Computers & Security

Volume 28, Issue 8, November 2009, Pages 816-826

Self-efficacy in information security: Its influence on end users' information security practice behavior

https://doi.org/10.1016/j.cose.2009.05.008

Abstract

The ultimate success of information security depends on appropriate information security practice behaviors by the end users. Based on social cognitive theory, this study models and tests relationships among self-efficacy in information security, security practice behavior and motivation to strengthen security efforts. This study also explores antecedents to individuals' self-efficacy beliefs in information security. Results provide support for many of the hypothesized relationships. This study provides an initial step toward understanding the applicability of social cognitive theory in a new domain, information security. The results suggest that simply listing what not to do, and the penalties associated with wrongdoing, in the users' information security policy alone will have a limited impact on effective implementation of security measures. The findings may help information security professionals design security awareness programs that more effectively increase self-efficacy in information security.

Introduction

The increasing sophistication of information security threats and the ever-growing body of regulation have made information security a critical function within many sectors of business. Organizations devote significant resources to controlling threats to their information security by securing their networks with a combination of anti-virus/anti-spyware software, firewalls, intrusion detection and prevention systems, and content filtering software. However, this technical layer of an organization's defense can succumb to human failure. A laptop is left carelessly behind in a public area such as an Internet café. Through social engineering manipulation, naïve users often reveal their passwords and e-mail the company directory or other sensitive and classified information (Winkler and Hayden, 2005). American Express warned its customers of a phishing scheme that presents itself as a security measure by the company and asks for the social security number, mother's maiden name, and date of birth (Washkuch, 2006). Numerous other studies provide similar evidence (e.g., see Albrechtsen, 2007). For the past several years, malicious code has been listed as one of the dominating threats to information security (Power, 2008). Spyware is a type of malicious code intended to help an unauthorized entity break into users' computers to divulge private information (Thompson, 2005). It is a deliberate software attack that imposes substantial risk on both individual and organizational information security. Its primary means of accessing a system is a user's accidental or careless activation of a virus or a worm from an e-mail or a web site download (Whitman, 2003). Although the use of an anti-spyware program can effectively shield against such an attack, the adoption rate of such software by end users is as low as 10 percent (Lee and Kozar, 2005). Even an installed anti-spyware program can become outdated and lose its effectiveness if its detection database is not regularly updated. One estimate reports that more than half of all security breaches are due to social engineering and end users' careless behavior (Mackenzie, 2006).

These examples suggest that no matter how effective the technical layer of security is, the security posture ultimately depends on appropriate end user behavior. However, information security has traditionally been treated as a technical problem, resulting in information security teams being staffed solely with technicians (Collette and Gentile, 2006). This skewed perspective of information security has resulted in overlooking the human factor, often referred to as the weakest point of the security chain (Angel, 1993). Concerns about this lack of consideration of the human factor in security programs have been raised in academic research (e.g., Bishop et al., 1997, Dhillon and Backhouse, 2000, Lee and Kozar, 2005, Spruit, 1995, Straub, 1990, Straub and Welke, 1998) as well as in field studies (BERR, 2008, Ernst and Young, 2008). Some researchers in IS have studied the human agent issue in the context of information security. For example, drawing upon the criminology theory of general deterrence, Straub (1990) investigated the extent to which the severity and certainty of sanctions could influence computer abuse. Loch and Conger (1996) addressed attitudinal variables and social norms in ethical computer usage behavior. The main focus of these works is on how to deter individual behavior that is counterproductive to information security. The foundational assumption made by this line of research is that human agents have malicious intentions; therefore, an external deterrent, such as punishment, needs to be introduced (Stanton et al., 2005). However, as evidenced above, there are many naïve user behaviors that are not intended but may have detrimental effects on information security. In order to design a more effective security program for this group of users, understanding the factors that promote good end user behavior (i.e., control-enhancing behavior) is important. While there are some research efforts which address deterring bad end user behavior, little work has been done to promote good end user behavior in information security (Stanton et al., 2005, Whitman, 2003).

To address this need, we use social cognitive theory and explore its viability as a framework for understanding the factors influencing end users' control-enhancing behavior. Social cognitive theory is concerned with how perceptions of self-efficacy affect people's motivation and action (Bandura, 1986). Self-efficacy is people's belief in their ability to mobilize the motivation, cognitive resources, and courses of action needed to exercise control over given events (Ozer and Bandura, 1990). The theory appears to be particularly well suited to studying individual behavior in the domain of information security, because self-regulated behavior in the use of information and information systems seems critically important for ensuring information security. Self-efficacy has been argued to be the most focal and pervasive mechanism of human agency that motivates and regulates individual behavior (Bandura and Jourden, 1991).

In this paper, we are particularly interested in exploring (1) the degree to which self-efficacy predicts current security practice behavior (i.e., the use of security technology and security conscious care behavior); (2) the extent to which self-efficacy predicts motivation (i.e., intentions to continue and to strengthen their information security practices); and (3) the extent to which self-efficacy is related to previous relevant experiences and perceived general controllability of information security threats.

Because of the importance of end-user behavior for overall security, understanding the factors influencing control-enhancing behavior could benefit information security professionals, managers, and auditors with an interest in assessing the effectiveness of an information security program. Furthermore, such an understanding helps in designing more focused training programs. This paper also extends the current understanding of self-efficacy into a new domain, information security.

The paper is organized as follows. In the next section, we discuss the concept of self-efficacy in information security. This is followed by a description of the research model and its hypotheses. The research method is then presented, followed by a discussion of the analysis and results. Finally, we discuss our findings and suggest future research and managerial implications.

Section snippets

Self-efficacy in information security

Self-efficacy is an important construct of social cognitive theory. It is a form of self-evaluation which is a proximal determinant of individual behavior (Bandura, 1986). People with a high level of self-efficacy have a stronger self-conviction about their ability to mobilize the motivation, cognitive resources, and courses of action needed to successfully execute a task (Stajkovic and Luthans, 1998). Self-efficacy influences the amount of effort, self-regulation, and the initiation and

Subjects

A total of 415 graduate students majoring in business participated in this study. Respondents completed self-report questionnaires. Participation was voluntary. The sample consisted of 265 males and 150 females. The average age was 30.61 (s.d. = 6.27). They had 13 years of computer experience (s.d. = 4.56) and 8.7 years of Internet experience (s.d. = 2.43).

Some authors have noted potential problems related to the generalizability of findings of a study using student subjects to the real-world

Analysis and results

The research model was tested using partial least squares (PLS). With this method, we first assess the measurement model, including the reliability and discriminant validity of the measures. Then, we fit the structural model to test the hypothesized paths between latent constructs. LVPLS version 1.8 (Lohmoller, 1986) was used to fit the model. The standard errors and t statistics were estimated using a bootstrapping procedure with 1000 resamples.
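The bootstrap step described above, as an added illustration rather than the authors' LVPLS analysis: a single structural path is re-estimated on 1000 resamples of the respondents drawn with replacement, and the spread of those re-estimates gives the standard error and the t statistic. The ten respondents, their scores, the hypothetical self-efficacy to security-practice path with true coefficient 0.6, and the random seed are all constructed assumptions, not values from the paper, and an ordinary least squares slope stands in for the PLS path estimate.

```python
import random
import statistics

# Constructed sample, not the paper's survey data: ten respondents with a
# self-efficacy score (x) and a security practice score (y). The noise term is
# chosen orthogonal to x so the true OLS path coefficient is exactly 0.6.
SELF_EFFICACY = [1.0, 2.0, 3.0, 4.0, 5.0, 6.0, 7.0, 8.0, 9.0, 10.0]
_NOISE = [0.1, -0.1, -0.1, 0.1, 0.0, 0.0, 0.1, -0.1, -0.1, 0.1]
PRACTICE = [0.6 * x + e for x, e in zip(SELF_EFFICACY, _NOISE)]


def path_coefficient(xs, ys):
    """OLS slope of ys on xs, standing in for one PLS structural path.
    Returns None when xs has no variance (a degenerate resample), so the
    caller can redraw instead of dividing by zero."""
    n = len(xs)
    mx = sum(xs) / n
    my = sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0.0:
        return None
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def bootstrap_path(xs, ys, resamples=1000, seed=2009):
    """Nonparametric bootstrap of a path coefficient: resample respondents
    with replacement, refit the path, and use the standard deviation of the
    refitted coefficients as the standard error; t = estimate / SE.
    Also returns a 95% percentile interval from the same resamples."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    n = len(xs)
    estimate = path_coefficient(xs, ys)
    boot = []
    while len(boot) < resamples:
        idx = [rng.randrange(n) for _ in range(n)]
        b = path_coefficient([xs[i] for i in idx], [ys[i] for i in idx])
        if b is None:  # all-identical draw: redraw rather than skew the SE
            continue
        boot.append(b)
    se = statistics.stdev(boot)
    ordered = sorted(boot)
    lo = ordered[int(0.025 * resamples)]
    hi = ordered[int(0.975 * resamples) - 1]
    return {
        "estimate": estimate,
        "se": se,
        "t": estimate / se,
        "ci95": (lo, hi),
        "resamples": len(boot),
    }


if __name__ == "__main__":
    r = bootstrap_path(SELF_EFFICACY, PRACTICE)
    print(f"path = {r['estimate']:.3f}, bootstrap SE = {r['se']:.4f}, "
          f"t = {r['t']:.1f}, 95% CI = ({r['ci95'][0]:.3f}, {r['ci95'][1]:.3f})")
```

The percentile interval is the simplest bootstrap interval; for a real PLS model each latent-variable path would be refitted on every resample in the same way, which is what makes the bootstrap SE honest about the small-sample instability of a single path estimate.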

Discussion

Drawing upon social cognitive theory, this study extended the concept of self-efficacy in the context of information security and attempted to empirically test the influence of SEIS on users' current information security risk management behavior and their intention to strengthen security efforts. We also studied variables influencing the formation of self-efficacy in information security.

The findings of this study provide support for the research model. Individuals with high SEIS used more

Conclusions

This study has attempted to understand the factors influencing individuals' information security promoting behavior. Our results demonstrate that self-efficacy in information security does have substantial explanatory power regarding individuals' information security practice behavior both in terms of technology use and security conscious care behavior. Moreover, SEIS also influences the intention to continue individuals' security efforts. The weakness in user practice poses a bigger threat to

References (68)

  • A. Bandura. Social foundations of thoughts and action: a social cognitive theory (1986)
  • A. Bandura. Self-efficacy: the exercise of control (1997)
  • A. Bandura et al. Self-regulatory mechanisms governing the impact of social comparison on complex decision making. Journal of Personality and Social Psychology (1991)
  • BERR. 2008 Information security breaches survey (2008)
  • M. Bishop et al. The threat from the net. IEEE Spectrum (1997)
  • W. Chin. The partial least squares approach for structural equation modeling
  • W. Chin. Partial least squares for researchers: an overview and presentation of recent advances using the PLS approach
  • R. Collette et al. The security architect: bridging the gap between business, technology and security. The Information Systems Security Association Journal (April 2006)
  • D.R. Compeau et al. Computer self-efficacy: development of a measure and initial test. MIS Quarterly (1995)
  • D. Compeau et al. Computer self-efficacy: a review
  • F.D. Davis et al. User acceptance of computer technology: a comparison of two theoretical models. Management Science (1989)
  • G. Dhillon et al. Information system security management in the new millennium. Communications of the ACM (2000)
  • M.S. Eastin et al. Internet self-efficacy and the psychology of the digital divide. Journal of Computer Mediated Communications (2000)
  • P.S. Ellen et al. Resistance to technological innovations: an examination of the role of self-efficacy and performance satisfaction. Journal of the Academy of Marketing Science (1991)
  • Ernst & Young. Moving beyond compliance: Ernst & Young's 2008 global information security survey (2008)
  • V. Gecas. The social psychology of self-efficacy. Annual Review of Sociology (1989)
  • M.E. Gist. Self-efficacy: implications for organizational behavior and human resource management. Academy of Management Review (1987)
  • M.E. Gist. Self-efficacy: a theoretical analysis of its determinants and malleability. Academy of Management Review (1992)
  • M.E. Gist et al. Effects of alternative training methods on self-efficacy and performance in computer software training. Journal of Applied Psychology (1989)
  • P. Gurin et al. Change in self in adulthood: the example of sense of control
  • J.F. Hair et al. Multivariate data analysis (1998)
  • A.W. Harrison et al. The influence of individual differences on skill in end-user computing. Journal of Management Information Systems (1992)
  • J.W. Henry et al. A structural equation model of end-user satisfaction with a computer-based medical information system. Information Resources Management Journal (1994)
  • C.T. Hughes et al. Students as surrogates for managers in a decision-making environment: an experimental study. Journal of Management Information Systems (1991)
Hyeun-Suk Rhee is the Director of the United Nations Asian and Pacific Training Centre for Information and Communication Technology for Development (UN-APCICT). Prior to UN-APCICT, she served as a professor at two major universities in the United States of America: Georgia Tech and the University of Texas at Dallas. She also served as Chief at the Information Technology Centre for Africa (ITCA). She received her PhD from The Ohio State University, where she also received several awards including the 1991 President Citation and Teaching Excellence Award. She has published over 30 research articles in various internationally recognized journals and has made presentations at conferences in the ICT field. She has served as a chair for a number of national and international conferences.

Cheongtag Kim is a Professor of Psychology and Cognitive Science at Seoul National University. He received a B.A. in psychology and an M.A. in psycholinguistics from Seoul National University, and a Ph.D. in quantitative psychology from The Ohio State University. He began his academic career at Seoul National University in 1998 as an Assistant Professor and was promoted to Associate Professor in 2003 and Full Professor in 2008. He was the department chair from 2004 to 2006 and the director of the Psychological Institute at Seoul National University from 2006 to 2007. He is the author of more than 30 publications on decision making, psychometrics, and mathematical modeling of cognition in Psychological Methods, Journal of Personality and Social Psychology, Multivariate Behavioral Research, and several Korean journals. His main interests are structural equation models, multilevel models, and test development.

Young U. Ryu is Associate Professor of Information Systems at the School of Management, The University of Texas at Dallas. He holds a Ph.D. degree in Management Science and Information Systems from the McCombs Graduate School of Business, The University of Texas at Austin. He has studied applications of data mining and artificial intelligence technologies and decision science methods to the modeling and analysis of information systems. He currently works on data separation as information classification and machine learning, computer security, and social network analysis.