Technology-related interventions do not always prevent organizations from becoming victims of cyberattacks and data breaches. Indeed, cybersecurity is not just about technology: almost all successful cyberattacks have a contributing human factor. Employees can bolster organizational cybersecurity as, for the most part, technology cannot be the only solution. However, as much as employees can be a critical asset in the fight against cybersecurity breaches, they are also the ‘weakest link.’
The concept of Information Security Awareness (ISA) has two essential components. The first one relates to the level of understanding the individual has about the organizational information security policy (knowledge of information security policies and protocols). The second component is the extent to which the individual commits to the core principles of information security within an organization, and how much of its behaviour meets the requirements for ‘best practice’ in such a context. This second aspect presents an interesting avenue to explore individual differences in relation to the level of commitment an individual has to its current workplace.
The present study aimed to explore individual differences in human factors in the context of information security awareness. The first aim was to explore if an individual’s work locus of control could predict the level at which employees engage in effective ISA. The second aim was to explore if the construct of work identity could also serve to predict an individual’s adherence to ISA within the workplace.
The authors suggested that if an individual has poor engagement with their workplace and their organization, or if they feel they have limited control over their work, they will be less likely to engage in effective information security. Therefore, the authors used the concept of work locus of control which was designed to explore the extent to which an individual views the control they have over workplace roles and activities. Locus of control relates to an individual expectancy to how rewards or aspects of life outcomes are controlled on the basis of their actions (internality) or as a result of forces outside the control of the individual (externality). The study also includes the role of an individual’s work identity and its impact on ISA. Work identity measures the strength of an individual’s identification with their work, and not directly their workplace or organization.
More than 1,000 participants aged 18-65 took part in an online study between March 3-8, 2018. 76% of the participants were working full-time while 24% were part-timers. Participants had to be currently employed, at least 18 years of age, spend at least 20% of their standard working day using computer technology, and work for an organization that had formal or informal rules governing information security.
The results showed that only work locus of control acted as a key predictor for information security practice that could hinder the cybersecurity posture of the host organization. The individuals who were categorized as being more external and having limited perceived control over their workplace environments were more likely to have weaker information security awareness.
A better understanding of how and why employees fail to adhere to the principles related to information security in the workplace is essential to develop interventions that could enhance employees perception of control within the workplace, which in turn may serve to bolster their understanding of ISA as well as engaging them to take more control over such matters.
Cite: Hadlington, L., Popovac, M. Janicke, H., Yevseyeva, I. and Jones, K. (2019). Exploring the role of work identity and work locus of control in information security awareness. Computers and Security, 81, 41-48.