
A Descriptive Review and Classification of Organizational Information Security Awareness Research

Conference paper, Information and Cyber Security (ISSA 2019)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1166)

Abstract

Information security awareness (ISA) is a vital component of information security in organizations. The purpose of this research is to descriptively review and classify the current body of knowledge on ISA. A sample of 59 peer-reviewed academic journal articles, published over the decade from 2008 to 2018, was analyzed. Articles were classified using coding techniques from the grounded theory literature-review method. The results show that ISA research is evolving, with behavioral research studies still being explored. Quantitative empirical research is the dominant methodology, and the top three theories used are general deterrence theory, theory of planned behavior, and protection motivation theory. Future research could focus on qualitative approaches to provide greater depth of ISA understanding.



Acknowledgements

This work is based on the research supported wholly/in part by the National Research Foundation of South Africa (Grant Numbers 114838).

Author information

Correspondence to Jacques Ophoff.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Hutchinson, G., Ophoff, J. (2020). A Descriptive Review and Classification of Organizational Information Security Awareness Research. In: Venter, H., Loock, M., Coetzee, M., Eloff, M., Eloff, J. (eds) Information and Cyber Security. ISSA 2019. Communications in Computer and Information Science, vol 1166. Springer, Cham. https://doi.org/10.1007/978-3-030-43276-8_9


  • DOI: https://doi.org/10.1007/978-3-030-43276-8_9


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-43275-1

  • Online ISBN: 978-3-030-43276-8
