AbstractsBusiness Management & Administration

The Role of Information Security Awareness for Promoting Information Security Policy Compliance in Banks

by Stefan Bauer

Institution: Vienna University of Economics and Business
Year: 2016
Posted: 02/05/2017
Record ID: 2094708
Full text PDF: http://epub.wu.ac.at/4946/1/DISS_FINAL_V2.pdf


Banks rely heavily on information security (IS) by preserving confidentiality, integrity, and availability of information. A key layer for ensuring information security is the employees, who need to be aware of possible information security issues and behave accordingly. Banks introduce information security policies (ISP) to establish required rules for IS behavior and implement information security awareness (ISA) programs, which are systematically planned ISA interventions such as structured campaigns using intranet messages or posters to educate employees and enhance their ISA. According to previous conceptual research, the most cost-effective method to prevent IS incidents is fostering ISA. The purpose of this dissertation is to explore the role of ISA for promoting employees' ISP compliance. The four stages of this dissertation project focus on organizational efforts such as ISA programs to improve employees' compliant IS behavior and identifying predecessors for explaining employees' ISP compliance based on established scientific theories. A developmental mixed methods approach is conducted through these four stages of analysis. Primary data were collected in each stage to investigate banks operating in countries such as Austria, Germany, Czech Republic, Hungary, Slovakia, and Rumania. In the first research stage, semi-structured expert interviews were conducted with operational risk and IS managers to explore banks' efforts to counteract IS incidents. The considered banks primarily use online methods such as intranet articles and conventional methods such as posters for building ISA. Second, the findings from stage one were incorporated in research stage two, in which a positivistic case study was conducted to test the Theory of Reasoned Action, Neutralization Theory, as well as the Knowledge-Attitude-Behavior model. The data were analyzed by utilizing partial least squares structural equation modeling (PLS-SEM). In addition to several qualitative interviews and an online survey at the headquarters of the case bank, data such as internal ISA materials (e.g., posters or IS intranet messages) were also analyzed. The second research stage provided empirical evidence that ISA program components affect employees' ISA, which further positively affects employees' attitudes and social norms toward compliance with ISPs, but negatively affects the use of neutralization techniques. All of these effects should eventually positively influence IS. This is shown in the chain of subsequent factors. The employees' attitudes and social norms positively affect the intention for compliant IS behavior, which is negatively affected by the use of neutralization techniques. In the third research stage, the influence of employees' perception of ISA programs on the Protection Motivation Theory was examined by conducting an online survey among German bank employees. It is demonstrated that employees' perception of ISA programs positively affects perceived severity as well as their coping mechanisms, which play the most important role…