Protecting information from a wide variety of security threats is an important and sometimes daunting organizational activity. Instead of relying solely on technological advancements to help solve human problems, managers within firms must recognize and understand the roles that organizational insiders have in the protection of information (Choobineh et al. 2007; Vroom et al. 2004). The systematic study of human influences on organizational information security is termed behavioral information security (Fagnot 2008; Stanton et al. 2006b), and it affirms that the protection of organizational information assets is best achieved when the detrimental behaviors of organizational insiders are effectively deterred and the beneficial activities of these individuals are appropriately encouraged. Relative to the former, the latter facet has received little attention in the academic literature.
Given this opportunity, this research explicitly focuses upon protective behaviors that help promote the protection of organizational information resources. These behaviors are termed protection-motivated behaviors (PMBs). PMBs are defined as the volitional behaviors organizational insiders can enact that protect (1) organizationally relevant information within their firms and (2) the computer-based information systems in which that information is stored, collected, disseminated, and/or manipulated from information-security threats. This paper focuses upon the development of a formal typology of PMBs as viewed by organizational insiders. Data are obtained from 33 interviews and several end-user surveys, which are then utilized by the complementary classification techniques of Multidimensional Scaling (MDS), Property Fitting (ProFit) analysis, and cluster analysis. Sixty-seven individual PMBs were discovered, and the above classification techniques uncovered a three-dimensional perceptual space common among organizational insiders regarding PMBs.
This space verifies that insiders differentiate PMBs according to whether the behaviors (1) require a minor or continual level of improvements within organizations, (2) are widely or narrowly standardized and applied throughout various organizations, and (3) are a reasonable or unreasonable request of organizations to make of their insiders. Fourteen unique clusters were also discovered during this process; this finding further assists information security researchers and practitioners in their understanding of how organizational insiders perceive the behaviors that help protect information assets.