Article Preview
Top1. Introduction
The diffusion of the Internet has boosted cyber-based operations for private and public organizations across the world. Internet-adopting organizations entrust workers to use the tool to perform work-related tasks; however, employees often deviate from organizational rules on prescribed cybersecurity practices and measures (Farshadkhah et al., 2021; Ogbanufe, 2021; Hamidi & Moradi, 2017; The ePolicy Institute, 2017; Ifinedo, 2019; Wang et al., 2020). Organizations that use the Internet for operations, including storing customer data, employee information, and financial records, as well as transmitting data and information to clients and partners, must accept that they share in its increased vulnerability because security incidents and breaches do occur (Anderson & Agarwal, 2010; CyberEdge Group Report, 2020). Unfortunately, the aftermath of security incidents can be devastating for affected organizations (Optimum Security, 2021).
Security incidents with origins in global networks, including the Internet, are indeed pervasive. A survey of 1,200 information systems (IS) security professionals based in 17 countries revealed that 76.7% of participants admitted their organizations experienced one or more successful cyber attacks in 2019, and 81.7% of them predicted that at least one incident would occur in 2020 (CyberEdge Group Report, 2020). Threats to organizational IS, including the Internet, emanate from internal and external sources (Blue Coat Systems Inc., 2015; Ponemon Institute, 2012; Verizon Business Systems, 2019). According to Verizon Business Systems’ (2019) report of 41,686 security incidents in private and public organizations worldwide, 34% of such attacks involved an insider.
Insiders are current employees, part-time workers, former employees, and other business associates who have—or have had—access to an organization's IS resources in the course of performing their work responsibilities (Burns et al., 2018). A report published by the Ponemon Institute (2020) identified three primary insider-threat profiles: employee or contractor negligence, criminal and malicious insiders, and credential theft or imposter risk. The report notes that the global average cost of an insider threat is USD 11.45 million across the three primary insider threat profiles. Furthermore, the percentage of incidents caused by employee or contractor negligence, criminal and malicious insiders, and imposter risk is 63%, 23%, and 14%, respectively (Ponemon Institute, 2020). The high percentage of incidents attributable to employees or contractors suggests a need to focus on their security practices and behaviors.
This study focuses on negligent employees who participate in unsafe or unhygienic cyber practices, such as downloading unauthorized software from the Internet onto work computers and logging into the Internet via unsecured WIFI networks. A recent cybersecurity report on some African countries (KNOWBE4, 2019, p. 6) notes, “more than a quarter of respondents connected their devices to the internet using a free Wi-Fi connection in a public space.” Although these actions seem harmless, they can be exploited by cybercriminals, who may leverage such lapses to harm an organization’s digital resources. Cyber hygiene practices are the precautions and steps users of online digital tools take to maintain, safeguard, and secure data resources from intrusions and external attacks (McAfee.com, 2020; National Cyber Security Alliance 2007, 2020). Here, the term ‘cyber hygiene practices’ refers to the acceptable or favorable notion of the phenomenon, while the term unhygienic cyber practices (UCP) connotes unfavorable and ill-advised acts.