A Management Decision Support System for Evaluating Information Security Behaviour

  • Dirk SnymanEmail author
  • Hennie Kruger
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1166)


Information security management is a difficult task in organisations. Owing to skills shortages and the like, there are relatively few managerial staff that possess the required expertise to confidently make security decisions. The purpose of this paper is to present a decision support system that can analyse, and provide insight into, information security behaviour in an organisation, all the while supporting management decision-making for organisational factors. Behavioural threshold analysis is employed by the system to predict eventual information security behaviour for different groupings in an organisation. The decision support system that is presented here, which is the first of its kind, can be helpful in understanding the current state of organisational information security behaviour, and what can be done to improve upon the current state. After intervention measures the system may be used to test whether these measures had the intended positive effect. The system is discussed in terms of the different information areas that are used to allow insight into the security behaviours. A critical reflection provides an analysis of the contributions and limitations of the system.


Information security Decision support system Behavioural threshold analysis 



The authors would like to thank and acknowledge the contributions of Erik Jonker and Arno Strydom for their undertaking in programming the system based on the requirements as set out by the authors.


  1. 1.
    Alshaikh, M., Maynard, S.B., Ahmad, A., Chang, S.: An exploratory study of current information security training and awareness practices in organizations. In: 51st Hawaii International Conference on System Sciences, pp. 5085–5094 (2018)Google Scholar
  2. 2.
    Singh, A.N., Gupta, M.: Information security management practices: case studies from India. Glob. Bus. Rev. 20, 253–271 (2019)CrossRefGoogle Scholar
  3. 3.
    Werlinger, R., Hawkey, K., Beznosov, K.: An integrated view of human, organizational, and technological challenges of IT security management. Inf. Manag. Comput. Secur. 17, 4–19 (2009)CrossRefGoogle Scholar
  4. 4.
    Shao, X., Siponen, M., Pahnila, S.: To calculate or to follow others: how do information security managers make investment decisions? In: 52nd Hawaii International Conference on System Sciences, pp. 4885–4894 (2019)Google Scholar
  5. 5.
    Fielder, A., Panaousis, E., Malacaria, P., Hankin, C., Smeraldi, F.: Decision support approaches for cyber security investment. Decis. Support Syst. 86, 13–23 (2016)CrossRefGoogle Scholar
  6. 6.
    Kankanhalli, A., Teo, H.-H., Tan, B.C., Wei, K.-K.: An integrative study of information systems security effectiveness. Int. J. Inf. Manag. 23, 139–154 (2003)CrossRefGoogle Scholar
  7. 7.
    Shropshire, J., Warkentin, M., Sharma, S.: Personality, attitudes, and intentions: predicting initial adoption of information security behavior. Comput. Secur. 49, 177–191 (2015)CrossRefGoogle Scholar
  8. 8.
    Almeida, L., Respício, A.: Decision support for selecting information security controls. J. Decis. Syst. 27, 173–180 (2018)CrossRefGoogle Scholar
  9. 9.
    Furnell, S., Fischer, P., Finch, A.: Plugging the cyber-security skills gap. Comput. Fraud Secur. 2013, 5–10 (2013)Google Scholar
  10. 10.
    Snyman, D.P., Kruger, H.A.: Behavioural threshold analysis: methodological and practical considerations for applications in information security. Behav. Inf. Technol. 38, 1–19 (2019)CrossRefGoogle Scholar
  11. 11.
    Bada, M., Sasse, A.M., Nurse, J.R.: Cyber security awareness campaigns: why do they fail to change behaviour? In: 1st International Conference on Cyber Security for Sustainable Society, pp. 118–131 (2019)Google Scholar
  12. 12.
    Furnell, S., Thomson, K.-L.: Recognising and addressing ‘security fatigue’. Comput. Fraud Secur. 2009, 7–11 (2009)CrossRefGoogle Scholar
  13. 13.
    Stanton, B., Theofanos, M.F., Prettyman, S.S., Furman, S.: Security fatigue. IT Prof. 18, 26–32 (2016)CrossRefGoogle Scholar
  14. 14.
    Granovetter, M.: Threshold models of collective behavior. Am. J. Sociol. 83, 1420–1443 (1978)CrossRefGoogle Scholar
  15. 15.
    Snyman, D.P., Kruger, H.A.: Behavioural thresholds in the context of information security. In: 10th International Symposium on Human Aspects of Information Security & Assurance (HAISA 2016), pp. 22–32. Plymouth University (2016)Google Scholar
  16. 16.
    Growney, J.S.: I Will if You Will: Individual Thresholds and Group Behavior - Applications of Algebra to Group Behavior. COMAP Inc., Bedford (1983)Google Scholar
  17. 17.
    Hekkala, R., Väyrynen, K., Wiander, T.: Information security challenges of social media for companies. In: 20th European Conference on Information Systems, p. 56 (2012)Google Scholar
  18. 18.
    Gardner, B., Thomas, V.: Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats. Elsevier, Amsterdam (2014)Google Scholar
  19. 19.
    Ashenden, D.: In their own words: employee attitudes towards information security. Inf. Comput. Secur. 26, 327–337 (2018)CrossRefGoogle Scholar
  20. 20.
    Pérez-González, C.J., Colebrook, M., Roda-García, J.L., Rosa-Remedios, C.B.: Developing a data analytics platform to support decision making in emergency and security management. Expert Syst. Appl. 120, 167–184 (2019)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.School of Computer Science and Information SystemsNorth-West UniversityPotchefstroomSouth Africa

Personalised recommendations