You are here: Home Contents V9 N2 V9N2_Bachlechner.html
Personal tools

Mitigating the Risk Employees Pose to Information Security: Findings of a Series of Interviews with Information Security Professionals



Full text

Journal of Information Systems Security
Volume 9, Number 2 (2913)
Pages 2962
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Daniel Bachlechner — University of Innsbruck, Austria
Ronald Maier — University of Innsbruck, Austria
Frank Innerhofer-Oberperfler — University of Innsbruck, Austria
Information Institute Publishing, Washington DC, USA




Advances in technology together with changes in work practices make an ongoing adaptation of information security measures necessary. Appropriate technical and operational measures are in place in most organizations by now and thoroughly discussed in scholarly literature. However, so far, no comprehensive theories have been proposed concerning the risk employees pose to information security in general and the factors affecting this risk in particular. In order to better understand the risk employees pose to the security of information assets and to help organizations address the factors affecting it, we conducted a series of interviews with information security professionals. The results of a qualitative content analysis of these interviews suggest that besides explicit awareness-raising activities also trainings and the provision of security policies and guidelines affect the risk employees pose to information security. According to our results, the risk is also affected by the organization of the security team and the general management’s commitment. Besides discussing factors affecting the risk employees pose to information security, this work also provides insight into approaches selected by organizations to mitigate this risk. 




Information Security, Cause-Effect Model, Employee Risk, Risk Mitigation Approaches, Qualitative Content Analysis, Theory of Planned Behavior




A-SIT (2007) Austrian Information Security Handbook.Adams A and Sasse MA (1999) Users Are Not the Enemy. In Communications of the ACM 42(12), 41–46. 

Ajzen I (1985) From Intentions to Actions: A Theory of Planned Behavior. In Action Control: From Cognition to Behavior (Kuhl J and Beckmann J, Eds.), 11–39, Springer, Heidelberg. 

Ajzen I (1991) The Theory of Planned Behavior. In Organizational Behavior and Human Decision Processes 50(2), 179–211. 

Albrechtsen E (2007) A Qualitative Study of Users’ View on Information Security. In Computers & Security 26(4), 276–289. 

Arce I and Levy E (2003) The Weakest Link Revisited. In IEEE Security & Privacy 1(2), 72–76. 

Armitage CJ and Conner M (2001) Efficacy of the Theory of Planned Behaviour: A Meta-Analytic Review. In British Journal of Social Psychology 40, 71– 499. 

BBC News (2010) Stolen Laptop Held Customer Data, Admits Yorkshire,, August 31, 2010. 

Computerworld (2010) Researchers up Ante, Create Exploits for IE7, IE8,, April 6, 2011. 

Crossler RE and Bélanger F (2009) The Effects of Security Education Training and Awareness Programs and Individual Characteristics on End User Security Tool Usage. In Journal of Information System Security 5(3), 3–22. 

D’Arcy J and Hovav A (2007) Towards a Best Fit between Organizational Security Countermeasures and Information Systems Misuse Behaviors. In Journal of Information System Security 3(2), 3–30. 

De Keeuw K (2007) Introduction. In The History of Information Security: A Comprehensive Handbook (de Leeuw K and Bergstra J, Eds.), 1–25, Elsevier Science, Amsterdam. 

ENISA (2008) The New Users’ Guide: How to Raise Information Security Awareness. 

Ernst & Young (2010) Technical Report Borderless Security: Ernst & Young’s 2010 Global Information Security Survey. 

eSecurity Planet (2010) Companies Fail Defcon Social Engineering Security Test, August 31, 2010. (2010) Hackers Target Friends of Google Workers,, August 31, 2010. 

Galletta DF and Polak P (2003) An Empirical Investigation of Antecedents of Internet Abuse in the Workplace. In Proceedings of the 2nd Annual Workshop on HCI Research in MIS, Seattle, USA. 

GCN (2010) Google CEO Defends Stance on China,, April 6, 2011. 

Ghonaimy A, et al. (Eds.) (2002) Security in the Information Society - Visions and Perspectives. Kluwer Academic Publishers, Norwell. 

Hagen JM and Albrechtsen E (2009) Effects on Employees’ Information Security Abilities by E-Learning. In Information Management & Computer Security 17(5), 388–407. 

Hill CWL and Jones GR (2009) Strategic Management Theory: An Integrated Approach. South Western Educ Pub, Cincinnati. 

ISO/IEC (2005a) 27002:2005: Information Technology - Security Techniques - Code of Practice for Information Security Management. 

ISO/IEC (2005b) 27001:2005: Information Technology - Security Techniques - Information Security Management Systems - Requirements. 

IT Governance Institute (2007) Cobit 4.1 - Control Objectives for Information and Related Technology. 

Johnson ME and Goetz E (2007) Embedding Information Security into the Organization. In IEEE Security & Privacy 5(3), 16–24. 

Johnston AC and Warkentin M (2010) Fear Appeals and Information Security Behaviors: An Empirical Study. In MIS Quarterly 34(3), 549–566. 

Jones A, et al. (2002) Global Information Warfare: How Businesses, Governments, and Others Achieve Objectives and Attain Competitive Advantages. Auerbach, Boca Raton. 

Kayworth T and Whitten D (2010) Effective Information Security Requires a Balance of Social and Technology Factors. In MIS Quarterly Executive 9(3), 163–175. 

Kim TG, et al. (2010) Change-Supportive Employee Behavior: Antecedents and the Moderating Role of Time. In Journal of Management, Prepublished April 9, 2010. 

Kraemer S, et al. (2009) Human and Organizational Factors in Computer and Information Security: Pathways to Vulnerabilities. In Computers & Security 28(7), 509–520. 

Lacey D (2009) Managing the Human Factor in Information Security. Wiley, Chichester. 

Lamnek S (2005) Qualitative Sozialforschung. Beltz PVU, Weinheim. 

Lynch A and Gomaa M (2003) Understanding the Potential Impact of Information Technology on the Susceptibility of Organizations to Fraudulent Employee Behavior. In International Journal of Accounting Information Systems 4(4), 295–308. 

McIlwraith A (2006) Information Security and Employee Behaviour: How to Reduce Risk through Employee Education, Training and Awareness. Gower Publishing, Hampshire. 

Merton RK (1968) Social Theory and Social Structure. Free Press, New York, USA. 

Miles MB and Huberman AM (1994) Qualitative Data Analysis. Sage Publications, Thousand Oaks. 

NIST (1998) Special Publication 800-16: Information Technology Security Training Requirements: A Role and Performance-Based Model. 

NIST (2003) Special Publication 800-50: Building an Information Technology Security Awareness and Training Program. 

OECD and Eurostat (2005) Oslo Manual - Guidelines for Collecting and Interpreting Innovation Data. 

Patton MQ (1990) Qualitative Evaluation and Research Methods. Sage Publications, Newbury Park. 

Pfleeger CP and Pfleeger SL (2006) Security in Computing. Prentice Hall, Upper Saddle River. 

PricewaterhouseCoopers (2010) Information Security Breaches Survey 2010. 

Schein EH (1984) Coming to a New Awareness of Organizational Culture. In Sloan Management Review 25(2), 3–16. 

Schein EH (1996) Three Cultures of Management: The Key to Organizational Learning. In Sloan Management Review 37(1), 9–20. 

Schein EH (2010) Organizational Culture and Leadership. Jossey-Bass, San Francisco. 

Schneier B (2000) Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, New York. 

Siponen M, et al. (2010) Compliance with Information Security Policies: An Empirical Investigation. In Computer 43(2), 64–71. 

Siponen MT (2000) A Conceptual Foundation for Organizational Information Security Awareness. In Information Management & Computer Security 8(1), 31–41. 

Siponen MT (2001) Five Dimensions of Information Security Awareness. In ACM SIGCAS Computers and Society 31(2), 24–29. 

Siponen MT and Iivari J (2006) Six Design Theories for IS Security Policies and Guidelines. In Journal of the Association for Information Systems 7(7), 445–472. 

Siponen MT and Oinas-Kukkonen H (2007) A Review of Information Security Issues and Respective Research Contributions. In The DATA BASE for Advances in Information Systems 38(1), 60–80. 

Stanton JM, et al. (2004) Behavioral Information Security: Two End User Survey Studies of Motivation and Security Practices. In Proceedings of the 10th Americas Conference on Information Systems, New York, USA. 

Stanton JM, et al. (2005) Analysis of End User Security Behaviors. In Computers & Security 24(2), 124–133. 

Suppes P (1970) A Probabilistic Theory of Causality. North-Holland, Amsterdam, Netherlands. 

Thomson ME and von Solms R (1998) Information Security Awareness: Educating Your Users Effectively. In Information Management & Computer Security 6(4), 167–173. 

Tsohou A, et al. (2008) Investigating Information Security Awareness: Research and Practice Gaps. In Information Security Journal: A Global Perspective 17(5/6), 207–227. 

Von Solms B (2000) Information Security - the Third Wave? In Computers & Security 19(7), 615–620. 

Vroom C and von Solms R (2004) Towards Information Security Behavioural Compliance. In Computers & Security 23(3), 191–198. 

Warman AR (1992) Organizational Computer Security Policy: The Reality. In European Journal of Information Systems 1(5), 305–310. 

Whitman ME and Mattord HJ (2010) Management of Information Security. Course Technology, Boston. 

Woodhouse S (2007) Information Security: End User Behavior and Corporate Culture. In Proceedings of the 7th IEEE International Conference on Computer and Information Technology, Aizu-Wakamatsu City, Japan. 

Workman M (2007) Gaining Access with Social Engineering: An Empirical Study of the Threat. In Information Systems Security 16(6), 315–331. 

Zhang D, et al. (2006) An Experimental Study of the Factors Influencing Non-Work Related Use of IT Resources at Workplace. In Proceedings of the 39th Annual Hawaii International Conference on System Sciences, Kauai, USA.