Factors that Influence Information Security Behavior: An Australian Web-Based Study

  • Malcolm PattinsonEmail author
  • Marcus Butavicius
  • Kathryn Parsons
  • Agata McCormac
  • Dragana Calic
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9190)


Information Security professionals have been attempting to convince senior management for many years that humans represent a major risk to the security of an organization’s computer systems and the information that these systems process. This major threat relates to the behavior of employees whilst they are using a computer at work. This paper examines the non-malicious computer-based behavior and how it is influenced by a mixture of individual, organizational and interventional factors. The specific factors reported herein include an employee’s age; education level; ability to control impulsivity; familiarity with computers; and personality. This research utilized the Qualtrics online web-based survey software to develop and distribute a questionnaire that resulted in 500 valid responses. The major conclusions of this research are that an employee’s accidental-naive behavior is likely to be less risky if they are more conscientious; older; more agreeable; less impulsive; more open; and, surprisingly, less familiar with computers.


Information security (InfoSec) Information risk Human aspects of cyber security (HACS) Behavioral information security Risk management 



This project is supported by a Premier's Research and Industry Fund grant provided by the South Australian Government Department of Further Education, Employment, Science and Technology.


  1. 1.
    Abraham, S.: Information security behaviour: factors and research directions. In: AMCIS 2011 Proceedings - All Submissions, Paper 462 (2011)Google Scholar
  2. 2.
    Pahnila, S., Siponen, M., Mahmood, A.: Employees’ behavior towards IS security policy compliance. In: 40th Annual Hawaii International Conference on System Sciences (HICSS 2007). IEEE, Hawaii (2007)Google Scholar
  3. 3.
    D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach. Inf. Syst. Res. 20(1), 79–98 (2009)CrossRefGoogle Scholar
  4. 4.
    Anderson, C., Agarwal, R.: Practicing safe computing: a multimethod empirical examination of home computer user security behavioral intentions. MIS Q. 34(3), 613–643 (2010)Google Scholar
  5. 5.
    Vance, A., Siponen, M., Pahnila, S.: Motivating IS security compliance: insights from habit and protection motivation theory. Inf. Manag. 49(3), 190–198 (2012)CrossRefGoogle Scholar
  6. 6.
    Kajzer, M., et al.: An exploratory investigation of message-person congruence in information security awareness campaigns. Comput. Secur. 43, 64–76 (2014)CrossRefGoogle Scholar
  7. 7.
    AS/NZS_ISO/IEC_27002: Information Technology - Security Techniques - Code of practice for Information security management. Standards Australia/Standards New Zealand (2006)Google Scholar
  8. 8.
    NIST_SP800_100: Information Security Handbook: A Guide for Managers. National Institute of Standards and Technology, MD (2006)Google Scholar
  9. 9.
    COBIT5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, IL (2012)Google Scholar
  10. 10.
    John, O.P., Donahue, E.M., Kentle, R.L.: The Big Five Inventory—Versions 4a and 54. University of California, Institute of Personality and Social Research, Berkeley (1991)Google Scholar
  11. 11.
    Gosling, S.D., Rentfrow, P.J., Swann Jr., W.B.: A very brief measure of the Big-Five personality domains. J. Res. Pers. 37(6), 504–528 (2003)CrossRefGoogle Scholar
  12. 12.
    Frederick, S.: Cognitive reflection and decision making. J. Econ. Perspect. 19(4), 25–42 (2005)CrossRefGoogle Scholar
  13. 13.
    Welsh, M., Burns, N., Delfabbro, P.: The cognitive reflection test: how much more than numerical ability? In: Proceedings of the 35th Annual Conference of the Cognitive Science Society (2013)Google Scholar
  14. 14.
    Green, S.B.: How many subjects does it take to do a regression analysis. Multivar. Behav. Res. 26, 499–510 (1991)CrossRefGoogle Scholar
  15. 15.
    Miles, J., Shevlin, M.: Applying Regression and Correlation: A Guide for Students and Researchers. SAGE Publications, London (2001)Google Scholar
  16. 16.
    Cohen, J.W.: Statistical Power Analysis for the Behavioral Sciences, 2 ed. Lawrence Erlbaum Associates, New Jersey (1988)Google Scholar
  17. 17.
    Pallant, J.: SPSS Survival Manual: A Step-by-Step Guide to Data Analysis using SPSS for Windows, 3 ed. Allen & Unwin, NSW (2007)Google Scholar
  18. 18.
    Nunnally, J., Bernstein, I.: Psychological Theory. McGraw-Hill, New York (1994)Google Scholar
  19. 19.
    D’Arcy, J., Greene, G.: Security culture and the employment relationship as drivers of employees’ security compliance. Inf. Manage. Comput. Secur. 22(5), 474–489 (2014)Google Scholar
  20. 20.
    Workman, M.: Gaining access with social engineering: an empirical study of the threat. Inf. Syst. Secur. 16(6), 315–331 (2007)CrossRefGoogle Scholar
  21. 21.
    Spector, P.E.: Using self-report questionnaires in OB research: a comment on the use of a controversial method. J. Organ. Behav. 15(5), 385–392 (1994)CrossRefGoogle Scholar
  22. 22.
    Edwards, A.L.: The relationship between the judged desirability of a trait and the probability that the trait will be endorsed. J. Appl. Psychol. 37(2), 90–93 (1953)CrossRefGoogle Scholar
  23. 23.
    Crossler, R.E., et al.: Future directions for behavioral information security research. Comput. Secur. 32, 90–101 (2013)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Malcolm Pattinson
    • 1
    Email author
  • Marcus Butavicius
    • 2
  • Kathryn Parsons
    • 2
  • Agata McCormac
    • 2
  • Dragana Calic
    • 2
  1. 1.Adelaide Business SchoolThe University of AdelaideAdelaideAustralia
  2. 2.Defence Science and Technology OrganisationEdinburghAustralia

Personalised recommendations