The Curious Incidence of Security Breaches by Knowledgeable Employees and the Pivotal Role a of Security Culture

  • Karen Renaud
  • Wendy Goucher
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8533)


Computer users are often referred to, rather disparagingly as “the weakest link” in information security. This resonates with the frus- tration experienced by organisations who are doing their best to secure their systems, only to have an employee compromise everything with an insecure act. Organisations put a great deal of effort into education and training but it has become clear that this, on its own, is not sufficient. A wide range of relevant literature has been consulted in order to produce a model that reflects the process from ignorance to actual behaviour, and to highlight the factors that play a role in this pathway. This is the pri- mary contribution of this paper. The model introduces the notion of two gulfs. The gulf of evaluation has the undecided user at one side, at the other a user with an intention to behave securely. A set of factors that help to bridge the gulf have been identified from the research literature. The second gulf is called the gulf of execution, which has to be bridged, assisted or deterred by a number of factors, so that users will convert intentions to actual behaviours. Interestingly, one of the factors that play a role in bridging both gulfs is security culture. Particular attention is paid to this factor and its role in encouraging secure behaviour.


Actual Behaviour Behavioural Intention Information Security Human Motivation Descriptive Norm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Chia, P., Maynard, S., Ruighaver, A.: Understanding organizational security culture. In: Proceedings of PACIS 2002, Japan (2002)Google Scholar
  2. 2.
    Albrechtsen, E.: A qualitative study of users’ view on information security. Computers & Security 26(4), 276–289 (2007)CrossRefGoogle Scholar
  3. 3.
    Pahnila, S., Siponen, M., Mahmood, A.: Employees’ behavior towards is security policy compliance. In: 40th Annual Hawaii International Conference on System Sciences, HICSS 2007, p. 156b. IEEE (2007)Google Scholar
  4. 4.
    Siponen, M., Pahnila, S., Mahmood, A.: Employees adherence to information security policies: an empirical study. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds.) New Approaches for Security, Privacy and Trust in Complex Environments. IFIP, vol. 232, pp. 133–144. Springer, Boston (2007)CrossRefGoogle Scholar
  5. 5.
    Ross, B., Jackson, C., Miyake, N., Boneh, D., Mitchell, J.C.: Stronger pass- word authentication using browser extensions. In: Proceedings of the 14th Usenix Security Symposium, vol. 1998 (2005)Google Scholar
  6. 6.
    Gaunt, N.: Practical approaches to creating a security culture. International Journal of Medical Informatics 60(2), 151–157 (2000)CrossRefGoogle Scholar
  7. 7.
    Gundu, T., Flowerday, S.V.: The enemy within: A behavioural intention model and an information security awareness process. In: Information Security for South Africa (ISSA), pp. 1–8. IEEE (2012)Google Scholar
  8. 8.
    Skinner, B.F.: Beyond freedom and dignity. Bantam Vintage (1972)Google Scholar
  9. 9.
    Locke, J.: Some thoughts concerning education. In: Eliot, C.W. (ed.) The Harvard Classics, ch. XXXVII. P.F. Collier & Son, New York (1909-1914)Google Scholar
  10. 10.
    Gloucestershire Citizen, Poundland staff in Gloucester given 10p discount for Christmas bonus (December 22, 2013),
  11. 11.
    Hawkes, S.: IKEA rewards thousands of staff with pension bonus. The Telegraph (December 19, 2013)Google Scholar
  12. 12.
    Taylor, F.W.: The principles of scientific management, New York, vol. 202 (1911)Google Scholar
  13. 13.
    Maslow, A.H.: A theory of human motivation. Psychological Review 50(4), 370 (1943)CrossRefGoogle Scholar
  14. 14.
    Roe, A.: Section of psychology: Personality and vocation. Transactions of the New York Academy of Sciences 9(7 Series II), 257–267 (1947)CrossRefGoogle Scholar
  15. 15.
    Rock, D.: SCARF: a brain-based model for collaborating with and influencing others. NeuroLeadership Journal 1(1), 44–52 (2008)Google Scholar
  16. 16.
    Lopes, H.: Why do people work? Individual wants versus common goods. Journal of Economic Issues 45(1), 57–74 (2011)CrossRefGoogle Scholar
  17. 17.
    Deci, E.L.: Intrinsic motivation, extrinsic reinforcement, and inequity. Journal of Personality and Social Psychology 22(1), 113 (1972)CrossRefGoogle Scholar
  18. 18.
    Pink, D.H.: The surprising truth about what motivates us. Soundview Executive Book Summaries (2010)Google Scholar
  19. 19.
    Ryff, C.D., Keyes, C.L.M.: The structure of psychological well-being revisited. Journal of Personality and Social Psychology 69(4), 719 (1995)CrossRefGoogle Scholar
  20. 20.
    Adams, J.S.: Inequity in social exchange. Advances in Experimental Social Psychology 2, 267–299 (1965)CrossRefGoogle Scholar
  21. 21.
    Ajzen, I.: From intentions to actions: A theory of planned behavior. Springer (1985)Google Scholar
  22. 22.
    Norman, D.A.: Cognitive engineering. In: User Centered System Design, pp. 31–61 (1986)Google Scholar
  23. 23.
    Webb, T.L., Sheeran, P.: Integrating concepts from goal theories to understand the achievement of personal goals. European Journal of Social Psychology 35(1), 69–96 (2005)CrossRefGoogle Scholar
  24. 24.
    Cooke, R., Sheeran, P.: Moderation of cognition-intention and cognition- behaviour relations: A meta-analysis of properties of variables from the theory of planned behaviour. British Journal of Social Psychology 43(2), 159–186 (2004)CrossRefGoogle Scholar
  25. 25.
    Dinev, T., Hu, Q.: The centrality of awareness in the formation of user behavioral intention toward preventive technologies in the context of voluntary use. In: The Fourth Annual Workshop on HCI Research in MIS, International Conference of Information Systems, ICIS (2005)Google Scholar
  26. 26.
    Bentler, P.M., Speckart, G.: Models of attitude–behavior relations. Psychological Review 86(5), 452 (1979)CrossRefGoogle Scholar
  27. 27.
    Herath, T., Rao, H.R.: Protection motivation and deterrence: a framework for security policy compliance in organisations. European Journal of Information Systems 18(2), 106–125 (2009)Google Scholar
  28. 28.
    Hedstrom, K., Karlsson, F., Kolkowska, E.: Social action theory for understanding information security non-compliance in hospitals: The importance of user rationale. Information Management & Computer Security 21(4), 266–287 (2013)CrossRefGoogle Scholar
  29. 29.
    Maddux, J.E., Rogers, R.W.: Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change. Journal of Experimental Social Psychology 19(5), 469–479 (1983)CrossRefGoogle Scholar
  30. 30.
    Vroom, V.H., Yetton, P.W.: Leadership and decision-making. University of Pittsburgh Press (1973)Google Scholar
  31. 31.
    Liu, C., Marchewka, J.T., Lu, J., Yu, C.-S.: Beyond concern: a privacy–trust–behavioral intention model of electronic commerce. Information & Management 42(1), 127–142 (2004)CrossRefGoogle Scholar
  32. 32.
    Damond, M.E., Breuer, N.L., Pharr, A.E.: The evaluation of setting and a culturally specific HIV/AIDS curriculum: HIV/AIDS knowledge and behavioral intent of african american adolescents. Journal of Black Psychology 19(2), 169–189 (1993)CrossRefGoogle Scholar
  33. 33.
    Goo, J., Yim, M.-S., Kim, D.J.: A path way to successful management of individual intention to security compliance: A role of organizational security climate. In: 2013 46th Hawaii International Conference on System Sciences (HICSS), pp. 2959–2968. IEEE (2013)Google Scholar
  34. 34.
    Renaud, K., Goucher, W.: Health service employees and information security policies: an uneasy partnership? Information Management & Computer Security 20(4), 296–311 (2012)CrossRefGoogle Scholar
  35. 35.
    Shelton, D.: Commitment and compliance: The role of non-binding norms in the international legal system. Oxford University Press (2003)Google Scholar
  36. 36.
    Steel, R.P., Ovalle, N.K.: A review and meta-analysis of research on the relationship between behavioral intentions and employee turnover. Journal of Applied Psychology 69(4), 673 (1984)CrossRefGoogle Scholar
  37. 37.
    Christophel, D.M.: The relationships among teacher immediacy behaviors, student motivation, and learning. Communication Education 39(4), 323–340 (1990)CrossRefGoogle Scholar
  38. 38.
    Whitby, M., McLaws, M.-L., Ross, M.W.: Why healthcare workers don’t wash their hands: a behavioral explanation. Infection Control and Hospital Epidemiology 27(5), 484–492 (2006)CrossRefGoogle Scholar
  39. 39.
    Bakker, A.B., Demerouti, E., Verbeke, W.: Using the job demands-resources model to predict burnout and performance. Human Resource Management 43(1), 83–104 (2004)CrossRefGoogle Scholar
  40. 40.
    Furnell, S., Rajendran, A.: Understanding the influences on information security behaviour. Computer Fraud & Security 2012(3), 12–15 (2012)CrossRefGoogle Scholar
  41. 41.
    Ashenden, D., Sasse, A.: CISOs and organisational culture: Their own worst enemy? Computers & Security 39, 396–405 (2013)CrossRefGoogle Scholar
  42. 42.
    Van Niekerk, J., Von Solms, R.: Information security culture: A management perspective. Computers & Security 29(4), 476–486 (2010)CrossRefGoogle Scholar
  43. 43.
    Leach, J.: Improving user security behaviour. Computers & Security 22(8), 685–692 (2003)CrossRefGoogle Scholar
  44. 44.
    Pornpitakpan, C.: The persuasiveness of source credibility: A critical review of five decades’ evidence. Journal of Applied Social Psychology 34(2), 243–281 (2004)CrossRefGoogle Scholar
  45. 45.
    Furnell, S., Thomson, K.-L.: From culture to disobedience: Recognising the varying user acceptance of it security. Computer Fraud & Security 2009(2), 5–10 (2009)CrossRefGoogle Scholar
  46. 46.
    Schelly, C., Cross, J.E., Franzen, W.S., Hall, P., Reeve, S.: Reducing energy consumption and creating a conservation culture in organizations: A case study of one public school district. Environment and Behavior 43(3), 316–343 (2011)CrossRefGoogle Scholar
  47. 47.
    Webb, T.L., Sheeran, P.: Does changing behavioral intentions engender behavior change? a meta-analysis of the experimental evidence. Psychological Bulletin 132(2), 249 (2006)CrossRefGoogle Scholar
  48. 48.
    Walton, R.E.: From control to commitment in the workplace. In: The Sociology of Organizations: Classic, Contemporary, and Critical Readings, pp. 114–122. Sage Publications, California (2003)Google Scholar
  49. 49.
    Singh, A.N., Picot, A., Kranz, J., Gupta, M., Ojha, A.: Information security management (ism) practices: Lessons from select cases from India and Germany. Global Journal of Flexible Systems Management 14(4), 225–239 (2013)CrossRefGoogle Scholar
  50. 50.
    Foubert, J.D.: The longitudinal effects of a rape-prevention program on fraternity mens attitudes, behavioral intent, and behavior. Journal of American College Health 48, 158–163 (2000)CrossRefGoogle Scholar
  51. 51.
    Ouellette, J.A., Wood, W.: Habit and intention in everyday life: the multiple processes by which past behavior predicts future behavior. Psychological Bulletin 124(1), 54 (1998)CrossRefGoogle Scholar
  52. 52.
    Gollwitzer, P.M., Bayer, U.C., McCulloch, K.C.: The control of the unwanted. In: The New Unconscious, pp. 485–515 (2005)Google Scholar
  53. 53.
    Thomson, K.-L., von Solms, R., Louw, L.: Cultivating an organizational information security culture. Computer Fraud & Security 2006(10), 7–11 (2006)CrossRefGoogle Scholar
  54. 54.
    Rivis, A., Sheeran, P.: Descriptive norms as an additional predictor in the theory of planned behaviour: A meta-analysis. Current Psychology 22(3), 218–233 (2003)CrossRefGoogle Scholar
  55. 55.
    Sheppard, B.H., Hartwick, J., Warshaw, P.R.: The theory of reasoned action: A meta-analysis of past research with recommendations for modifications and future research. Journal of Consumer Research, 325–343 (1988)Google Scholar
  56. 56.
    Feldman, D.C.: The development and enforcement of group norms. Academy of Management Review 9(1), 47–53 (1984)Google Scholar
  57. 57.
    Knapp, K.J., Marshall, T.E., Rainer, R.K., Ford, F.N.: Information security: management’s effect on culture and policy. Information Management & Computer Security 14(1), 24–36 (2006)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Karen Renaud
    • 1
  • Wendy Goucher
    • 1
  1. 1.School of Computing ScienceUniversity of GlasgowGlasgowUK

Personalised recommendations