Date of Award

Spring 2010

Document Type

Dissertation

Degree Name

Doctor of Business Administration (DBA)

Department

Computer Information Systems

First Advisor

Tom L. Roberts

Abstract

Protecting information from a wide variety of security threats is an important and sometimes daunting organizational activity. Instead of solely relying on technological advancements to help solve human problems, managers within firms must recognize and understand the roles that organizational insiders have in the protection of information. The systematic study of human influences on organizational information security is termed behavioral information security (Fagnot 2008; Stanton, Stam, Mastrangelo, and Jolton 2006), and it affirms that the protection of organizational information assets is best achieved when the detrimental behaviors of organizational insiders are effectively deterred and the beneficial activities of these individuals are appropriately encouraged. Relative to the former, the latter facet has received little attention in the academic literature.

Given this opportunity, this dissertation explicitly focuses upon protective behaviors that help promote the protection of organizational information resources. These behaviors are termed protection-motivated behaviors (PMBs) and are defined as the volitional behaviors organizational insiders can enact that protect (1) organizationally-relevant information within their firms and (2) the computer-based information systems in which that information is stored, collected, disseminated, and/or manipulated from information-security threats. Each of the chapters herein is dedicated to fostering knowledge about these beneficial behaviors and acts as a complement to existing research in order to more fully support the entire scope of behavioral information security.

Chapter 2 focuses upon the development of a formal typology of PMBs and relies on the complementary classification techniques of Multidimensional Scaling (MDS), Property Fitting (ProFit) analysis, and cluster analysis. 67 individual PMBs were discovered, and the above classification techniques uncovered a three-dimensional perceptual space common among organizational insiders regarding PMBs. This space verifies that insiders differentiate PMBs according to whether the behaviors (1) require a minor or continual level of improvement within organizations, (2) are widely or narrowly standardized and applied throughout various organizations, and (3) are a reasonable or unreasonable request for organizations to make of their insiders. 14 unique clusters were also discovered during this process, a finding that further assists information security researchers in their understanding of how organizational insiders perceive the behaviors that help protect information assets.

Chapter 3 uses the findings from Chapter 2 to develop a self-report measure of insiders' engagement in PMBs within their organizations. PMBs are modeled as a multiple indicators and multiple causes (MIMIC) structure (Joreskog and Goldberger 1975) with the clusters found in Chapter 2 being first-order, formative constructs of the overall, second-order PMB measure. These clusters explain over 70% of the variance in overall PMB activity. The nomological validity of the newly constructed measure is also empirically examined in this chapter, and the results largely support the conceptualization of PMBs.

Chapter 4 places the measure developed in the previous chapter in a motivational model founded on Protection Motivation Theory (PMT) (Rogers 1975, 1983). The findings from covariance-based structural equation modeling show that insiders' motivation to engage in PMBs is largely influenced by the perceived efficacy of protective responses and potential adaptive response costs—both components of the coping appraisal process. Fear, however, is shown to have little influence on these motivational levels. In addition to the PMT components, several rival explanations are examined. Job satisfaction and management support are found to significantly explain variance in organizational insiders' motivation to engage in PMBs.

In summary, this dissertation comprises a significant work in the field of behavioral information security by conducting 33 semi-structured interviews, eliciting the participation of 13 subject matter experts, and issuing 6 individual data collections. When these efforts are combined, the results of this dissertation are based on the responses of more than 1,700 organizational insiders. The findings help both information security researchers and managers within organizations more fully understand the protective role that organizational insiders play in the protection of information resources.
