Logo FedCSIS

Annals of Computer Science and Information Systems, Volume 24

Proceedings of the 2020 International Conference on Research in Management & Technovation

Logo PTI

A Perspective on the Intersection of Information Security Policies and IA Awareness, Factoring in End-User Behavior

DOI: http://dx.doi.org/10.15439/2020KM1

Citation: Proceedings of the 2020 International Conference on Research in Management & Technovation, Shivani Agarwal, Darrell Norman Burrell, Vijender Kumar Solanki (eds). ACSIS, Vol. 24, pages 137142 ()

Full text

Abstract. In 2017 Executive Order 13800 was enacted for all federal entities to use the NIST Cybersecurity Framework to report on FISMA compliance. According to GAO-19-545 report sixteen agencies were identified as failing to successfully implement FISMA regulations rooted in information security policies (ISPs). This paper will introduce the link between information assurance awareness with the prescribed actions and its direct influence on information security policies. While organizations are conscious of the federal rules and regulations, most continue to fail to successfully implement and comply with the guidelines due to a sincere lack of information assurance and awareness, which ties directly into human behavior. A discussion on the intersection of information security awareness and behavior will be presented. The UTAUT theory measures and informs the researcher on factors that influence the end-user. Conclusively, recommendations will be offered on why organizations need to invest in a mechanism that measures these factors, which increases information awareness to change behavior, thus achieving better compliance with their organizational ISPs.


  1. Government Accountability Office (GAO) Report # 19-545. Federal Information Security: Agencies and OMB Need to Strengthen Policies and Practices, 2019. https://www.gao.gov/assets/710/700588.pdf [Accessed October 10, 2020]
  2. National Institute of Standards and Technology (2011) Managing Information Security Risk: Organization, Mission, and Information System View, Special Publications (SP PUBS) 800-39, 2011. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf. [Accessed October 9, 2020]
  3. V. Venkatesh, M. Morris, G. Davis, and F. Davis. User acceptance of information technology: Toward a unified view, 2003. MIS Quarterly, 27, 425-478. http://dx.doi.org/10.2307/30036540. [Accessed October 9, 2020]
  4. K. Quigley, C. Burns, and K. Stallard, K. Cyber gurus: A rhetorical analysis of the language of cybersecurity specialists and the implications for security policy and critical infrastructure protection, 2015. Government Information Quarterly. Retrieved from http://doi.org/10.1016/j.giq.2015.02.001 [Accessed October 21, 2020]
  5. S. Lupin, H. Tun, A. Thike, and M. Puschin. Hybrid modeling as a tool for analysis of information systems security. In Proceedings of the 2016 IEEE North West Russia Young Researchers in Electrical and Electronic Engineering Conference (EIConRusNW), 2016 (pp. 259-261). Piscataway, NJ: IEEE. [Accessed October 3, 2020]
  6. L. Miller, and H. Gregory. CISSP and information security education, training, and awareness, 2016. Retrieved from http://www.dummies.com/programming/certification/cissp-information-security-education-training-awareness/. [Accessed October 3, 2020]
  7. C. Huang, and Y. Kao. UTAUT2 based predictions of factors influencing the technology acceptance of phablets by DNP. Mathematical Problems in Engineering, 2015, 1-23. http://dx.doi.org/10.1155/2015/603747 [Accessed October 3, 2020]
  8. B. Stahl, N. Doherty, and M. Shaw. Information security policies in the UK healthcare sector: A critical evaluation. Information Systems Journal, 22, 77-94, 2012. http://dx.doi.org/10.1111/j.1365-2575.2011.00378.x. [Accessed October 1, 2020]
  9. E. Kolkowska, F. Karlsson, and K. Hedström. Towards analyzing the rationale of information security noncompliance: Devising a value-based compliance analysis method. The Journal of Strategic Information Systems, 26, 39-57, 2017. http://dx.doi.org/10.1016/j.jsis.2016.08.005 [Accessed October 10, 2020]
  10. D. Kostadinov. Key elements of an information security policy, 2014. Retrieved from https://resources.infosecinstitute.com/key-elements-information-security-policy/#gref [Accessed October 5, 2020]
  11. B. Lebek, J. Uffen, M. Neumann, B. Hohler, and M. Breitner. Information security awareness and behavior: A theory-based literature review. Management Research Review, 37, 1049-1092, 2014). http://dx.doi.org/10.1108/MRR-04-2013-0085 [Accessed October 5, 2020]
  12. T. Peltier. Information security policies, procedures, standards: Guidelines for effective information security management, 2016. Boca Raton, FL: CRC Press. [Accessed October 6, 2020]
  13. V. Etsebeth. Information security policies: The legal risk of uninformed personnel. Paper presented at the ISSA 2006 From Insight to Foresight Conference, Sandton, South Africa, 2006. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi= [Accessed October 6, 2020]
  14. V. Venkatesh, J. Thong, and X. Xu. Consumer acceptance and use of information technology: Extending the unified theory of acceptance and use of technology, 2012. MIS Quarterly, 36, 157-178. http://dx.doi.org/10.2307/41410412. [Accessed October 5, 2020]
  15. S. Fourtané. How ‘defense in depth’ gets data protection right, 2018. Retrieved from https://www.securitynow.com/author.asp?section_id=613&doc_id=741221 [Accessed October 5, 2020]
  16. J. Hammarstrand, and T. Fu. Information security awareness and behavior: Of trained and untrained home users in Sweden, 2015. Retrieved from http://www.diva-portal.se/smash/get/diva2:950568/FULLTEXT01.pdf. [Accessed October 5, 2020]
  17. A. Ahlan, M. Lubis, and A. Lubis Information security awareness at the knowledge-based institution: Its antecedents and measures. Procedia Computer Science, 72, 361-373, 2015. http://dx.doi.org/10.1016/j.procs.2015.12.151 [Accessed October 5, 2020]
  18. F. Haeussinger, and J. Kranz. Information security awareness: Its antecedents and mediating effects on security compliant behavior. Paper presented at the Thirty-fourth International Conference on Information Systems, Milan, Germany, 2013. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi= [Accessed October 15, 2020]
  19. E. Yildirim. The importance of information security awareness for the success of business enterprises. In D. Nicholson (Ed.), Advances in human factors in cybersecurity: Advances in intelligent systems and computing (Vol. 501, pp. 211-212), 2016. Cham, Switzerland: Springer. [Accessed October 15, 2020]
  20. N. Giandomenico, and J. de Groot. Insider vs. outsider data security threats: What’s the greater risk, 2018. Retrieved from https://digitalguardian.com/blog/insider-outsider-data-security-threats. [Accessed October 15, 2020]
  21. M. Heckman, and R. Schell. Using proven reference monitor patterns for security evaluation. Information, 7(2), 23-32, 2016. http://dx.doi.org/10.3390/info7020023 [Accessed October 15, 2020]
  22. S. Pahnila, M. Siponen, and A. Mahmood. Employees’ behavior towards IS security policy compliance. In R. H. Srague, Jr. (Ed.), Proceedings of the 40th annual Hawaii International Conference on System Sciences (pp. 156-165), 2007. Piscataway, NJ: IEEE. [Accessed October 15, 2020]
  23. A. Stephanou, and R. Dagada. The impact of information security awareness training on information. Security behavior: The case for further research. In H. Venter, M. Eloff, J. Eloff, & L. Labuschagne (Eds.), Information security for South Africa: Proceedings of the ISSA 2008 Innovative Minds Conference (pp. 311-330), 2008. Pretoria, South Africa: Information Security South Africa [Accessed October 15, 2020]
  24. J. Andress. The basics of information security: Understanding the fundamentals of infosec in theory and practice, 2015. Rockland, MA: Syngress. [Accessed October 5, 2020]
  25. A. Shameli-Sendi, R. Aghababaei-Barzegar, and M. Cheriet, M. Taxonomy of information security risk assessment (ISRA). Computers & Security, 57, 14-30, 2016. http://dx.doi.org/10.1016/j.cose.2015.11.001/ [Accessed October 5, 2020]
  26. F. Aloul. The need for effective information security awareness. Journal of Advances in Information Technology, 3, 176-183, 2012. http://dx.doi.org/10.4304/jait.3.3.176-183. [Accessed October 15, 2020]
  27. T. Deepa. Survey on need for cyber security in India. Unpublished manuscript, Acharya Institute of Technology, Bangalore, Karnataka, India, 2014. http://dx.doi.org/10.10.13140/2.1.4555.7768 [Accessed October 15, 2020]
  28. D. Shackleford. Combating cyber risks in the supply chain. SANS Institute, 2015. Retrieved from https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252. [Accessed October 15, 2020]
  29. H. Kyriakou, J. Nickerson, and G. Sabnis. Knowledge reuse for customization: Metamodels in an open design community for 3D printing. MIS Quarterly, 41, 315-332, 2017. http://dx.doi.org/10.25300/MISQ/2017/41.1/17. [Accessed October 15, 2020]
  30. J. Arenas-Gaitán, B. Peral-Peral, and M. Ramon-Jeronimo. Elderly and internet banking: An application of UTAUT2. Journal of Internet Banking and Commerce, 20(1), 1-23, 2015. Retrieved from http://www.icommercecentral.com [Accessed October 15, 2020]
  31. S. Muller, and M. Lind. Factors in information assurance professionals’ intentions to adhere to information security policies. International Journal of Systems and Software Security and Protection, 11(1), 2020. Hershey, PA: IGI Global [Accessed October 15, 2020]
  32. F. Alqahtani. Developing an information security policy: A case study approach. Procedia Computer Science, 124, 691-697, 2017. http://dx.doi.org/10.1016/j.procs.2017.12.206. [Accessed October 5, 2020]
  33. N. Lord. Data security experts reveal the biggest mistakes companies make with data and information security, 2018. Retrieved from https://digitalguardian.com/blog/data-security-experts-reveal-biggest-mistakes-companies-make-data-information-security [Accessed October 5, 2020]
  34. N. Humaidi, and V. Balakrishnan. Leadership styles and information security compliance behavior: The mediator effect of information security awareness. International Journal of Information and Education Technology, 5, 311-318, 2015. http://dx.doi.org/10.7763/IJIET.2015.V5.522