Introduction
In 2021 alone, there were 5,258 confirmed data breaches in organizations from 88 countries (Verizon, 2021, p. 4). In this context, a breach is any “incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party” (p. 4). Data breaches, and the financial and reputational losses associated with them, have forced organizations to pay more attention to the security of their information systems (Khando et al., 2021). Many such breaches are caused by employees. In January 2021, for instance, a group of lawyers working inside the law firm Elliott Greenleaf stole sensitive files, including client data, for personal gain and to help a competing law firm open a new office. This led to the closure of Elliott Greenleaf’s office and severe reputational harm (Ekran System, 2023; Liolis, 2022). In July 2020, phishing attacks targeting Twitter employees gave attackers access to internal account-management tools and led to the transfer of about $180,000 in Bitcoin to scam accounts. High-profile accounts with millions of followers were hijacked, including those of Elon Musk, Apple, Jeff Bezos, and Bill Gates (Ekran System, 2023).
Information system security (ISS) breaches can have both technical and nontechnical causes, each with its own preventive measures (Dong et al., 2021). Technical controls include authentication and detection, antimalware, antispyware, and firewalls, but these alone are insufficient to ensure security (Alassaf & Alkhalifah, 2021). Nontechnical measures that take human behavior into account are therefore needed to promote information security policy (ISP) compliance (Almomani et al., 2021; Dong et al., 2021). Although the terms cybersecurity and information security (IS) are sometimes used interchangeably, they are distinct concepts. IS is concerned with safeguarding the confidentiality, integrity, and availability of information and with managing its loss (Greene et al., 2021). Cybersecurity is broader, covering the security of information, technology, processes, and people (Kovacevic et al., 2020). Organizations therefore need to create a safe environment in both respects (Antunes et al., 2022).
Attackers compromise system security by exploiting weak points, often by targeting the behavior of management and employees (Huang et al., 2021). The human factor and unsafe user behavior, such as sharing usernames and passwords or opening insecure links, are the most common contributors to data breaches (Almuqrin et al., 2023; Kovacevic et al., 2020). Employees are thus the weakest point in an organization’s data security and are involved in a large share of breaches (58%), 33% of which result from noncompliance with information security policies and procedures (ISPP; Alassaf & Alkhalifah, 2021). Despite this, organizations typically focus more on the technical aspects of IS than on employee behavior (Khando et al., 2021).
Beyond the direct damage of a breach, ensuring ISPP compliance poses major challenges for organizations (Hwang & Um, 2021; Khando et al., 2021). One is that organizations must work hard to instill high expectations for ISPP compliance. Another is the shortage of skilled staff inside the organization who can conduct security training. Moreover, some board members are unwilling to fund improvements in IS compliance. A further challenge is the lack of best-practice guidelines that keep pace with continuously changing IS threats. It is therefore vital for organizations to raise awareness among employees, improve their IS behavior, and motivate them to comply with the ISP (Alassaf & Alkhalifah, 2021; Carmi & Bouhnik, 2020; Chen et al., 2022; Dong et al., 2021; Hina et al., 2019; Huang et al., 2021).