Information security in the workplace : a mixed-methods approach to understanding and improving security behaviours

Traditionally, employees have been viewed as an enemy to information security (IS) within organisations, rather than as an organisational asset that can be harnessed to help protect company information. Existing research is largely fragmented with a distinct lack of theory-based approaches for the de...

Bibliographic Details
Main Author: Blythe, John Matthew
Other Authors: Coventry, Lynne
Published: Northumbria University 2015
Online Access: https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.713851
id ndltd-bl.uk-oai-ethos.bl.uk-713851
record_format oai_dc
spelling ndltd-bl.uk-oai-ethos.bl.uk-713851 2018-09-05T03:29:44Z Information security in the workplace : a mixed-methods approach to understanding and improving security behaviours Blythe, John Matthew Coventry, Lynne 2015 658.4 C800 Psychology Northumbria University https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.713851 http://nrl.northumbria.ac.uk/30328/ Electronic Thesis or Dissertation
collection NDLTD
sources NDLTD
topic 658.4
C800 Psychology
description Traditionally, employees have been viewed as an enemy to information security (IS) within organisations, rather than as an organisational asset that can be harnessed to help protect company information. Existing research is largely fragmented with a distinct lack of theory-based approaches for the design and evaluation of behaviour change interventions. Furthermore, research has largely focussed on employees' compliance with IS policies and less so on the multitude of individual behaviours covered in them. This thesis presents a mixed-method approach to changing employees' security behaviour using theory to inform the design of an intervention. The thesis identified influencers and barriers to specific security behaviours and developed an extended-Protection Motivation Theory model. The model includes information sensitivity appraisal as an important influencer for which a new scale (WISA) was developed and validated. The model was tested on three specific anti-malware behaviours: usage of anti-malware software, installing software updates and avoiding suspicious links within emails. The testing allowed the identification of the most influential factors for each behaviour and demonstrated how these factors differ between behaviours, a nuance that is lost when adopting the IS policy compliance approach and that was also confirmed by the qualitative findings. The findings from the models informed the design of the behaviour change intervention. Components of the model were utilised in an intervention to promote email security behaviour. The intervention comprised a motivational component, together with a volitional component based on implementation intentions to help translate good 'intentions' into good 'security actions'. The study found significant improvements in objective performance on email legitimacy tasks that were more sustainable with the addition of implementation intentions. Response efficacy was an identified barrier, demonstrated to influence anti-malware behaviours and was malleable to significant change during the intervention. The theoretical and practical implications of these results are discussed together with suggestions for future research.
author2 Coventry, Lynne
author Blythe, John Matthew
title Information security in the workplace : a mixed-methods approach to understanding and improving security behaviours
publisher Northumbria University
publishDate 2015
url https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.713851