Information Management & Computer Security

Towards privacy in personal data management : Table of Contents

Pavlos S. Efraimidis, Georgios Drosatos, Fotis Nalbadis, Aimilia Tasidou — Mon Oct 05 11:22:02 BST 2009

Abstract:
Purpose – In order to enhance privacy protection during electronic transactions, the purpose of this paper is to propose, develop, and evaluate a personal data management framework called Polis that abides by the following principle: every individual has absolute control over his/her personal data that reside only at his/her own side. Design/methodology/approach – This paper identifies representative electronic transactions that involve personal data and proposes Polis-based protocols for them. The approach is evaluated on a Polis prototype both as a stand-alone application and as part of a commercial database management system. Findings – The results of this paper indicate that electronic transactions can remain both feasible and straightforward, while personal data remain only at the owner's side. Research limitations/implications – This paper describes a Polis-approach implementing prototype, which is easy to deploy and friendly to current information management technologies. However, the usability of the prototype has to be enhanced with supporting tools for editing personal data and policies and a more intuitive user interface. Finally, the Polis-platform enables a new class of user-centered distributed applications, which it intends to investigate. Practical implications – Even though the conditions for a personal data management approach like Polis are mature, and Polis can be progressively adopted, it still entails a major change in current business practices. Originality/value – This paper proposes a new paradigm for the management of personal data, which admits individuals to have their personal data stored only at their own side. The new approach can be of mutual benefit to both individuals and companies.

How perceptions of justice affect security attitudes: suggestions for practitioners and researchers : Table of Contents

Michael Workman — Mon Oct 05 11:22:02 BST 2009

Abstract:
Purpose – Surveillance is seen as an important tool to prevent security breaches and may improve prosecutorial ability, but employees may engage in subtitle counterproductive behaviors in protest. This poses significant risks and costs to employers. The purpose of this paper is to summarize the results of a previous field study of the influences from justice perceptions as mitigation and prescribe some methods for addressing the issues that are raised. Design/methodology/approach – Drawing from protection motivation theory, the psychological contract, and the systems of organizational justice, a threat control model about surveillance attitudes is field-tested in a randomized design. Findings – Trust and perceptions of justice mediated attitudes about surveillance practices; and threat severity and efficacy of surveillance in maintaining security moderated attitudes about corporate surveillance are founded. Originality/value – The paper illustrates the theoretical linkages between surveillance practices and employee counterproductive behaviors. Grounded in these findings, an explanation for how security managers might balance the simultaneous demands for security while maintaining an effective workforce is presented.

A canonical analysis of intentional information security breaches by insiders : Table of Contents

Jordan Shropshire — Mon Oct 05 11:22:02 BST 2009

Abstract:
Purpose – The paper focuses on intentional information security breaches by insiders. The purpose is to assess the relationship between insiders' backgrounds and motivations and their deviant behaviors. Two outcome variables, information technology (IT) espionage and IT sabotage, are correlated with four predictors, financial changes, relationship strains, substance abuse, and job changes. Design/methodology/approach – Some 62 cases of intentional information security breaches by insiders are examined using canonical analysis. Findings – The results indicate that a significant relationship exists between financial hardship, relationship strains, and the theft and sale of proprietary data by insiders; and recent firings, substance abuse, and relationship strains are related to information system sabotage. Research limitations/implications – Because little or no research has been conducted on this topic, there is a lack of validated measures for variables associated with information security. Thus, the measures used in this paper are necessarily simplistic. Because few organizations report information security weaknesses, the sample is relatively small. Practical implications – In the majority of cases included in this paper, it is found that the insider convey a number of warning signs before committing the security breach. After reading this paper, diligent managers should be able to identify potential security breaches. Originality/value – This is one of the first studies to explore insider security breaches using canonical analysis.

Impact of perceived technical protection on security behaviors : Table of Contents

Jie Zhang, Brian J. Reithel, Han Li — Mon Oct 05 11:22:02 BST 2009

Abstract:
Purpose – The purpose of this paper based on compensation theory, is to incorporate perceived technical security protection into the theory of planned behavior and examined factors affecting end-user security behaviors, specifically, compliance with security policies. Design/methodology/approach – An online survey is conducted to validate the proposed research model. The survey is sent out to an industrial panel. A total of 176 usable responses are received and used in the data analysis. Findings – The results show that both perceived behavioral control (PBC) and attitude have significant impact on intention to comply with security policy. Perceived technical protection affects behavioral intentions both indirectly, through PBC, and directly. The negative direct effect (i.e. perceived high technical protection leads to low intention to comply with security policy) suggests possible risk compensation effects in the information security context. Practical implications – This result should be of interest to practitioners. In practice (e.g. during security training), the power and capability of technical protection mechanisms should not be exaggerated. Instead, its limitations and drawbacks should be emphasized, so that end-users will adopt more cautious security practices and adhere to the requirements of the organization's security policies. Originality/value – This paper embeds risk compensation theory within the security policy compliance context and offers a useful starting point for further empirical examination of this theory in information security context.