms awareness as the sole component in influencing security policy compliance behaviour. The discussion pointed out a few elements in support of this position. First, information security behaviour has been noted as the critical element of awareness. Positive security behaviours can easily spread and have an impact when there is awareness. The discussion also took note of security culture and system security learning. However, critics have noted that awareness alone is not sufficient. In any security policy compliance behaviour, it is equally important to appreciate capability and motivation as significant elements. Regardless of the counterarguments, awareness remains the sole element in influencing compliance with security policy.

References

Vance, A., Siponen, M. and Pahnila, S., 2012. Motivating IS security compliance: insights from habit and protection motivation theory. Information & Management, 49(3-4), pp.190-198.

Maio, G.R., Haddock, G. and Verplanken, B., 2018. The psychology of attitudes and attitude change. Sage Publications Limited.

Snyman, M.C., 2017. Awareness and training: the influence on end-user'attitude towards information security policy compliance (Doctoral dissertation).

Herath, T. and Rao, H.R., 2009. Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems, 18(2), pp.106-125.

Stephanou, A., 2008. The impact of information security awareness training on information security behaviour (Doctoral dissertation).

Stephanou, T. and Dagada, R., 2008, July. The Impact of Information Security Awareness Training on Information Security Behaviour: The Case for Further Research. In ISSA (pp. 1-21).

Gundu, T. and Flowerday, S.V., 2013. Ignorance to awareness: Towards an information security awareness process. SAIEE Africa Research Journal, 104(2), pp.69-79.

Alfawaz, S., Nelson, K. and Mohannak, K., 2010, January. Information security culture: a behaviour compliance conceptual framework. In Proceedings of the Eighth Australasian Conference on Information Security-Volume 105 (pp. 47-55). Australian Computer Society, Inc.

Al-Omari, A., El-Gayar, O. and Deokar, A., 2012. Information security policy compliance: The role of information security awareness.

Pahnila, S., Siponen, M. and Mahmood, A., 2007, January. Employees' behavior towards IS security policy compliance. In 2007 40th Annual Hawaii International Conference on System Sciences (HICSS'07) (pp. 156b-156b). IEEE.

Beautement, A., Becker, I., Parkin, S., Krol, K. and Sasse, A., 2016. Productive security: A scalable methodology for analysing employee security behaviours. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016) (pp. 253-270).

Hovav, A. and Putri, F.F., 2016. This is my device! Why should I follow your rules? Employees’ compliance with BYOD security policy. Pervasive and Mobile Computing, 32, pp.35-49.

Coghlan, D., 2019. Doing action research in your own organization. SAGE Publications Limited.

Safa, N.S. and Von Solms, R., 2016. An information security knowledge sharing model in organizations. Computers in Human Behavior, 57, pp.442-451.

Sicari, S., Rizzardi, A., Grieco, L.A. and Coen-Porisini, A., 2015. Security, privacy and trust in Internet of Things: The road ahead. Computer networks, 76, pp.146-164.

Moody, G.D., Siponen, M. and Pahnila, S., 2018. Toward a unified model of information security policy compliance. MIS Quarterly, 42(1).

Hanus, B. and Wu, Y.A., 2016. Impact of users’ security awareness on desktop security behavior: a protection motivation theory perspective. Information Systems Management, 33(1), pp.2-16.

Yazdanmehr, A. and Wang, J., 2016. Employees' information security policy compliance: A norm activation perspective. Decision Support Systems, 92, pp.36-46.

Hausfeld, J.N. and Zimmerman, R., 2018. Your Organization Can and Should Be Cyber Secure!. The Journal of Medical Practice Management: MPM, 33(6), pp.389-391.

de Bruijn, H. and Janssen, M., 2017. Building cybersecurity awareness: The need for evidence-based framing strategies. Government Information Quarterly, 34(1), pp.1-7.
