The Effect of Security Awareness on Compliance with Security Regulations by Teleworking Users During the COVID-19 Pandemic

Article type: Research article

Author

Associate Professor, Department of Industrial Management, Faculty of Management and Accounting, Allameh Tabataba'i University, Tehran, Iran.

Abstract

The aim of the present study is to examine the effect of security awareness on compliance with security regulations by teleworking users during the COVID-19 pandemic, using the Health Belief Model (HBM). Users who had experienced teleworking in organizations in the city of Tehran after the outbreak of the disease were selected as the statistical population of this study, and 288 people completed the research questionnaire and participated in it. The samples were selected using convenience sampling, and the data and research hypotheses were then analyzed and tested using structural equation modeling. The findings showed that security awareness does not directly affect compliance with security regulations in organizations by teleworking personnel, but it does affect their privacy concerns and security expectations, and these two factors can lead to greater adherence by teleworking personnel to the security regulations and policies of organizations.
 



Article title [English]

The Effect of Security Awareness on Compliance with Security Regulations by Teleworkers in the Period of COVID-19 Epidemic

Author [English]

  • Mohammad Reza Taghva
Associate Professor of Allameh Tabataba’i University, Tehran, Iran.
Abstract [English]

Extended abstract
Abstract
The aim of this research was to investigate the effect of security awareness on compliance with security regulations by teleworkers during the COVID-19 epidemic, using the Health Belief Model (HBM). Users who experienced teleworking in organizations in Tehran after the outbreak of the disease were selected as the statistical population of this study, and 288 people completed the research questionnaire and participated in it. The samples were selected using convenience sampling, and the data and research hypotheses were then analyzed using structural equation modeling. The research findings showed that security awareness does not directly affect compliance with security regulations in organizations by teleworking personnel, but it affects their privacy concerns and security expectations, and these two elements can lead them to adhere more closely to the security regulations and policies of organizations.
Introduction
The COVID-19 pandemic is considered to be the most important global health disaster of the century and the greatest challenge facing humanity since World War II. In fact, the coronavirus outbreak is an example of a widespread crisis: one in which events or their sequences occur on a large scale and at astonishing speed, leading to a high degree of uncertainty that exacerbates irregularities, creates a feeling of lack of control, and causes emotional disturbance in people.
This study attempts to examine the issue of security awareness and compliance with security regulations by employees, using the health belief model. Hochbaum (1958) developed the health belief model to study the behavior of individuals in health research. Accordingly, the purpose of this study is to investigate whether users involved in teleworking have security awareness and whether there is a relationship between this security awareness and users' compliance with security regulations.
Theoretical framework
The health belief model was developed in the 1950s to explain and predict preventive health behaviors. This model identifies the feasibility, benefits, and costs associated with behavior intervention or change based on four constructs (sensitivity, severity, benefits, and perceived barriers). In the field of information systems, this model can be used to explain the security behavior of users. This study uses the health belief model as the basis of its research model. The model includes the constructs of perceived severity, perceived sensitivity, perceived threat, expectations (perceived benefits and barriers), and cues of action. In addition, the proposed model of the present study includes three other constructs that do not exist in the health belief model: security awareness, privacy concern, and compliance with security regulations.
Methodology
This study takes a quantitative approach, with data collected through a questionnaire-based survey. The questionnaire assesses security awareness, information privacy concerns, self-efficacy, expectations of security measures, security threats, and participants' security behavior. The statistical population of this study consists of people involved in teleworking in Iranian organizations. The questionnaire consists of two parts: general questions (gender, job title, passing security courses in the organization, and the level of proficiency in using common IT tools) and specialized questions that are categorized based on the components of the research. The specialized questions consist of four parts: health belief model, privacy concern, security compliance, and security awareness. To test the hypotheses of this study, structural equation modeling and multiple regression analysis were used.
Discussion and results
According to the results of testing the research hypotheses, all hypotheses were confirmed except hypothesis 9 (the effect of perceived threat on compliance with security regulations), which was not supported. These results mean that security awareness has a positive effect on expectations (perceived benefits - perceived barriers), privacy concerns, and perceived threats. These results are consistent with the results of previous studies. In addition, the results showed that the severity and sensitivity perceived by users have a positive effect on the threat they perceive. These results are consistent with the results of previous studies. Expectations and privacy concerns also have a positive and significant effect on compliance with security regulations. These results are completely consistent with the results obtained in the past. In another part of the research results, it was found that privacy concerns and cues of action have a positive and significant effect on perceived threat. These results are fully consistent with studies conducted by other researchers. However, the results of the study indicate that perceived threats to security issues do not have a significant effect on compliance with security regulations.
Conclusion
In summary, the findings of this study show that the majority of teleworking users are somewhat aware of security issues (especially in the field of social engineering). Although this awareness does not directly affect compliance with organizations' security regulations and policies, it does affect expectations, privacy concerns, and perceived threats. Also, expectations and privacy concerns have a positive and significant effect on compliance with security regulations in organizations, but the perceived threat has no significant effect on compliance with these regulations. Based on the above results, the managers of organizations (especially information technology and security managers) can be advised to improve their staff's awareness of security issues related to teleworking by holding awareness and training courses in the field of information security. Consequently, in the case of incidents and events (such as the outbreak of the COVID-19 pandemic) that inevitably lead to teleworking, staff can comply with the organization's security regulations in their organizational activities so as not to compromise the organization's data and information.
 

Keywords [English]

  • Security Awareness
  • COVID-19
  • Health Belief Model
  • Security Regulations

References

1-Al Abri, D., McGill, T., & Dixon, M. (2009). Examining the impact of E-privacy risk concerns on citizens' intentions to use E-government services: An Oman perspective. Journal of Information Privacy & Security, 5(2), 3-26.
2-Angst, C. M. & Agarwal, R. (2009). Adoption of electronic health records in the presence of privacy concerns: The elaboration likelihood model and individual persuasion. MIS Quarterly, 33(2), 339-370.
3-Anti-Phishing Working Group. (2011). Phishing activity trends report 1st half / 2011. Retrieved December 15, 2015, from http://www.antiphishing.org/reports/apwg_trends_report_h1_2011.pdf
4-Ajzen, I. (1991). The Theory of Planned Behavior. Organizational Behavior and Human Decision Processes, 50, 179-211.
5-Bagozzi, R. P. & Yi, Y. (1988). On the evaluation of structural equation models. Journal of the Academy of Marketing Science, 16(1), 74-94.
7-Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010, January). Quality and fairness of an information security policy as antecedents of employees' security engagement in the workplace: An empirical investigation. In 2010 43rd Hawaii International Conference on System Sciences (pp. 1-7). IEEE.
8-Cho, H. (2010). Determinants of behavioral responses to online privacy: The effects of concern, risk beliefs, self-efficacy, and communication sources on self-protection strategies. Journal of Information Privacy & Security, 6(1), 3-27.
9-Cho, H., Rivera, M., & Lim, S. (2009). A multinational study on online privacy: Global concerns and local responses. New Media & Society, 11(3), 409-431.
10-Claar, C. L. (2011). The adoption of computer security: An analysis of home personal computer user behavior using the health belief model. Utah State University. Retrieved from ProQuest Dissertations and Theses, UMI Number: 3449480.
11-Cohen, J. (1988). Statistical Power Analysis for the Behavioral Sciences (2nd ed.), Lawrence Erlbaum Associates.
12-Cone, B. D., Irvine, C. E., Thompson, M. F., & Nguyen, T. D. (2007). A video game for cyber security training and awareness. Computers & Security, 26, 63-72.
13-Chakraborty, I., & Maity, P. (2020). COVID-19 outbreak: Migration, effects on society, global environment and prevention. Science of the Total Environment, 138882.
14-D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79–98.
15-Dinev, T. & Hart, P. (2005). Internet privacy concerns and social awareness as determinants of intention to transact. International Journal of Electronic Commerce, 10(2), 7-29.
16-Edwards, K. (2015). Examining the Security Awareness, Information Privacy, and the Security Behaviors of Home Computer Users. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, College of Engineering and Computing.
17-Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention, and behavior: An introduction to theory and research. Boston, MA: Addison-Wesley.
18-Fornell, C. & Larcker, D. F. (1981). Evaluating structural equation models with unobservable variables and measurement error. Journal of Marketing Research, 18(1), 39-50.
19-Ghauri, P., Grønhaug, K., & Strange, R. (2020). Research methods in business studies. Cambridge University Press.
20-Gay, L. R., Mills, G. E., & Airasian, P. (2009). Educational research competencies for Analysis and Applications (9th ed.), pp. 129-131, 155-157. Upper Saddle River, NJ: Pearson Education, Inc.
21-Glanz, K., Rimer, B. K., & Viswanath, K. (2008). Health Behavior and Health Education: Theory, Research, and Practice (4th ed.). John Wiley and Sons.
22-Grant, G. J. (2010). Ascertaining the relationship between security awareness and the security behavior of individuals. Nova Southeastern University. Retrieved from ProQuest Dissertations and Theses, UMI Number: 3423144.
23-Hayden, J. (2009). Introduction to health behavior theory. Burlington, MA: Jones & Bartlett Learning.
24-Hochbaum, G. M. (1958). Public participation in medical screening programs: A sociopsychological study. Public Health Service Publication No. 572. Washington, D.C., 1-23.
25-Humaidi, N., Balakrishnan, V., & Shahrom, M. (2014). Exploring user's compliance behavior towards Health Information System security policies based on extended Health Belief Model. 2014 IEEE Conference on e-Learning, e-Management and e-Services (IC3e), 30-35.
26-Jafari, M. S., Hamidizadeh, A., & Montazeri Najafabadi, R. (2016). Investigating the effective factors on employees' compliance with information systems security policies in the organization. Scientific Journal of Information Management, 2(2), 102-131. (in Persian)
27-Janz, N. K. & Becker, M. H. (1984). The Health Belief Model: A decade later. Health Education Quarterly, 11(1), 1-47.
28-Koloseni, D. N., Lee, C. Y., & Gan, M. (2019). Understanding Information Security Behaviours of Tanzanian Government Employees: A Health Belief Model Perspective. International Journal of Technology and Human Interaction (IJTHI), IGI Global, vol. 15(1), 15-32, January.
29-Kritzinger, E. & von Solms, S. H. (2010). Cyber security for home users: A new way of protection through awareness enforcement. Computers & Security, 29, 840-847.
30-Kruger, H. A. & Kearney, W. D. (2006). A prototype for assessing information security awareness. Computers & Security, 25, 289-296.
31-Liang, H. & Xue, Y. (2010). Understanding security behaviors in personal computer usage: A threat avoidance perspective. Journal of the Association for Information Systems, 11(7), 394-413.
32-Mirnezami, S., & Rajabi, S. (2020). Estimating the Impacts of COVID-19 on Iran Economy: Modelling 7 Scenarios. Science and Technology Policy, 10(2).
33-Nardi, P. M. (2003). Doing Survey Research: A guide to quantitative methods. Boston, MA: Pearson Education, Inc.
34-Nasri, A., Bagheri, A., & Boushehri, A. (2020). Assessing the Role of Governmental Support in Strategy Formation of Knowledge-based Enterprises Facing Coronavirus Pandemic Consequences. Science and Technology Policy, 10(2).
35-Ng, B., Kankanhalli, A., & Xu, Y. (2009). Studying users' computer security behavior: A health belief perspective. Decision Support Systems, 46, 815-825.
36-Payande, I., Majdizade, Z., Mirzapour, H. (2020). In Search of an Alternative to "Strict Lockdown"; Data-driven Policies in the Face of COVID-19 Pandemic. Science and Technology Policy Letters, 10(2), 59-73.
37-Rea, L. M. & Parker, R. A. (2005). Designing & conducting survey research: A comprehensive Guide (3rd ed.). Hoboken, NJ: John Wiley & Sons, Inc.
38-Rhee, H., Kim, C., & Ryu, Y. U. (2009). Self-efficacy in information security: Its influence on end users’ information security practice behavior. Computers & Security, 28, 816-826.
39-Ross, T. P., Ross, L. T., Rahman, A., & Cataldo, S. (2010). The bicycle helmet attitudes scale: using the health belief model to predict helmet use among undergraduates. Journal of American College Health, 59(1), 29-36.
40-Rovai, A. P., Baker, J. D., & Ponton, M. K. (2014). Social Science Research Design and Statistics: A Practitioner's Guide to Research Methods and IBM SPSS Analysis (2nd ed.), p. 419. Watertree Press LLC. Kindle Edition.
41-Straub, D. W. (1989). Validating instruments in MIS research. MIS Quarterly, 13(2), 147-169.
42-Straub, D., Boudreau, M., & Gefen, D. (2004). Validation guidelines for IS positivist research. Communications of the Association for Information Systems, 13, 380-427.
43-Styles, M. & Tryfonas, T. (2009). Using penetration testing feedback to cultivate an atmosphere of proactive security amongst end-users. Information Management & Computer Security, 17(1), 44-52.
44-Trochim, W. M. K. & Donnelly, J. P. (2008). The research methods knowledge base (3rd ed.), pp. 56-65. Mason, OH: Atomic Dog.
45-Van Slyke, C., Shin, J. T., Johnson, R., & Jiang, J. (2006). Concern for information privacy and online consumer purchasing. Journal of the Association for Information Systems, 7(6), 415-431, 433-443.
46-Weiers, R. M. (2002). Introduction to Business Statistics (4th ed.). Belmont, CA: Duxbury, Thomson Learning.