EconPapers    
Economics at your fingertips  

EconPapers Home
About EconPapers

Working Papers
Journal Articles
Books and Chapters
Software Components

Authors

JEL codes
New Economics Papers

Advanced Search


EconPapers FAQ
Archive maintainers FAQ
Cookies at EconPapers

Format for printing

The RePEc blog
The RePEc plagiarism page

 

The role of internal audit and user training in information security policy compliance

Thomas Stafford, George Deitz and Yaojie Li

Managerial Auditing Journal, 2018, vol. 33, issue 4, 410-424

Abstract: Purpose - The purpose of the study is to investigate the role of information security policy compliance and the role of information systems auditing in identifying non-compliance in the workplace, with specific focus on the role of non-malicious insiders who unknowingly or innocuously thwart corporate information security (IS) directives by engaging in unsafe computing practices. The ameliorative effects of auditor-identified training and motivational programs to emphasize pro-security behaviors are explored. Design/methodology/approach - This study applies qualitative case analysis of technology user security perceptions combined with interpretive analysis of depth interviews with auditors to examine and explain the rubrics of non-malicious technology user behaviors in violation of cybersecurity directives, to determine the ways in which auditors can best assist management in overcoming the problems associated with security complacency among users. Findings - Enterprise risk management benefits from audits that identify technology users who either feel invulnerable to cyber threats and exploits or feel that workplace exigencies augur for expedient workarounds of formal cybersecurity policies. Research limitations/implications - Implications for consideration of CyberComplacency and Cybersecurity Loafing expand the insider threat perspective beyond the traditional malicious insider perspective. Practical implications - Implications for consideration of CyberComplacency and Cybersecurity Loafing include broadened perspectives for the consultative role of IS audit in the firm. Social implications - CyberComplacency is a practice that has great potential for harm in all walks of life. A better understanding of these potential harms is beneficial. Originality/value - This study is the first to characterize CyberComplacency as computer users who feel they operate invulnerable platforms and are subsequently motivated to engage in less cybersecurity diligence than the company would desire. This study is also the first to characterize the notion of Cybersecurity Loafing to describe technically competent workers who take unauthorized but expedient steps around certain security polices in the name of workgroup efficiency.

Keywords: Internal audit; Cybersecurity; Information systems audit; Security policy compliance; User security training (search for similar items in EconPapers)
Date: 2018
References: Add references at CitEc
Citations: View citations in EconPapers (4)

Downloads: (external link)
https://www.emerald.com/insight/content/doi/10.110 ... d&utm_campaign=repec (text/html)
https://www.emerald.com/insight/content/doi/10.110 ... d&utm_campaign=repec (application/pdf)
Access to full text is restricted to subscribers

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:eme:majpps:maj-07-2017-1596

DOI: 10.1108/MAJ-07-2017-1596

Access Statistics for this article

Managerial Auditing Journal is currently edited by Professor Jie Zhou

More articles in Managerial Auditing Journal from Emerald Group Publishing Limited
Bibliographic data for series maintained by Emerald Support ().

 
Share

RePEc
This site is part of RePEc and all the data displayed here is part of the RePEc data set.

Is your work missing from RePEc? Here is how to contribute.

Questions or problems? Check the EconPapers FAQ or send mail to .

Örebro UniversityEconPapers is hosted by the School of Business at Örebro University.

Page updated 2025-03-19
Handle: RePEc:eme:majpps:maj-07-2017-1596