Employees Attitude towards Cyber Security and Risky Online Behaviours: An Empirical Assessment in the United Kingdom
Description
The present study aimed to explore whether the size of the company an individual works for, their age, or their attitudes towards cyber security affected how frequently they engaged in risky online behaviours. A total of 515 participants aged 18 to 84, in full- or part-time employment, were asked to complete a questionnaire consisting of two scales. One measured their attitude towards cyber security and general awareness of cyber crime; the other examined the types of 'risky' cyber security behaviours they engaged in. The results demonstrated a significant negative correlation between attitudes towards cyber security and risky cyber security behaviours, with more negative attitudes being linked to higher levels of risky behaviours. There were also significant differences by company size and age group in both the frequency of engaging in risky cyber security behaviour and attitudes towards cyber security. The findings are presented as furthering our understanding of how employee attitudes contribute to company cyber security, as well as highlighting how the size of an organisation could be linked to differences in knowledge of and adherence to ISA protocols.
Files
HadlingtonVol12Issue1IJCC2018.pdf (521.4 kB)
md5:59b51e2da2d5b14e97629c90bf4cd98e
Additional details
Related works
- Is identical to
- http://cybercrimejournal.com/HadlingtonVol12Issue1IJCC2018.pdf (URL)