Coping Behavior for Information Security Threats: An Empirical Study in the Context of Cloud Computing
  • English title: Coping Behavior of IT Threat: An Empirical Study in Context of Cloud Computing
  • Authors: 王念新; 施慧; 王志英; 葛世伦
  • Authors (English): WANG Nianxin; SHI Hui; WANG Zhiying; GE Shilun; School of Economics and Management, Jiangsu University of Science and Technology
  • Keywords: information security risk; security behavior; technology threat avoidance theory; cloud computing
  • Chinese journal title: XTGL
  • English journal title: Journal of Systems & Management
  • Institution: School of Economics and Management, Jiangsu University of Science and Technology
  • Publication date: 2018-08-09 11:57
  • Publisher: 系统管理学报 (Journal of Systems & Management)
  • Year: 2018
  • Issue: v.27
  • Funding: National Science and Technology Support Program of China (2015BAF21B01-JKD); National Natural Science Foundation of China (71331003, 71471079, 71471080); Jiangsu Universities Qing Lan Project
  • Language: Chinese
  • Page: XTGL201804010
  • Number of pages: 11
  • CN: 04
  • ISSN: 31-1977/N
  • Classification number: 86-96
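Abstract
To explain the "inaction" phenomenon of users facing information security threats, a research model based on technology threat avoidance theory is constructed in which information security risks (confidentiality, integrity, and availability) influence users' information security coping behaviors (problem-focused coping and emotion-focused coping) through perceived threat (perceived susceptibility, perceived severity, and perceived avoidability). Using cloud computing as the empirical context, structural equation modeling is applied to analyze and fit questionnaire data from 489 enterprise employees. The results show that, when facing information security threats, users tend to adopt emotion-focused coping rather than purely problem-focused coping. The study also finds that users adopt different security behaviors at different levels of perceived avoidability: when perceived avoidability is high, the higher the perceived susceptibility and perceived severity, the more users adopt emotion-focused coping; when perceived avoidability is low, the higher the perceived susceptibility and perceived severity, the more users tend to adopt both problem-focused and emotion-focused coping.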
In order to explore the "non-action" phenomenon of users who face IT threat, a research model is constructed based on the technology threat avoidance theory (TTAT), which shows that information security risks (confidentiality risk, integrity risk, and availability risk) influence users' coping behavior (problem-focused coping (PFC) and emotion-focused coping (EFC)) through perceived threats (perceived susceptibility, perceived severity, and perceived avoidability). The theoretical model is empirically tested using the data obtained from the survey of 489 employees in the context of cloud computing. The results indicate that users tend to adopt PFC, besides EFC, when they face IT threat. Users adopt different security behaviors when they perceive avoidability. When the perceived avoidability is high, as the perceived susceptibility and perceived severity increase, it is more likely for the users to adopt EFC. When the perceived avoidability is low, as the perceived susceptibility and perceived severity increase, it is more likely for the users to adopt both EFC and PFC.