Factors Influencing Security Incidents on Personal Computing Devices

Barbara Hewitt (Texas State University, San Marcos, USA) and Garry White (Texas State University, San Marcos, USA)
Copyright: © 2021 | Pages: 24
DOI: 10.4018/JOEUC.20210701.oa9

Abstract

Organizations expect their employees to connect securely to the organization's computer systems. Often these employees use their personal computers to access the organization's networks. This research explores whether these same employees apply protective security measures to their personal computers. Perhaps these employees behave riskily based on their optimistic bias. Results indicate that while cyber optimistic bias and perceived vulnerability influence individuals to apply more protective security measures, the users still experienced security incidents. Thus, organizations are vulnerable to cyber-attacks if they allow employees to use personal computers to access these databases.

Introduction

Organizations spent over $73.7 billion protecting their computer systems in 2016 to avoid becoming victims of security breaches, with predictions that the number will increase to over $170 billion by 2020 (Freeman, 2017). Regardless of the vast amounts of money an organization spends, hackers circumvent security measures when users fail to exercise good security practices by responding to phishing emails that harvest personally identifiable information including passwords, visiting untrusted websites, downloading malicious software such as key loggers, or failing to create strong passwords or to apply updates, security patches, and virus protection software (Goel, Williams, & Dincelli, 2017; Thomas, 2004). For example, Anthem released over 83 million patient insurance records after five employees, including the database administrator, inadvertently responded to a phishing attack and provided their login credentials to the attackers (Huson & Hewitt, 2016; Ragan, 2015).

Many organizations allowed their employees to use personal phones (95%), tablets (67%), and laptops (93%), with slightly more than half of the devices being issued by the organization (51%, 30%, and 63% respectively) (M. A. Harris & Patten, 2015). While these organizations can enforce policies and security measures on the business-owned devices, it is much harder to enforce these measures on the individual’s personal devices. Over a third (35%) of the cell phone users installed third-party apps, 31% of cell phone users and 52% of laptop users stored authentication credentials in apps, and 13% of cell phone users’ and 5% of laptop users’ devices were lost or stolen.

Thus, organizations must improve their users’ security practices since these users are often the weakest link (Ayyagari, 2012; Bulgurcu, Cavusoglu, & Benbasat, 2010; Kirkpatrick, 2006; Lee, Lee, & Yoo, 2004; Mitnick, Simon, & Wozniak, 2006; Rezgui & Marks, 2008). Sometimes, attacks occur when users access their organizations’ systems, databases, and confidential documents using their home computers as opposed to their work computers (Furnell, Bryant, & Phippen, 2007). Organizations must ensure users comply with information security (IS) policies to minimize incidents since roughly 70% of employees know where to find their corporate security policies and only 64% read the policy (Da Veiga, 2016). Major threats to security include employees who do not comply with policies either because they are careless (Siponen, Mahmood, & Pahnila, 2014; Siponen, Pahnila, & Mahmood, 2007) or are unaware of how to securely access the organization’s systems. To improve users' compliance, IS managers have implemented IS awareness programs (Bauer, Bernroider, & Chudzikowski, 2017).

To prevent data breaches, organizations should increase the IS awareness of their employees. Subsequently, organizations attempt to increase their employees’ security awareness through training and educational courses (Dodge, Carver, & Ferguson, 2007; He, Ash, et al., 2019; Schultz, 2012) in the hopes of motivating these employees to safeguard their passwords as well as the organization’s computer systems and databases (Gage, 1996; Grau, 1984; Siponen, 2000). Several studies explored whether training and education influence security behavior rather than determining whether they decrease the number of security incidents one experiences (Britt, 2008; Caldwell, 2016; Pollitt, 2005; Puhakainen & Siponen, 2010; Sherizen, 1984; Siponen, 2000).

However, security training and awareness programs only affect an employee's knowledge, behavior, and awareness for a short time (Hagen & Albrechtsen, 2009). White (2012, 2015) found those with more security education still reported experiencing security incidents.
