ITR: Behavioral Information Security: The Politics, Motivation, and Ethics of Information Security in Work Organizations
Syracuse University, Syracuse NY
Investigators
Abstract
Many technical solutions to information security only function well when operationalized effectively by individuals and groups of people. The present proposal addresses this constraint by focusing on "behavioral information security," defined as the complexes of human action within organizations that influence the availability, confidentiality, and integrity of information systems. By harnessing theories from the social and organizational sciences, this approach attempts to advance the understanding of the nature and antecedents of security-related behavior in organizations. Prior research by these investigators has revealed that conflicting organizational subcultures, inappropriate organizational incentives, communication barriers, and disconcerted ethical standards for behavior each interfere with the effective enactment of information security in organizations. The proposed research will build on this completed and in-progress work to develop a theoretical framework for behavioral information security in organizations. The framework will explicitly address the tension between organizations' interests in controlling behavior and individuals' rights (e.g., self-determination, speech, privacy). The project will observe and document security-related behavior in organizations, using a multiple case study approach. Team members will conduct a series of onsite interviews and job observations with workers, managers, and information technology professionals at ten to twenty organizations with operations in the research team's regional area, including small and large organizations, for-profit and non-profit organizations, and possibly a governmental organization. The team will identify and analyze the specific social configurations, power dynamics, learning opportunities, freedom of action, and personal characteristics that influence how workers decide to comply with, resist, or improve upon prescribed information security behavior.
Compilation, transcription, and analysis of interview and observational data will lead to the development and testing of a preliminary theoretical framework. Investigators will disseminate project results through conferences, scholarly journal submissions, and brief practitioner articles and through the development of a project website. At the close of the project, they will compile a data archive for use by other scholars that includes de-identified versions of all transcriptions. Additionally, the project intends to work with the trade press on behavioral approaches to information security. This project has the potential to enhance the effectiveness of information security practices in critical infrastructure organizations such as hospitals and utilities. Because the cost of information security continues to rise in many industries, it also has potential economic benefits in many sectors. Simultaneously, however, by attending to the concerns of workers, the results may help organizations to avoid infringing upon or diminishing individual workers' rights.