Information security behavior: Recognizing the influencers
Institute of Electrical and Electronics Engineers Inc.
Security Research Institute
With the widespread use of the Internet comes an increase in Information Security threats. To protect against these threats, technology alone has been found to be insufficient, as it can be misused by users and become vulnerable to various threats, thus losing its usefulness. This is evident as users tend to use weak passwords, open email attachments without checking them and fail to set correct security settings. However, especially with the continuously evolving threat landscape, one cannot assume that users are always motivated to learn about Information Security and practice it. In fact, there are situations in which an aware user who knows how to protect themselves simply chooses not to, because they do not care, because of usability problems or because they do not consider themselves a target. Thus, understanding human security behavior is vital for ensuring an efficient Information Security environment that cannot depend on technology only. Although a number of psychological theories and models, such as Protection Motivation Theory and the Technology Acceptance Model, have been used in the literature to interpret these behaviors, they tend to assess users' intentions rather than actual behavior. The aim of this paper is to understand and assess these behaviors from a holistic view by finding the significant factors that influence them and how best to assist users in protecting themselves. To accomplish this, a systematic literature review was conducted in which relevant literature was sought in a number of academic digital databases. As a result, several key behavioral influencers were identified as essential to consider when educating and directing users' security behavior. In addition, a number of Information Security awareness approaches were proposed that may transform the user from being ill-informed into a security-minded user who is able to make an informed decision.