Iranian Journal of Information Processing and Management

Investigating the Effect of Moral Disengagement and Organizational Culture on Behaviors Related to Information Security Awareness; Case Study Saderat and Mellat Banks

Document Type: Original Article

Authors
1 Payame Noor University; Tehran, Iran
2 Supreme National Defense University; Tehran, Iran
Abstract
When it comes to information security (IS), human behavior is a factor that should not be underestimated. Information Security Awareness (ISA) programs are in place as a preventative measure, but data security breaches still occur, and banks hold valuable personal and financial information that makes them a target for cybercriminals. Accordingly, the aim of the present study is to investigate the effect of moral disengagement and organizational culture on behaviors related to information security awareness, taking into account the mediating role of the cognitive-effective variables of ISA (knowledge and attitude) and the security culture of employees of Saderat and Mellat banks. The research is applied in terms of its purpose; in terms of data collection it is descriptive and correlational, and it is based on the structural equation model. The statistical population of the research consisted of the employees of Mellat and Saderat Bank branches in Tehran, and the sample size was estimated to be 430 people. Descriptive analysis with SPSS software and the partial least squares (PLS) approach with Smart PLS software were used for data analysis, because the partial least squares approach has been the most common approach in quantitative studies for evaluating relationships between variables related to human behavior in the field of information security. The findings of the research confirmed the relationships of the model, and the path analysis results showed that the influence of the variable “moral disengagement” on the variables “information security awareness behaviors” (first hypothesis), “information security awareness knowledge” (second hypothesis) and “information security awareness attitude” (third hypothesis) is significantly negative.
Also, the effect of the variable “information security awareness knowledge” on “information security awareness behaviors” (fourth hypothesis), the effect of the variable “information security awareness attitude” on “information security awareness behaviors” (fifth hypothesis), the effect of the variable “organizational culture” on the variables “information security awareness behaviors” and “organizational security culture” (sixth and seventh hypotheses), and the effect of the variable “organizational security culture” on “information security awareness behaviors” (eighth hypothesis) are positive and significant.


  • Receive Date 22 October 2022
  • Revise Date 09 October 2023
  • Accept Date 12 November 2022