Risk homeostasis and security fatigue: a case study of data specialists

Information and Computer Security (IF 1.6, Q3, Computer Science, Information Systems). Published: 2023-02-09. DOI: 10.1108/ics-11-2022-0172
Anusha Bhana, Jacques Ophoff
Citations: 0

Abstract

Purpose
Organisations use a variety of technical, formal and informal security controls but also rely on employees to safeguard information assets. This relies heavily on compliance and constantly challenges employees to manage security-related risks. The purpose of this research is to explore the homeostatic mechanism proposed by risk homeostasis theory (RHT), as well as security fatigue, in an organisational context.

Design/methodology/approach
A case study approach was used to investigate the topic, focusing on data specialists who regularly work with sensitive information assets. Primary data was collected through semi-structured interviews with 12 data specialists in a large financial services company.

Findings
A thematic analysis of the data revealed risk perceptions, behavioural adjustments and indicators of security fatigue. The findings provide examples of how these concepts manifest in practice and confirm the relevance of RHT in the security domain.

Originality/value
This research illuminates homeostatic mechanisms in an organisational security context. It also illustrates links with security fatigue and how this could further impact risk. Examples and indicators of security fatigue can assist organisations with risk management, creating “employee-friendly” policies and procedures, choosing appropriate technical security solutions and tailoring security education, training and awareness activities.
Source journal

Information and Computer Security (Computer Science, Information Systems)
CiteScore: 4.60
Self-citation rate: 7.10%
Articles published: 23

Journal description: Information and Computer Security (ICS) contributes to the advance of knowledge directly related to the theory and practice of the management and security of information and information systems. It publishes research and case study papers relating to new technologies, methodological developments, empirical studies and practical applications. The journal welcomes papers addressing research and case studies in relation to many aspects of information and computer security. Topics of interest include, but are not limited to, the following: information security management, standards and policies; security governance and compliance; risk assessment and modelling; security awareness, education and culture; user perceptions and understanding of security; misuse and abuse of computer systems; user-facing security technologies; Internet security and privacy. The journal is particularly interested in receiving submissions that consider the business and organisational aspects of security, and welcomes papers from both human and technical perspectives on the topic. However, please note we do not look to solicit papers relating to the underlying mechanisms and functions of security methods such as cryptography (although relevant applications of the technology may be considered).