
A Model of Information Security Awareness for Assessing Information Security Risk for Emerging Technologies


