ScienceDirect
journal homepage: www.elsevier.com/locate/cose
Information Systems Department, University of Fort Hare, 50 Church Street, East London 5200, South Africa
Kings College, University of London, United Kingdom
Article history: 16 January 2014
Keywords: Smartphone; Information security; Awareness; Mobile computing

Abstract
Smartphone information security awareness describes the knowledge, attitude and behaviour that employees apply to the security of the organisational information that they access, process and store on their smartphone devices. The surge in the number of smartphone devices connecting to organisational systems and used to process organisational data has enabled a new level of operational efficiency. While employees are aware of the benefits they enjoy by bringing their personal devices into the workplace, managers too are aware of the benefits of having a constantly connected workforce. Unfortunately, those aware of the risks to information security do not share an equal level of enthusiasm. These devices are owned by employees who are not adequately skilled to configure the security settings for acceptable security of that in-
gradually fade into the daily rush of operations from the day they are completed.
This paper explores the factors which influence these oscillating levels of information security awareness. By applying an adapted version of an awareness model from the domain of accident prevention, the factors which cause diminishing awareness levels are exposed. Subsequently, information security awareness emerges as a symptom of such factors. Through geometrical modelling of the boundaries and pressures that govern our daily operations, an awareness model emerges. This model ensures that organisations are better equipped to monitor their information security awareness position, their boundaries and the daily pressures affecting the organisation, thus allowing them to design better integrated policies and procedures to encourage safe operating limits. The model is evaluated using a theory evaluation framework through an expert review process.
2014 Elsevier Ltd. All rights reserved.
1. Introduction
daily as part of the bring your own device (BYOD) phenomenon. Smartphone devices are often the personal property of
the users, but are increasingly being used to access and process organisational information in addition to personal information. However, users are often unaware of the risk these
This is an open-access article distributed under the terms of the Creative Commons Attribution-NonCommercial-No Derivative Works License, which permits non-commercial use, distribution, and reproduction in any medium, provided the original author and source are credited.
* Corresponding author. Tel.: 27 43 7047071.
E-mail address: sflowerday@ufh.ac.za (E. Flowerday).
0167-4048/$ - see front matter © 2014 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.cose.2014.01.005
Computers & Security 42 (2014) 56-65
This model provides organisations with a better understanding of the impact that operational pressures have on
smartphone information security awareness, allowing for the
improvement of policy relating to those elements. Mahesh and
Hooter (2013) note the importance of not only providing organisational policy to govern the use of smartphone devices by
employees, but also explaining the purpose and intention of the
policy to the employees. The paper shows how seemingly positive efforts to improve operational efficiencies may actually be
the cause of incidents, with lowered levels of user awareness in
fact being one of the symptoms of a broader set of influencing
factors. This is illustrated by the geometrical transformation of
an established awareness model from the domain of accident
prevention. In using this model, policy makers will be better
equipped to understand the relationship between the forces at
play that influence smartphone information security awareness.
2.
2.1.
2.2. An adaptation for smartphone information security awareness
operating system. This model positions smartphone information security as the victim of the operational pressures highlighted by the model. These pressures should be the target of smartphone security policy, not the devices.
As provided by Rasmussen (1997), the Awareness Boundary Model is very broadly applicable. Through prior adaptation (Allam and Flowerday, 2011) of Rasmussen's (1997) Awareness Boundary Model, the model boundaries have been refined in order to address specifically the awareness of smartphone information security. In addition, by applying General Systems Theory (Von Bertalanffy, 1950), an awareness feedback loop is included to promote feedback as a mechanism for promoting perpetuity in the application of the model. Tankard (in Mansfield, 2013) states that although many organisations do have some level of security in place, they very often fail to react adequately to what these systems are telling them.
Table 1 provides a description of the adapted version of each boundary for targeting smartphone operations at an organisation (Allam and Flowerday, 2011):
[Table 1: columns "Adapted boundary" and "Description"; of the rows, only the label "Social boundary" survived extraction.]
The adapted model provides three boundaries with similar consequences to the boundaries found in the original model. These three boundaries effectively provide the safe operating space for smartphone operations within an organisation. In the event that one of the gradient boundaries (social boundaries) is breached, smartphone operations will become unsustainable. For example, where management applies excessive pressure on users to perform operations using their smartphone devices, employees might find themselves pressured or pushed over the boundary of unacceptable smartphone operations. This would ultimately result in resistance from employees towards smartphone operations.
At the boundary of functional acceptance of smartphone usage, the risk of breaching the boundary of economic feasibility or the boundary of unacceptable workload is minimised, and the pressure from the social gradients is maximised. At a position on or very near this boundary, operations are optimised. Although optimised, risk increases as the organisation moves closer to the boundary. Rasmussen (1997) warns that this is because operating outside this boundary places the organisation at increased risk of experiencing an information security incident.
Fig. 2. Smartphone awareness boundary model (Allam and Flowerday, 2011, adapted from Rasmussen, 1997).
3.
3.1.
3.2.
4.
4.2.
4.2.1. Workload boundary
The workload boundary is provided as a line at which employees or an individual employee would perceive that the
amount of work effort required for smartphone operations
exceeds their benefit and reward of use. Employees will then
naturally migrate away from this boundary as they seek to
minimise the amount of effort required to perform their daily
tasks. The position along the boundary from which the
migration will take place is dependent on the level of workload currently being experienced in the organisation. Any
organisation which finds itself at a position outside this
boundary (outside the triangle nearest the boundary of unacceptable workload) will face certain labour unrest and
possible strikes. In the case of skilled workers, the organisation is likely to face massive staff turnover and heavy loss of
intellectual capital.
4.2.2. Productivity boundary
4.2.3. Functional acceptance
4.3.
4.3.1. Work pressure
This might be in the form of an employee storing large volumes of corporate information on an unsecured smartphone device in order to process information remotely or to work on the move.
4.3.2. Work effort
The gradient of work effort is the pressure exerted by non-managers in a direction away from the boundary of workload. The pressure from the boundary represents a diminishing level of work effort as the distance from the boundary
increases (see Fig. 3). Rasmussen (1997) explains that in efforts
and experiments to improve performance, employees will
naturally seek to minimise the level of effort required to
produce the same output. For example, employees may
reduce the steps in their smartphone operations by disabling
the security controls on their devices. This will continue unabated for an indefinite period. However, at some point this
behaviour will place the organisation at a level of increased
risk; for example, eventually the organisation will become
overly optimised to the point that security control measures
are being circumvented or ignored in favour of reduced
workload or increased productivity.
4.3.3. Counter gradient
4.4.
4.4.1. State areas
4.5. State positioning
4.5.1. Formula
(1)
(2)
5.
5.1.
6. Conclusion
The adapted model and the exploration of its parts provide new
insight into security awareness. Traditionally, the focus has always centred on training users about specific risk areas. By
contrast, this model establishes that awareness of information
security is only effective when applied within the dynamically
changing organisational context. Prevailing information security awareness levels have been observed as symptoms of a greater set of organisational pressures, which are the cause of those symptoms. For the effective management of user smartphone security
awareness levels, the contributing factors, which are identified
as attributes in the model, have been established in combination
with the events that alter the value of these attributes. By
addressing these as the root of the problem, information security will naturally be improved. Awareness subsequently shifts
from an understanding of complex security procedures to an understanding of organisational pressures.
Smartphone information security awareness is found to be dependent on a combination of the following:
smartphone productivity levels;
the pressure applied by management on workers to perform work using smartphones;
smartphone workload levels;
the pressure applied by employees to reduce the amount of effort required to perform work using smartphone devices;
the resulting pressure applied from policy and procedure in relation to the organisation's distance from the functional acceptance boundary.
As smartphone technology continues to mature, users and
managers will continue to seek ways in which the operations
References