Employees' Information Security Awareness and Behavioural Intentions in Higher Education Institutions in Oman

Al-Mahri, Mohammed (2018) Employees' Information Security Awareness and Behavioural Intentions in Higher Education Institutions in Oman. Doctoral thesis, Northumbria University.

[img]
Preview
Text (Doctoral thesis)
Al-Mahri.Mohammed_phd.pdf - Submitted Version

Download (5MB) | Preview

Abstract

Organisations throughout the world face threats to the security of their information. In most organisations these threats are thought to be a consequence of employees’ lack of knowledge of information security, security behaviours and/or understanding of the possible detriments to their organisation of not complying with their organisation’s information security policy (ISP). Therefore, empirical research is needed to explore the main threats to information security and the factors that influence how employees intend to behave in relation to information security policies.

The main aims of this research were to investigate employees’ ISP compliance behaviour intentions and to explore the organisational and human factors that influence this. Consequently, this research conducted four studies to explore the views of both those responsible for information security (IT staff and system administrators) and non-security employees from a range of higher education institutions in the Sultanate of Oman.

First, interviews were conducted with eight IT staff and system administrators from Omani universities and colleges to explore the common, current information security threats, organisational information security processes and their perceptions of employee information security behaviour in general, and their compliance with ISPs in particular. The findings of this study showed the weaknesses in information security in different organisations and IT staff suggested that employees may not be aware of information security and do not comply with their organisation’s ISP. The reported perceptions of IT and staff system administrators were used to design a survey of employee knowledge, awareness and behaviour intentions which was used in the second study.

The second study used a questionnaire-based survey which was designed from the knowledge gained form the first study, a review of the relevant literature and actual ISPs in use at the organisations involved in the study. Data from 503 employees from multiple higher education institutions was analysed. The survey comprised three parts: (i) demographic questions, (ii) 14 information security scenario questions designed to elicit employee behaviour intentions and (iii) some of the factors influencing their behaviour (underpinned by current theories in psychology). The results show that employees’ behaviour intentions vary according to the information security scenario they experience and that the biggest influences on their behaviour are perceived to be trust and authority.

The third study involved 17 IT staff and system administrators from six higher education institutions. Using the same questionnaire from the second study plus qualitative questions, the aim of this third study was to understand what behaviours were seen by IT staff and system administrators as most important and what non-ISP-compliant behaviours they would, nevertheless, also deem to be acceptable. The results highlight the relationship between the behaviours that IT staff rate as important, and whether or not staff intend to adopt that behaviour.

The fourth study used four focus groups (n= 21) from one higher education institution to further explore why employees may not intend to comply with the organisation’s ISP and to explore the factors that influence these non-compliance intentions. The focus groups also explored the employees’ recommendations for improving organisational information security management. The finding of this study revealed some recommendations for developing information security organisation management and the motivators and barriers that influence employees’ security behaviours.

Finally, the results of the four studies were analysed together and it was found that staff consider that communicating the information security policy, ongoing information security risk assessment, ongoing awareness and training, management support and commitment and good communication are important factors in information security compliance intentions. Secondly, it was found that the way organisations manage information security, and human factors in particular (mostly to do with trust and authority), is most important in maximising compliance intentions. Recommendations were provided to improve organisational information security management and to encourage employees to comply with ISPs.

Item Type: Thesis (Doctoral)
Subjects: G400 Computer Science
Department: Faculties > Engineering and Environment > Computer and Information Sciences
University Services > Graduate School > Doctor of Philosophy
Depositing User: Paul Burns
Date Deposited: 03 Jun 2019 15:24
Last Modified: 26 Oct 2019 08:34
URI: http://nrl.northumbria.ac.uk/id/eprint/39454

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics