Employee Information Security Practices: A Framework and Research Agenda

Eli Hustad (University of Agder, Kristiansand, Norway), Frode Mathias Bekkevik (EVRY Consulting, Fornebu, Norway), Ole Reidar Holm (Bekk Consulting, Oslo, Norway) and Polyxeni Vassilakopoulou (University of Agder, Kristiansand, Norway)
Copyright: © 2020 | Pages: 14
DOI: 10.4018/IJESMA.2020040101


Employee information security practices are pivotal to prevent, detect, and respond to security incidents. This article synthesizes insights from research on challenges related to employee information security practices and on measures to address them. The challenges identified are associated with idiosyncratic aspects of communities and individuals within organizations (culture and personal characteristics) and with systemic aspects of organizations (procedural and structural arrangements). The measures identified aim to enhance systemic capabilities and to adapt security mechanisms to the idiosyncratic characteristics; they are categorized as: (a) measures of training and awareness; (b) measures of organizational support; and (c) measures of rewards and penalties. Further research is needed to explore the dynamics of how challenges emerge, develop, and get addressed over time, and to explore the interplay between systemic and idiosyncratic aspects. Additionally, research is needed on the role of security managers and how it can be reconfigured to suit flatter organizations.
Article Preview

Research Method

The identification and analysis of the literature to be reviewed was based on the approach proposed by Webster et al. (2002). Specific keywords were used to identify articles, along with a set of inclusion/exclusion criteria to ensure the quality and relevance of the selected papers. The review process followed the guidelines suggested by Kitchenham (Kitchenham, 2004, 2009), which comprise three phases: (1) planning (e.g., identifying the need for a literature search on organizational security risks and developing a procedure for conducting the study), (2) implementing (identifying previous research, selecting the main studies, undertaking quality assurance of the studies, collecting and monitoring the data, and synthesizing the data), and (3) reporting the results. The literature search was performed in Scopus and was confined to primary studies (not literature reviews) that include empirical data (not solely conceptual papers). The search strings used consist of combinations of the main theme (information security) with synonyms and secondary search terms directly linked to the research questions (Table 1).

Table 1. Inclusion and exclusion criteria and search query

Inclusion criteria: Peer-reviewed, English, published in 2007 or later, empirical studies.

Exclusion criteria: Exclude literature review studies; exclude studies on specific themes not related to the research questions (e.g., technological aspects such as cryptography, security in mobile applications, RFID).

Search query:
PART A: “information security policy” OR “data security policy” OR “information security awareness” OR “data security awareness” OR “information privacy policy” OR “data privacy policy”
PART B: compliance OR conformance OR attitude* OR culture
PART C: employee* OR person* OR human resources OR user*
