Boss, Scott Russel (2007) CONTROL, PERCEIVED RISK, AND INFORMATION SECURITY PRECAUTIONS: EXTERNAL AND INTERNAL MOTIVATIONS FOR SECURITY BEHAVIOR. Doctoral Dissertation, University of Pittsburgh. (Unpublished)
Abstract
Computer security has become increasingly important to organizations as the number of security incidents skyrockets. While many technical means are used to secure corporate systems, individual employees remain the last line - and frequently the weakest link - in organizational defenses. When individuals choose to disregard security policies and procedures meant to protect the organization, they leave the organization at risk. How, then, can organizations motivate their employees to follow security guidelines? Using organizational control and the fear of crime as the lens, we build a model to examine this research question. The research model examines the relationship between the elements of control (specification, evaluation, and reward), risk elements and risk antecedents (direct experience, indirect experience, and risk) and precautions that can be taken at the individual level which are typically motivated by organizational policies and procedures. The model also introduces the concept of "mandatoriness" which is generally not specifically highlighted in extant literature. The specific hypotheses are developed and tested using a field survey. An organization was identified for data collection and 1,738 total responses were collected from a population of approximately 3,500. The model was tested using PLS analysis after examination of the data, scale reliability, and item validity. The results from the analysis suggest that the acts of specifying a policy and evaluating behaviors are effective in convincing individuals that security policies and procedures are mandatory. The perception of mandatoriness, in turn, is effective in motivating individuals to take security precautions. Likewise, both direct and indirect experience have a significant positive effect on perceptions of risk, but risk perceptions do not have any effect on the level of precautions taken by individuals. 
The findings highlight the need for management to clearly specify computer security policies and procedures and to evaluate individual employee compliance with those policies. The findings also indicate that the perceived impact of specific scenarios is more likely to affect individual precaution taking behaviors than statistics indicating the likelihood that they will be affected. Additionally, managers need to address the problems of apathy as it relates to security and bolster individuals' efficacy as it relates to computers.
Details
Item Type: University of Pittsburgh ETD
Status: Unpublished
Date: 7 September 2007
Date Type: Completion
Defense Date: 11 July 2007
Approval Date: 7 September 2007
Submission Date: 24 July 2007
Access Restriction: No restriction; Release the ETD for access worldwide immediately.
Institution: University of Pittsburgh
Schools and Programs: Joseph M. Katz Graduate School of Business > Business Administration
Degree: PhD - Doctor of Philosophy
Thesis Type: Doctoral Dissertation
Refereed: Yes
Uncontrolled Keywords: Computer Security; Control; Mandatoriness; Reward; Risk
Other ID: http://etd.library.pitt.edu/ETD/available/etd-07242007-151755/, etd-07242007-151755
Date Deposited: 10 Nov 2011 19:53
Last Modified: 15 Nov 2016 13:46
URI: http://d-scholarship.pitt.edu/id/eprint/8566