
Measuring Employees' Information Security Compliance Behaviors: A Holistic State Perspective

Xiaolong Wang (1, first and corresponding author), Wenli Li (2)
1 Faculty of Management and Economics, Dalian University of Technology, michaelwangxl@mail.dlut.edu.cn, 310730952@qq.com
2 Faculty of Management and Economics, Dalian University of Technology, wlli@dlut.edu.cn

Abstract

The holistic state of information security compliance behaviors in an organization refers to a global description of the information security activities that are regulated by the information security policy and that have to be correctly carried out by all employees. The holistic state is measured in terms of a distribution of discrete numbers, each number being the count of compliance behaviors of one employee in a given time interval. A weighted information security compliance behaviors entropy (wiscbe) index is proposed for measuring and ranking holistic states. The experimental results indicate that holistic states are measured and clearly ranked by the magnitude of the wiscbe index, both across departments during the same period of time and within one department across different time intervals. The wiscbe index is expected to be useful to security managers in making decisions concerning information security.

Keywords: Information Management, Information System, Information Security, Compliance, Measurement, Entropy

1. Introduction

Information security compliance behaviors are a set of information security activities that employees have to adhere to in order to maintain information security as defined by the information security policy of an organization [1]. Information security depends largely on the compliance behaviors of employees [2, 3, 4, 5, 6, 7].
Measurement and reporting of compliance behaviors can be used to evaluate the status of security policy implementation, the effectiveness and efficiency of security service delivery, and the business impact of security events. This has become increasingly apparent in the field of information security over the past decade [8]. In many organizations, effective measurement of information security behaviors has recently also been driven by a stricter regulatory environment that demands greater transparency and accountability [9]. Empirical studies have explored various factors that affect the compliance behavior intentions of employees, and a number of behavioral compliance models have been proposed and tested in which behavioral intention is assumed to be the immediate antecedent of actual behavior [10, 11, 12, 13, 14, 15, 16, 17]. Other studies, however, suggest that it is preferable to measure actual behaviors rather than intentions [13, 18, 19]. Measuring behavioral intentions is especially troubling because intentions do not always lead to behaviors [17, 19], and the psychosocial factors that create motivations and behavioral intentions are extremely complex and difficult to measure [19, 20]. Standards, frameworks and tools explicitly concerned with the development, implementation and maintenance of information security metrics and measurements have been proposed [9], but they are not specific to the measurement of compliance behaviors. For instance, NIST Special Publication 800-55 (Revision 1) [21] presents a framework for security measurement, along with a set of candidate measurements in its Appendix A.
These candidate measurements provide a guide for evaluating information security performance, measured with simple statistics such as percentage ratios. A recent study, however, has revealed that the distribution of human behaviors follows non-Poisson statistics [22]. Since information security compliance behavior is human behavior in nature, a percentage ratio may not be appropriate for measuring the compliance behaviors themselves. In addition, Barabanov et al. have pointed out that the standards, frameworks and tools mentioned above are multidimensional, or have lateral administrative functions and hierarchical administrative levels in which lower-level metrics roll up into higher-level ones [9].

[International Journal of Information Processing and Management (IJIPM), Volume 4, Number 6, September 2013]

In this study, we follow the ideas of statistical mechanics in treating the compliance behaviors of employees in an organization. By analogy, an organization is treated as a physical system and an employee as a molecular component of that system. A compliance behavior is defined as one item of the information security policy having been correctly completed by an employee. For each employee there is a count of compliance behaviors in a given time interval; over all employees these counts constitute a distribution, and distributions are obtained for a number of different time intervals. Provided that the information security compliance behaviors of individual employees are independent, Shannon's information entropy [23] can be used to characterize these distributions. On this view, such a distribution represents the holistic state of the information security compliance behaviors of all employees in an organization within a given time interval. Information entropy is used to study the distribution, and an entropy index is derived to characterize the holistic state. In the sense of Barabanov et al. [9], the holistic state is a roll-up measurement. A weighted information security compliance behaviors entropy (wiscbe) index is proposed to measure the holistic state of the information security compliance behaviors of employees in an organization, and the magnitude of wiscbe is used to rank different holistic states.
The main contents of this paper are structured as follows: in Section 2 the information security compliance behaviors entropy (ISCBE), the normalized ISCBE (NISCBE) and wiscbe are formulated in sequence. An experimental test is presented in Section 3, the measurement results are discussed in Section 4, and concluding remarks are given in Section 5.

2. Derivation of the wiscbe index

2.1. Information security compliance behaviors entropy (ISCBE)

Shannon's information entropy theory has found quite a few applications in both natural and social systems [24, 25, 26, 27]. In human behavior oriented studies, for instance, it has been used to estimate human workload in human-robot interaction [28] and in multitasking behavior [29]. Using this theory, we construct a mathematical model that yields a weighted entropy index characterizing the holistic state of the information security compliance behaviors in an organization.

Appendix A of NIST Special Publication 800-55 (Revision 1) contains nineteen candidate measurements covering implementation, effectiveness/efficiency and impact requirements. A compliance behavior is defined as one such item having been correctly completed by an employee. Supposing that all of the items are required to be correctly completed by every employee in an organization, we first introduce the information security compliance behaviors entropy (ISCBE).

Let $n$ be the number of employees in the organization and $x_i$ the number of compliance behaviors of the $i$th employee, $i = 1, 2, \ldots, n$. The distribution of $x_i$ over the organization is $(x_1, x_2, \ldots, x_n)$. Let $X = \sum_{i=1}^{n} x_i$ be the total number of compliance behaviors in the organization within one measurement cycle. Hence $p(x_i) = x_i / X$ and $\sum_{i=1}^{n} p(x_i) = 1$, and the ISCBE is

$$\mathrm{ISCBE} = -\sum_{i=1}^{n} p(x_i) \ln p(x_i) \qquad (1)$$

where $p(x_i)$ is the probability distribution function of the number of compliance behaviors of each employee. As a rule, $0 \ln 0$ is set to zero.
A large value of ISCBE indicates a relatively more secure holistic state, as the following example shows. Consider distributions $(x_1, \ldots, x_6)$ obtained during four different measurement cycles: (18, 11, 9, 2, 5, 15), (19, 3, 1, 3, 2, 3), (19, 19, 19, 19, 19, 19) and (4, 4, 4, 4, 4, 4). Their ISCBE values are calculated to be 1.548, 1.342, 1.792 and 1.792, respectively. The latter two values thus indicate a better holistic state than the former two. The last two holistic states, however, are not discriminated from each other. The index has to be modified to resolve this problem.

2.2. Normalized and weighted ISCBE

A normalized ISCBE is introduced in the form

$$\mathrm{NISCBE} = -\sum_{i=1}^{n} p(x_i) \ln p(x_i) \Big/ \ln n \qquad (2)$$

where $\ln n$ is the theoretical maximum of ISCBE, reached when the distribution is uniform. The values of NISCBE thus fall into the interval [0, 1]. NISCBE depends only on how evenly the behaviors are spread over the employees, not on how many there are: any uniform distribution $(x_1, \ldots, x_n)$ gives NISCBE = 1 whether the $x_i$ are large or small. The NISCBE values in the above example turn out to be 0.864, 0.748, 1 and 1, respectively, so the holistic states corresponding to (19, 19, 19, 19, 19, 19) and (4, 4, 4, 4, 4, 4) are still not discriminated. A solution is reached by further introducing a weighted NISCBE, viz. wiscbe:

$$\mathrm{wiscbe} = -w \sum_{i=1}^{n} p(x_i) \ln p(x_i) \Big/ \ln n \qquad (3)$$

where $w$ is a weighting coefficient. For a distribution $(x_1, x_2, \ldots, x_n)$ the value of $w$ is

$$w = \sum_{i=1}^{n} x_i \Big/ (n\,m) \qquad (4)$$

where $m$ is the total number of information security items that each employee has to complete correctly, so that $w$ is the fraction of all required items that were actually completed. A large wiscbe value thereby signals a better holistic state. Returning to the problem with the distributions (4, 4, 4, 4, 4, 4) and (19, 19, 19, 19, 19, 19): with $m = 19$, their wiscbe values are well separated, 0.210 and 1. We note that in the reality of information security management, $m$ can take different values in an organization.

3. Experiment

Application of the wiscbe index to the measurement of the holistic state of compliance behaviors has been attempted in Chinese companies. The companies of interest should have an adequate implementation of information systems and information security policies for convenience sampling to be reliable. Three such companies were chosen: a data service company in Shanghai, a software company in Dalian, and the Dalian Locomotive and Rolling Stock Co., Ltd. The primary businesses of the first two are information technology and information services; the third is a traditional state-owned manufacturer. In each of the three companies, one or two departments were randomly selected for the measurement.
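As an added worked example (not code from the paper), the following Python implements equations (1) to (4) of Section 2 exactly as defined there, together with the five discrimination levels that Section 4 applies to wiscbe values, and runs them over the distributions quoted in Sections 2.1 and 2.2 and over two rows of Table 2. The function names `iscbe`, `niscbe`, `weight`, `wiscbe` and `level`, the input validation, and the constant names are this example's own; the distributions and the values of $m$ (19 for the Appendix A measurements, 20 for the paper's questionnaire) come from the paper.

```python
"""Entropy-based compliance index (ISCBE / NISCBE / wiscbe), equations (1)-(4).

Added worked example, not the authors' code. x_i is the count of correctly
completed policy items for employee i, p(x_i) = x_i / X with X = sum(x_i),
and m is the number of items every employee has to complete (19 for the
NIST SP 800-55 Rev. 1 Appendix A candidate measurements, 20 for the paper's
questionnaire). Sample distributions are those quoted in the paper.
"""
from math import log
from typing import Sequence


def iscbe(x: Sequence[int]) -> float:
    """Equation (1): Shannon entropy of each employee's share of behaviors.

    0*ln(0) is taken as 0, as the paper stipulates, so an employee with no
    compliant behavior adds nothing to the sum (but still lowers uniformity
    because the other shares grow).
    """
    if any(c < 0 for c in x):
        raise ValueError("behavior counts must be non-negative")
    total = sum(x)
    if total == 0:
        return 0.0  # nobody did anything: degenerate state, entropy 0
    return -sum((c / total) * log(c / total) for c in x if c > 0)


def niscbe(x: Sequence[int]) -> float:
    """Equation (2): ISCBE divided by its theoretical maximum ln(n)."""
    n = len(x)
    if n < 2:
        raise ValueError("need at least two employees so that ln(n) > 0")
    return iscbe(x) / log(n)


def weight(x: Sequence[int], m: int) -> float:
    """Equation (4): w = sum(x_i) / (n*m), fraction of required items done."""
    if m <= 0:
        raise ValueError("m must be a positive number of policy items")
    if max(x) > m:
        raise ValueError("an employee cannot complete more than m items")
    return sum(x) / (len(x) * m)


def wiscbe(x: Sequence[int], m: int) -> float:
    """Equation (3): weighted, normalized entropy index, in [0, 1]."""
    return weight(x, m) * niscbe(x)


def level(value: float) -> str:
    """Section 4 discrimination levels for a department's wiscbe value."""
    for threshold, name in ((0.800, "excellent"), (0.600, "good"),
                            (0.400, "fair"), (0.200, "poor")):
        if value >= threshold:
            return name
    return "bad"


# Distributions quoted in Sections 2.1 and 2.2 (m = 19 Appendix A items).
EXAMPLE_2_1 = [(18, 11, 9, 2, 5, 15), (19, 3, 1, 3, 2, 3),
               (19,) * 6, (4,) * 6]
# Two Table 2 rows (questionnaire of m = 20 items).
SHANGHAI_DEPT1_ROW = (17, 15, 15, 11, 13, 15)
DALIAN_LOCOMOTIVE_ROW = (14, 10, 9, 11, 12, 14, 13, 18, 12, 10)

if __name__ == "__main__":
    for dist in EXAMPLE_2_1:
        print(dist, f"ISCBE={iscbe(dist):.3f} NISCBE={niscbe(dist):.3f} "
              f"wiscbe(m=19)={wiscbe(dist, 19):.3f}")
    for name, row in (("Shanghai dept 1", SHANGHAI_DEPT1_ROW),
                      ("Dalian Locomotive", DALIAN_LOCOMOTIVE_ROW)):
        v = wiscbe(row, 20)
        print(f"{name}: wiscbe={v:.3f} -> {level(v)}")
```

Running it reproduces the uniform-distribution values (ISCBE = ln 6 = 1.792, NISCBE = 1, wiscbe = 0.211 and 1 for $m = 19$) and the Table 2 values 0.713 for the Shanghai department 1 row and 0.610 for the Dalian Locomotive row with $m = 20$. For the two non-uniform distributions of Section 2.1, equation (1) gives 1.624 and 1.266 rather than the 1.548 and 1.342 quoted there; the ranking of the four states is unchanged. The code also makes two properties of the index explicit: an employee with $x_i = 0$ contributes nothing to the entropy sum but still lowers both uniformity and $w$, and two distributions with the same total differ only through the normalized entropy, so (20, 20, 0, 0) scores exactly half of (10, 10, 10, 10) for the same $m$.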
Data collection was accomplished by two independent and complementary means.

(I) Survey questionnaire. The questionnaire is designed mainly upon the nineteen candidate measurements in Appendix A of NIST Special Publication 800-55 (Revision 1). One additional measurement is introduced to capture an employee's self-motivated learning of the contents of the information security policy, so the questionnaire contains 20 items in total. Employees are asked to self-report what they have done, or are doing, in relation to the information security policy during each of the past three years. The questionnaires were distributed to all employees of the selected departments by email.

(II) Managerial monitoring. We interviewed the department managers in these companies. Respondents were promised that the data collected from the questionnaires and interviews would be kept confidential.

The details of the data collection are as follows. (1) Two departments in the Shanghai data service company were selected, with 6 and 10 employees in departments 1 and 2, respectively. The employees of department 1 handle internal business processes, while all of the employees of department 2 are site engineers who take care of the company's external business. (2) In the Dalian software company, a software development team of 21 members was surveyed. (3) In the Dalian Locomotive and Rolling Stock Co., Ltd, a department of 12 employees was surveyed. It is worth noting that the individuals investigated are regular rather than part-time employees. Department managers were not given the questionnaire; they were interviewed instead.

The questionnaires were completed by all employees of these departments. Inspection identified one invalid questionnaire from department 2 of the Shanghai data service company, two from the team of the Dalian software company, and two from the Dalian Locomotive and Rolling Stock Co., Ltd, leaving 44 valid questionnaires of the 49 distributed (about 89.8%). This ratio is taken as sufficient for the measurement results to reflect the holistic state of the information security compliance behaviors at the department level. The variation of the holistic state over time is also examined, for which data for three consecutive annual years were collected. Although this interval is fairly long, we assume that information security related behaviors are salient and memorable, and that with explicitly designed questions employees can readily recall what they did in relation to the information security policy during the past three years. The demographic data of the employees, obtained from the valid questionnaires, are summarized in Table 1.

In the interview, the department manager was asked to give a qualitative assessment of the annual holistic state of the information security compliance behaviors in his department for each of the past three years. Managers were advised to refer to the nineteen candidate measurements of Appendix A of NIST Special Publication 800-55 (Revision 1) and to the employees' practical situation regarding self-motivated study of the information security policy. The assessments are given on a qualitative scale: excellent, good, fair, poor or bad.

4. Results and discussion

Using the questionnaire data, the wiscbe index is calculated with equations (3) and (4).
For discrimination of the holistic state at the department level, we assign an excellent state for wiscbe ≥ 0.800; a good state for 0.800 > wiscbe ≥ 0.600; a fair state for 0.600 > wiscbe ≥ 0.400; a poor state for 0.400 > wiscbe ≥ 0.200; and a bad state for wiscbe < 0.200. Each wiscbe index value and the corresponding level are summarized in Table 2, together with the managers' assessments of the holistic states of their respective departments. The measurement results from the wiscbe index are almost entirely consistent with those given by the managers. The one exception is in the Dalian Locomotive and Rolling Stock Co., Ltd, where the department manager assigned a fair state to one of the three years while wiscbe works out to 0.610, just above the 0.600 threshold and hence indicative of a good state. The wiscbe index values are illustrated by the bar chart in Fig. 1. The bar heights compare the annual holistic states of the information security compliance behaviors of the employees within each department, and between departments as well. For department 1 of the Shanghai data service company, for instance, the annual holistic state improves from a fair state in the first two years (wiscbe 0.544 and 0.587) to a good state (wiscbe = 0.713) in the third. For comparison, the manager of department 1 reported that the holistic state in the third year was better than in the two preceding years, which is consistent with the trend shown by the bar chart. In the other departments of the three companies, the same consistency between the quantitative wiscbe calculation and the department manager's report is found. The application of the wiscbe index to a single compliance behavior has also been studied.
Consider for example the specific measurement twelve (media protection) of Appendix A of NIST Special Publication 800-55 (Revision 1). Here the questionnaire data from departments 1 and 2 of the Shanghai data service company are used. The calculated wiscbe index values are summarized in Table 3, and the corresponding bar chart is presented in Fig. 2. The qualitative assessments of the department manager for this specific measurement are also included in Table 3, and again the results obtained by the two complementary means are consistent. The wiscbe index is thus also capable of characterizing the holistic state specified by a single compliance behavior.

The experimental results indicate that the wiscbe index allows quantification and comparison of the holistic states of different departments in the same time interval, and of one department over different time intervals. The criterion for ranking a holistic state is simply the magnitude of the wiscbe index. A smaller wiscbe value indicates fewer compliance behaviors (through the weight $w$), a less uniform distribution of the counts of compliance behaviors across the employees of a department (through the normalized entropy), or both, and thereby signals an inferior holistic state. The wiscbe index therefore provides a simple measure of the holistic state of the information security compliance behaviors of employees in a department, and makes an immediate first judgment of that state possible. Moreover, as shown by Fig. 1, the evolution of the holistic state of a department over a long period is readily seen. These results are a useful reference for security managers' decisions. In this role the wiscbe index appears as a derived measure, playing the part of a roll-up measurement for the assessment of the information security compliance behaviors. Given the statistical nature of wiscbe, application to departments or organizations with a large number of employees would be more suitable, and its effectiveness more convincing; with only six to nineteen valid respondents per department, as here, a single employee's count has a noticeable effect on the index.

Our questionnaire is based mainly on the nineteen candidate measurements of NIST Special Publication 800-55 (Revision 1). These measurements were originally intended to assess information security performance; here they are modified to address the compliance behaviors of employees, viz. what the employees have done or are doing with respect to the information security policy of the department or organization. The standard information technology terms of the original measurements in Appendix A of NIST Special Publication 800-55 (Revision 1) are retained so that non-equivalence of meaning [30, 31] is avoided in the questionnaire.
On the other hand, the content validity [32], the unidimensionality [33] and the internal consistency of the present questionnaire also depend on these original measurements. For the interview with a department manager, a concise structured question is used, and the relevant concepts are defined in advance for reference. It should be mentioned that in a questionnaire or an interview, respondents are naturally unwilling to reveal their true responses to items they perceive might have negative consequences for their personal image or job [19]; there is an inherent difficulty in collecting actual behavioral data in the context of information security. In this study the self-reported behavioral data from employees and the answers from managers are collected independently and cross-checked, which is expected to reduce the unreliability of the data to a certain extent.

Table 1. Demographic characteristics of the employees

Variable              Mean   Std. dev.   Sample size               Percentage
Age                   31     6           6*3; 9*3; 19*3; 10*3
Years of working      6      5           6*3; 9*3; 19*3; 10*3
Degree of education   16     2           6*3; 9*3; 19*3; 10*3
Gender: male                             35                        79%
Gender: female                           9                         21%
Race: yellow                             6; 9; 19; 10              100%

Note: values for age, years of working and degree of education are expressed in years. Sample sizes are given per department (Shanghai department 1, Shanghai department 2, Dalian software team, Dalian Locomotive department); "*3" means three times the number of respondents, one data point per respondent per year.

Table 2. Results of the annual holistic state measurements (one row per department and year; m = 20 questionnaire items; level assigned by the Section 4 thresholds)

Organization                                   Department           Questionnaire data (x_1, ..., x_n)                                        wiscbe   Level
The data service corporation in Shanghai       Department 1         (17, 15, 15, 11, 13, 15)                                                  0.713    good
                                                                    (14, 13, 13, 9, 12, 9)                                                    0.587    fair
                                                                    (4, 13, 16, 6, 11, 7)                                                     0.544    fair
                                               Department 2         (7, 13, 11, 9, 10, 11, 12, 17, 11)                                        0.496    fair
                                                                    (6, 8, 13, 10, 10, 10, 12, 13, 9)                                         0.456    fair
                                                                    (5, 11, 14, 10, 8, 10, 8, 13, 11)                                         0.449    fair
The software corporation in Dalian             A development team   (10, 16, 12, 7, 18, 10, 16, 13, 17, 8, 18, 14, 10, 15, 8, 9, 11, 10, 14)  0.613    good
                                                                    (10, 16, 11, 5, 17, 10, 10, 9, 10, 7, 18, 8, 8, 14, 8, 8, 7, 7, 12)       0.503    fair
                                                                    (10, 18, 11, 6, 16, 10, 8, 10, 9, 8, 18, 9, 7, 13, 8, 8, 5, 6, 12)        0.457    fair
Dalian Locomotive and Rolling Stock Co., Ltd   A department         (14, 10, 9, 11, 12, 14, 13, 18, 12, 10)                                   0.610    good
                                                                    (14, 7, 8, 11, 13, 14, 13, 13, 12, 10)                                    0.569    fair
                                                                    (13, 6, 6, 10, 11, 8, 13, 7, 12, 10)                                      0.472    fair

Note: the managers' qualitative assessments for each row are discussed in Section 4; they agree with the level column except for the 0.610 row, which the manager rated fair.

Table 3. Measurement results of a single information security compliance behavior (measurement twelve, media protection; the data service corporation in Shanghai)

Department     Questionnaire data                          wiscbe
Department 1   (20, 10, 10, 16, 16, 16)                    0.672
               (20, 10, 10, 16, 16, 10)                    0.667
               (20, 10, 10, 16, 10, 10)                    0.616
Department 2   (20, 10, 4, 16, 4, 10, 10, 20, 16, 16)      0.600
               (10, 10, 4, 16, 10, 4, 10, 20, 10, 16)      0.526
               (16, 4, 4, 16, 4, 0, 10, 20, 10, 16)        0.445

Figure 1. Bar chart of the annual wiscbe values (vertical axis: wiscbe, 0.0 to 1.0; horizontal axis: annual year) for the four departments of the three Chinese companies: Shanghai department 1, Shanghai department 2, Dalian Software and Dalian Locomotive.

Figure 2. Bar chart of the annual wiscbe values for the single compliance behavior of Table 3 (vertical axis: wiscbe, 0.0 to 1.0; horizontal axis: annual year) in departments 1 and 2 of the data service corporation in Shanghai.

5. Conclusion

The holistic state of the information security compliance behaviors of all employees in a department or organization has been studied. The weighted information security compliance behaviors entropy (wiscbe) index is proposed to measure and rank a holistic state. The values of the wiscbe index are readily separated within the interval [0, 1]; the larger the wiscbe index, the better the holistic state. An experiment was designed to test the effectiveness of this index in ranking holistic states. The results indicate that the wiscbe index is capable of measuring and comparing the holistic states of different departments or organizations in the same period of time, and of one department or organization over different time intervals. The wiscbe index can be a useful reference for security managers inspecting the trend of employees' information security compliance behaviors at the team, department or organizational level.

6. Acknowledgement

The authors acknowledge the support of the National Natural Science Foundation of China (No. 70972058/G0211 and No. 71272092/G0211) and Dalian University of Technology (No. DUT12ZD208).

7. References

[1] Keshnee Padayachee, Taxonomy of Compliant Information Security Behavior, Computers & Security, Elsevier, vol. 31, no. 5, pp. 673-680.
[2] Rossouw Von Solms, Basie Von Solms, From Policies to Culture, Computers & Security, Elsevier, vol. 23, no. 4, pp. 275-279, 2004.
[3] Jeffrey M. Stanton, Paul R. Mastrangelo, Kathryn R. Stam, Jeffrey Jolton, Behavioral Information Security: Two End User Survey Studies of Motivation and Security Practices, in Proceedings of the Tenth Americas Conference on Information Systems, p. 175, 2004.
[4] Jeffrey M. Stanton, Kathryn R. Stam, Paul Mastrangelo, Jeffrey Jolton, Analysis of End User Security Behaviors, Computers & Security, Elsevier, vol. 24, no. 2, pp. 124-133, 2005.
[5] Cheryl Vroom, Rossouw Von Solms, Towards Information Security Behavioural Compliance, Computers & Security, Elsevier, vol. 23, no. 3, pp. 191-198, 2004.

[6] Michael Workman, Gaining Access with Social Engineering: An Empirical Study of the Threat, Information Systems Security, Taylor & Francis, vol. 16, pp. 315-331, 2007.
[7] Salvatore Aurigemma, Raymond Panko, A Composite Framework for Behavioral Compliance with Information Security Policies, in Proceedings of the 45th Hawaii International Conference on System Sciences, pp. 3248-3257.
[8] IATAC, Measuring Cyber Security and Information Assurance: State-of-the-Art Report, IATAC, http://iac.dtic.mil/iatac/download/cybersecurity.pdf, 2009.
[9] Rostyslav Barabanov, Stewart Kowalski, Louise Yngström, Information Security Metrics: State of the Art, DSV Report Series No. 11-007.
[10] Detmar W. Straub, Jr., William D. Nance, Discovering and Disciplining Computer Abuse in Organizations: A Field Study, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 14, no. 1, pp. 45-60, 1990.
[11] Qing Hu, Tamara Dinev, Paul Hart, Donna Cooke, Managing Employee Compliance with Information Security Policies: The Role of Top Management and Organizational Culture, Decision Sciences, Decision Sciences Institute, vol. 43, no. 4, pp. 615-660.
[12] Burcu Bulgurcu, Hasan Cavusoglu, Izak Benbasat, Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 34, no. 3, pp. 523-548.
[13] Catherine L. Anderson, Ritu Agarwal, Practicing Safe Computing: A Multimethod Empirical Examination of Home Computer User Security Behavioral Intentions, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 34, no. 3, pp. 613-643.
[14] Allen C. Johnston, Merrill Warkentin, Fear Appeals and Information Security Behaviors: An Empirical Study, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 34, no. 3, pp. 549-566.
[15] Merrill Warkentin, Robert Willison, Behavioral and Policy Issues in Information Systems Security: The Insider Threat, European Journal of Information Systems, Palgrave Macmillan, vol. 18, no. 2, pp. 101-105, 2009.
[16] Seppo Pahnila, Mikko Siponen, Adam Mahmood, Employees' Behavior Towards IS Security Policy Compliance, in Proceedings of the 40th Hawaii International Conference on System Sciences, paper 156, 2007.
[17] Robert E. Crossler, Allen C. Johnston, Paul Benjamin Lowry, Qing Hu, Merrill Warkentin, Richard Baskerville, Future Directions for Behavioral Information Security Research, Computers & Security, Elsevier, vol. 32, pp. 90-101, 2013.
[18] M. Adam Mahmood, Mikko Siponen, Detmar Straub, H. Raghav Rao, T. S. Raghu, Moving Toward Black Hat Research in Information Systems Security: An Editorial Introduction to the Special Issue, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 34, no. 3, pp. 431-433.
[19] Merrill Warkentin, Detmar Straub, Kalana Malimage, Measuring Secure Behavior: A Research Commentary, in Proceedings of the Annual Symposium on Information Assurance, pp. 1-8.
[20] Robert Willison, Merrill Warkentin, Beyond Deterrence: An Expanded View of Employee Computer Abuse, MIS Quarterly, Management Information Systems Research Center, University of Minnesota, vol. 37, no. 1, pp. 1-20, 2013.
[21] Elizabeth Chew, Marianne Swanson, Kevin Stine, Nadya Bartol, Anthony Brown, Will Robinson, Performance Measurement Guide for Information Security, NIST Special Publication 800-55 Revision 1, http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf, 2008.
[22] Albert-László Barabási, The Origin of Bursts and Heavy Tails in Human Dynamics, Nature, NPG, vol. 435, pp. 207-211, 2005.
[23] Claude Elwood Shannon, A Mathematical Theory of Communication, The Bell System Technical Journal, American Telephone and Telegraph Company, vol. 27, pp. 379-423 and 623-656, 1948.
[24] C. Radhakrishna Rao, Diversity: Its Measurement, Decomposition, Apportionment and Analysis, Sankhyā: The Indian Journal of Statistics, Series A, Springer, vol. 44, no. 1, pp. 1-22, 1982.

[25] Sandrine Pavoine, Sylvain Dolédec, The Apportionment of Quadratic Entropy: A Useful Alternative for Partitioning Diversity in Ecological Data, Environmental and Ecological Statistics, Springer, vol.12, pp.125-138, 2005. [26] Kenneth D. Bailey, Social Entropy Theory, State University of New York Press, USA, 1990. [27] Erwin R. Boer, Behavioral Entropy As an Index of Workload, In Proceedings of the Human Factors and Ergonomics Society Annual Meeting, pp.125-128, 2000. [28] Michael A. rich, Erwin R. Boer, Jacob W. Crandall, R. W. Ricks, Morgon L. Quigley, Behavioral Entropy in Human-robot Interaction, In Proceedings of the Performance Metrics for Intelligent Systems, paper 12, 2004. [29] Raquel Benbunan-Fich, An Entropy Index for Multitasking Behavior, In Proceedings of the International Conference on Information Systems, paper 2,. [30] Ronald K. Hambleton, Liane Patsula, Adapting Tests for Use in Multiple Languages and Cultures, Social Indicators Research, Springer, vol.45, no.1-3, pp.153-171, 1998. [31] Janet A. Harkness, Questionnaire Translation, (In: Harkness JA, Van de vijver FIR, Mohler PPH, editors, Cross-cultural Survey Methods), John Wiley & Sons, pp.35-56, 2003. [32] Stephen N. Haynes, David C. S. Richard, Edward S. Kubany, Content Validity in Psychological Assessment: A Functional Approach to Concepts and Methods, Psychological Assessment, American Psychology Association, vol.7, no.3, pp.238-247, 1995. [33] David W. Gerbing, James C. Anderson, An Updated Paradigm for Scale Development Incorporating Uni-dimensionality and Its Assessment, Journal of Marketing Research, vol. XXV, pp.186-192, 1988. 
Appendix 1: Questionnaire and Interview

Questionnaire (Respondents: all employees)

Each questionnaire item corresponds to one of the twenty candidate measurements drawn from NIST Special Publication 800-55 (Revision 1); the measurement is listed first and the item that operationalizes it follows.

Measurement 1: Security budget
Item 1: Does the security budget of the department have any influence on the information security compliance behavior of the employee?

Measurement 2: Vulnerability management
Item 2: Have the high-severity vulnerabilities of the information system been mitigated in time by the employee?

Measurement 3: Access control
Item 3: Has unauthorized remote access to the information system been blocked by the employee?

Measurement 4: Awareness and training
Item 4: Has the employee received information security training?

Measurement 5: Audit and accountability
Item 5: Has the employee ever read the audit reports on improper information security behaviors in the department?

Measurement 6: Certification, accreditation and security assessments
Item 6: Has the employee ever used software that lacks security certification?

Measurement 7: Configuration management
Item 7: Have hardware configurations been changed by the employee without authorization?

Measurement 8: Contingency planning
Item 8: Has the employee taken part in the annual contingency exercise?

Measurement 9: Identification and authentication
Item 9: Have legitimate usernames and passwords always been used by the employee to access the information system?

Measurement 10: Incident response
Item 10: Have information security incidents been reported in time by the employee?

Measurement 11: Maintenance
Item 11: Has security maintenance been performed by the employee following the formal procedures?

Measurement 12: Media protection
Item 12: Have the data been wiped from discarded USB sticks by the employee?

Measurement 13: Physical and environmental protection
Item 13: Has the employee ever entered the computer facilities without authorization?

Measurement 14: Planning
Item 14: Has the employee signed the information security rules of behavior acknowledgement?

Measurement 15: Personnel security
Item 15: Has the information system ever been used by an unauthorized employee?

Measurement 16: Risk assessment
Item 16: Have the security vulnerabilities of the information system been remediated by the employee following the procedures laid down in the information security policy?

Measurement 17: System and services acquisition
Item 17: Have information security requirements been emphasized by the employee when acquiring information systems and services?

Measurement 18: System and communications protection
Item 18: Have the cryptographic operations been strictly performed on the employee's laptop?

Measurement 19: System and information integrity
Item 19: Has the patching program been set up by the employee for the computer operating system?

Measurement 20: Self-motivated study of the information security policy
Item 20: Has the employee ever studied the clauses of the information security policy on his or her own initiative?

Interview (Respondents: department managers)

Please refer to the definition of information security compliance behavior, to NIST Special Publication 800-55 (Revision 1), and to the twenty items of the survey questionnaire, and assess the holistic state of the information security compliance behaviors of all employees in your department for each of the years (, and ).
1. Excellent; 2. ; 3. ; 4. Poor; 5. Bad.