Introduction
Many studies indicate that employees, who deal with day-to-day information, are the cause of at least half of the security breaches experienced within a company. In several studies, users are portrayed as being the weakest link in security issues. They can decide to be the security problem or the solution (Spears & Barki, 2010).
Herath and Wijayanayake (2009) assert that promoting good end-user behaviour, as well as restricting inappropriate end-user behaviour account for effective security of information. As such, they are essential in each and every company.
In the year 2005, D’Arcy and Hovav (2007) conducted research to gain insights into employees’ awareness of four principal security countermeasures (security awareness programs, security policies, computer monitoring, and preventive security software) and their constraining effect on users’ intentions with regard to misuse of IS.
Security policies aim at providing users with detailed guidance on acceptable use of organizational IS resources (D’Arcy & Hovav, 2007). The study proposed that complementary technical and procedural controls are essential in imparting knowledge to employees regarding their responsibilities for an organization’s information resources. These controls are also vital in deterring employees’ intentions to misuse computer systems.
Thus, awareness, training, motivation, and monitoring are vital strategies that play a leading role in protecting organizations and in drawing employees’ attention away from violating security measures. Information specialists believe that promoting good end-user behaviour and constraining bad end-user behaviour are important components of an effective Information Security Management System (ISMS) (Herath & Wijayanayake, 2009).
In order to implement effective information security systems, there is a need to fully understand security-related risks and implement appropriate controls for these risks. Employees who apply controls in a remarkable manner enhance security of information within an organization.
However, many employees do not understand the value of implementing the controls, and thus end up creating security risks. Others do it out of ignorance, and a large group of employees do it willingly. This research proposes to look into the role of employees in information security maintenance.
Problem statement
The purpose of this project is to investigate the role played by information users in information security management (D’Arcy & Hovav, 2007). It proceeds from the premise that employees account for most of the breaches of IS experienced in companies.
This is most likely caused by the online value system, which lays emphasis on openness and information sharing. Furthermore, many users do not have up-to-date information on browsers, applications, as well as operating systems.
Research questions
- Why do employees cause most of the security breaches in organizations?
- What is the main responsibility of end-users in information security?
- Why do employees engage in security-related risks that lead to breach of information security in the contemporary world?
- What are the predisposing factors to the employees’ cause of security breaches?
These questions are relevant to this research because they revolve around the quality of service for end-users and employees. In order to assess the issues comprehensively and gather data, qualitative data is extremely vital. Gathering information on the key responsibilities of end-users in the security of information is crucial as it helps in gathering insights on how to include end-users more.
End-users have more experience in information security as they interact with the information directly (Herath & Wijayanayake, 2009). Companies and organizations should make efforts to assess and evaluate why employees often engage in risks related to security. In this case, the target is the employees and gathering such information helps to implement improved strategies for information protection (Spears & Barki, 2010).
Such information and data can only be gathered using qualitative research methods. Breach of information in an organization is an extremely grave issue. It is also vital that organizations protect their information as it is their vital strength. Assessing the predisposing factors that make employees in organizations breach information is a principal thing.
The targets to gather this information from are employees. This can successfully be accomplished through qualitative methods of research. In most cases, they breach information because of inadequate motivation. Consequently, the management in the organization should implement strategies to ensure that their employees are adequately motivated (D’Arcy & Hovav, 2007).
In order to gather information on the stated questions, several methods can be used. These include participant observation, direct observation, unstructured interviewing, and case studies. In a case study, a company is selected and its end-users and employees are studied on how they behave towards information security (Spears & Barki, 2010).
Participant observation, direct observation, and unstructured interviewing are vital tools as the employees are usually not aware that they are being studied. Therefore, the information obtained is highly valid and of high quality. Combining more than one method of data collection is vital in ensuring credibility and validity.
Most of these methods allow the person gathering data to observe body language as well. Therefore, information that is not said by word of mouth is also gathered.
References
D’Arcy, J., & Hovav, A. (2007). Deterring Internal Information Systems Misuse. Communications of the ACM, 50(10), 12-45.
Herath, M. P. S., H., & Wijayanayake, W. I. (2009). Computer misuse in the workplace. Journal of Business Continuity & Emergency Planning, 3(3), 259-270.
Spears, J. L., & Barki, H. (2010). User Participation in Information Systems Security Risk Management. MIS Quarterly, 34(3), 503-A5.